
DarkMe Malware Exploits Zero-Day Vulnerability in Microsoft SmartScreen, Targeting Financial Traders

Stay vigilant and keep your devices updated to avoid such threats


Updated on February 16, 2024


In an alarming discovery, Trend Micro’s cybersecurity researchers have disclosed that an advanced persistent threat actor called Water Hydra or DarkCasino has exploited a security flaw in Microsoft Defender SmartScreen as a zero-day vulnerability.

The researchers have been tracking this malicious campaign since late December 2023, and it involves the exploitation of CVE-2024-21412, a security bypass vulnerability associated with Internet Shortcut Files (.URL).

In a report on Tuesday, the cybersecurity firm said:

In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.

Microsoft fixed the vulnerability in its February Patch Tuesday update and warned that an unauthenticated attacker could take advantage of the flaw by sending a carefully crafted file to the targeted person, thereby circumventing the displayed security checks.

However, the attack will only be successful if the victim clicks the file link and views the content controlled by the attacker.

The infection process, as Trend Micro describes it, involves the exploitation of CVE-2024-21412 to drop a malicious installer file, 7z.msi.

This happens if the victim clicks on the malicious link (fxbulls[.]ru), which is distributed through Forex trading forums.

The URL is disguised as a link to a stock chart image, but it actually takes you to an internet shortcut file (photo_2023-12-29.jpg.url).

According to security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun:

The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view. When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.

The threat actor takes advantage of the search: application protocol, which is used to call the desktop search application on Windows and is infamous for being abused in the past to deliver malware.

This deceptive internet shortcut file points to another shortcut hosted on a remote server (2.url), which in turn directs to a Command Prompt shell script within a ZIP archive, a2.zip/a2.cmd.

The complexity of this referencing strategy serves to avoid SmartScreen, as it fails to properly apply the Mark of the Web, a vital Windows component that warns you when you open files from untrusted sources.
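The chain above (an image-named .url, a target on a remote WebDAV share, the search: protocol, and a shortcut chaining to another shortcut or to a script inside a ZIP) can be checked for heuristically on the defender's side. The scanner below is an added example, not Trend Micro's or Microsoft's tooling; the sample shortcut contents and the 203.0.113.5 address are constructed for illustration and are not artifacts from the campaign.

```python
import configparser
import re
from urllib.parse import urlsplit

# Filename and target patterns drawn from the delivery chain described above.
IMAGE_DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.url$", re.I)
SCRIPT_IN_ZIP = re.compile(r"\.zip[/\\][^/\\]*\.(cmd|bat|ps1|vbs|js|msi|exe)$", re.I)

def parse_url_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def suspicious_traits(filename, text):
    """List the delivery-chain traits this .url file exhibits (empty list = nothing odd)."""
    traits = []
    if IMAGE_DOUBLE_EXT.search(filename):
        traits.append("image name with trailing .url (double extension)")
    target = parse_url_target(text)
    if target is None:
        return traits + ["no URL= target (malformed shortcut)"]
    lowered = target.strip().lower()
    scheme = urlsplit(lowered).scheme
    if scheme in ("search", "search-ms"):
        traits.append("search: protocol handler target")
    if lowered.startswith("\\\\") or scheme == "file" or "davwwwroot" in lowered:
        traits.append("target on a remote UNC/WebDAV share")
    if lowered.endswith(".url"):
        traits.append("chains to another .url shortcut")
    if SCRIPT_IN_ZIP.search(lowered):
        traits.append("points at a script inside a ZIP archive")
    return traits

# Constructed samples, not real campaign artifacts; 203.0.113.5 is a documentation address.
SAMPLES = {
    "photo_2023-12-29.jpg.url": "[InternetShortcut]\nURL=search:query=chart\n",
    "2.url": "[InternetShortcut]\nURL=file://203.0.113.5/DavWWWRoot/2.url\n",
    "a2.url": "[InternetShortcut]\nURL=\\\\203.0.113.5\\DavWWWRoot\\a2.zip\\a2.cmd\n",
    "docs.url": "[InternetShortcut]\nURL=https://learn.microsoft.com/\n",
}

def scan(samples=SAMPLES):
    """Map each filename to its list of suspicious traits."""
    return {name: suspicious_traits(name, text) for name, text in samples.items()}
```

Run `scan()` over .url files collected from mail gateways or download folders; any non-empty trait list is worth a closer look, since a legitimate shortcut rarely combines an image-style name with a remote share or a nested shortcut.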


The final objective of the campaign is to quietly deliver the Visual Basic trojan called DarkMe while keeping up the facade of displaying a stock graph to the affected user throughout the exploitation and infection chain.

DarkMe can download and execute extra instructions, connect with a command-and-control (C2) server, and collect information from the compromised device.

The discovery of this zero-day exploit has raised concerns about the advancement of hacker tactics.

The researchers at Trend Micro also mentioned:

Water Hydra possesses the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe.

As the cybersecurity community deals with these emerging threats, it is better to stay vigilant and make sure you install all security updates to keep your devices protected against ever-evolving cyber threats.

What steps do you take to avoid these attacks? Share the tips & tricks you follow to stay away from these threats in the comments section below.


Srishti Sisodia

Windows Software Expert

Srishti Sisodia is an electronics engineer and writer with a passion for technology. She has extensive experience exploring the latest technological advancements and sharing her insights through informative blogs.

Her diverse interests bring a unique perspective to her work, and she approaches everything with commitment, enthusiasm, and a willingness to learn. That’s why she’s part of Windows Report’s Reviewers team, always willing to share the real-life experience with any software or hardware product. She’s also specialized in Azure, cloud computing, and AI.
