
A zero-day vulnerability in Windows Defender SmartScreen was recently exploited to spread the DarkMe malware. Microsoft has since released a patch for the vulnerability.

The zero-day, designated CVE-2024-21412, enabled the hacker gang known as Water Hydra and DarkCasino to spread the DarkMe remote access trojan. Microsoft confirmed this after Trend Micro researchers discovered the vulnerability on New Year's Day.

MotW vulnerability

The vulnerability allowed a specially crafted file to be sent to the victim, bypassing the security controls of Windows Defender SmartScreen. The attack exploited a flaw in that software, which did not correctly apply the Windows Mark-of-the-Web (MotW) component.

MotW is an essential Windows component that alerts users when they open or run files from an untrusted source.
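As an added illustration of the MotW mechanism (example code, not from the article, Microsoft or Trend Micro), the following PowerShell lists the files in a folder together with whether they carry a Zone.Identifier alternate data stream, which is where Windows stores the Mark-of-the-Web and which SmartScreen consults before prompting; the Downloads path is an assumption.

```powershell
# Added example: audit a folder for files that lack the Mark-of-the-Web.
# Files downloaded from the Internet normally carry a Zone.Identifier stream
# with ZoneId=3; a file without that stream produces no SmartScreen or
# "untrusted source" prompt when opened.
# The folder path below is an assumption; point it at the location to audit.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file   = $_
    $zoneId = $null
    try {
        # Reading the stream throws when the file carries no MotW at all.
        $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
        $line = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d+)') {
            $zoneId = [int]$Matches[1]
        }
    } catch {
        $zoneId = $null   # no Zone.Identifier stream: file is not marked
    }
    [pscustomobject]@{
        File    = $file.FullName
        HasMotW = ($null -ne $zoneId)
        ZoneId  = $zoneId   # 3 = Internet, 4 = Restricted sites, $null = unmarked
    }
} | Sort-Object HasMotW, File | Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on Windows; files reported with HasMotW = False will open without the SmartScreen check the article describes.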

In the attack, however, the hackers could not force an affected user to view the content they controlled. They still had to convince their victims to click on the malicious link through social engineering, after which the malware was installed and could begin its malicious work.

The CVE-2024-21412 vulnerability was not used only for the DarkMe RAT malware. It was also exploited to bypass Windows security prompts when opening URL files, allowing the Phemedrone info-stealer malware to be installed.

Financial gain

The hackers of Water Hydra and DarkCasino used the vulnerability primarily for financial gain. Their targets were forex trading forums and Telegram channels in which stocks were traded. Among other things, they distributed a malicious stock chart that linked to a compromised Russian trading information site posing as a forex broker platform.

Microsoft has since indicated that the vulnerability has been fixed. However, a list of indicators is available to check whether systems may still be infected with the malware.