DarkMe Malware Exploits Known Vulnerability

A recently revealed security vulnerability in Microsoft Defender SmartScreen has been exploited as a zero-day attack by an advanced persistent threat actor named Water Hydra, also known as DarkCasino. The targets of this campaign are individuals involved in financial market trading.

Researchers, who began tracking this campaign in late December 2023, disclosed that the exploit involves CVE-2024-21412, a security feature bypass vulnerability involving Internet Shortcut files (.URL). According to a report the cybersecurity firm released on Tuesday, the threat actor used CVE-2024-21412 to circumvent Microsoft Defender SmartScreen and deliver the DarkMe malware to victims.

Microsoft addressed this flaw in its February Patch Tuesday update, acknowledging that an unauthorized attacker could exploit the vulnerability by sending a specially crafted file to the targeted user, thereby bypassing security checks.

DarkMe Distributed Through Malicious MSI Installer

The success of the exploitation relies on the threat actor convincing the victim to click on the file link and view the attacker-controlled content. Researchers outlined the infection process, detailing how CVE-2024-21412 is exploited to drop a malicious installer file ("7z.msi") through a booby-trapped URL ("fxbulls.ru") distributed on forex trading forums. The link is shared under the guise of a stock chart image, but it actually points to an internet shortcut file ("photo_2023-12-29.jpg.url").

The landing page on fxbulls.ru includes a link to a malicious WebDAV share with a carefully crafted view. When users click on this link, the browser prompts them to open it in Windows Explorer, which makes the activity look benign.

The threat actor abuses the search: application protocol, the handler used to invoke the desktop search application on Windows, to deliver the malware. The malicious internet shortcut file points to another internet shortcut file hosted on a remote server ("2.url"), which in turn points to a CMD shell script within a ZIP archive on the same server ("a2.zip/a2.cmd").

This unconventional referencing method is designed to evade SmartScreen, which fails to properly apply Mark of the Web (MotW), a crucial Windows mechanism that warns users when they open or run files from an untrusted source.
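The shortcut chain described above (a .URL file whose target is another .URL file, which then points at a script inside a ZIP on a remote share, reached via the search: handler) leaves a recognizable shape in the shortcut files themselves. The following triage script is an added example written for this article, not code from the original report or from any vendor: it parses the INI-style [InternetShortcut] section of a .url file and flags targets that use file: / search: / search-ms: schemes, end in a script or shortcut extension, reference a path inside a ZIP archive, or point at a remote share, and it separately flags decoy double extensions such as photo_2023-12-29.jpg.url. The sample shortcut contents and the 203.0.113.10 address are constructed for the example.

```python
"""Heuristic triage of Windows Internet Shortcut (.url) files.

Added example for defenders; not the report's or Microsoft's code.
Sample shortcut contents below are constructed; 203.0.113.10 is a
documentation address, not an indicator from the campaign.
"""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Schemes that should not appear in a shortcut shared as a "chart image".
SUSPICIOUS_SCHEMES = {"file", "search", "search-ms"}
# A target with one of these extensions launches something rather than opening a page.
SUSPICIOUS_EXTENSIONS = (".url", ".cmd", ".bat", ".lnk", ".zip", ".msi", ".exe", ".hta", ".js", ".vbs")
# Decoy extensions seen placed before the real .url extension.
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx", ".xlsx")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp["InternetShortcut"].get("URL")


def triage_shortcut(text: str) -> List[str]:
    """Return the reasons a shortcut looks like an indirection chain (empty list = nothing found)."""
    target = parse_internet_shortcut(text)
    if target is None:
        return ["no [InternetShortcut] URL= entry"]
    reasons = []
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        reasons.append(f"scheme {scheme}:")
    # Normalise backslashes so UNC-style share paths are checked the same way as URL paths.
    tail = parsed.path.lower().replace("\\", "/")
    for ext in SUSPICIOUS_EXTENSIONS:
        if tail.endswith(ext):
            reasons.append(f"target ends in {ext}")
            break
    # A .zip component before the final file name (a2.zip/a2.cmd style) marks a script inside an archive.
    parts = tail.split("/")
    if any(p.endswith(".zip") for p in parts[:-1]):
        reasons.append("script referenced inside a ZIP archive path")
    if scheme == "file" and parsed.netloc:
        reasons.append(f"remote file share {parsed.netloc}")
    return reasons


def is_masquerading_name(filename: str) -> bool:
    """True when a .url file carries a decoy document/image extension before .url."""
    name = filename.lower()
    if not name.endswith(".url"):
        return False
    return name[:-4].endswith(DECOY_EXTENSIONS)


# Constructed sample shortcut contents keyed by file name (none are real captured files).
SAMPLES = {
    "chart.url": "[InternetShortcut]\nURL=https://example.com/chart.png\n",
    "photo_2023-12-29.jpg.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/2.url\n",
    "2.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/a2.zip/a2.cmd\n",
    "search.url": "[InternetShortcut]\nURL=search:query=chart\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        flags = triage_shortcut(content)
        if is_masquerading_name(name):
            flags.append("decoy double extension in file name")
        print(f"{name}: {'CLEAN' if not flags else ', '.join(flags)}")
```

The script is meant to run over quarantined attachments or a mail gateway's extracted .url files; a non-empty result is a reason to hold the file for analysis, not a verdict on its own, because legitimate shortcuts to internal file shares will also trip the file: and remote-share checks.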

The ultimate objective of the campaign is to surreptitiously deliver the DarkMe Visual Basic trojan while displaying a stock graph to the victim, maintaining the deception throughout the exploitation and infection process. DarkMe possesses capabilities to download and execute additional instructions, register itself with a command-and-control (C2) server, and gather information from the compromised system.

February 14, 2024