📗 Date: 14 Feb, 2024
Source: Security Week

One of the zero-day vulnerabilities patched by Microsoft in its latest Patch Tuesday updates has been exploited in attacks aimed at financial market traders by a threat group tracked as Water Hydra (also known as DarkCasino), according to Trend Micro.

Microsoft on Tuesday announced patches for more than 70 vulnerabilities, including three flaws that had already been exploited in the wild as zero-days. Two of them, CVE-2024-21412 (an Internet Shortcut Files security feature bypass) and CVE-2024-21351 (a Windows SmartScreen security feature bypass), have been described as security feature bypasses.

Trend Micro has published a blog post describing attacks exploiting CVE-2024-21412. It’s worth noting that, in addition to Trend Micro’s Zero Day Initiative, Microsoft credited Aura Information Security and Google’s Threat Analysis Group for reporting this vulnerability.

Trend Micro said it discovered CVE-2024-21412 during its analysis of a Water Hydra campaign it started tracking in late December 2023. The attacks involved the abuse of internet shortcut (.url) files and Web-based Distributed Authoring and Versioning (WebDAV) shares.

The attackers had exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deliver a piece of malware named DarkMe to financial market traders.

According to Microsoft, this vulnerability impacts Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11. Exploitation requires user interaction: the attacker must convince the target to open a specially crafted file, which then bypasses the security check that would normally be displayed before the file is run.

Trend Micro said Water Hydra has been around since at least 2021, mainly targeting the financial industry, including gambling websites, casinos, forex and stock trading platforms, banks, and cryptocurrency services.

Water Hydra was initially linked to a Russian-speaking, financially motivated hack-for-hire group named Evilnum, but it is now believed to be a separate cybercrime group. The threat actor was previously observed exploiting a WinRAR zero-day (CVE-2023-38831) in 2023.

Trend Micro’s blog post contains detailed information on how the attackers tricked users into clicking on a malicious internet shortcut file disguised as a harmless image file.

“We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source,” Trend Micro explained.
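The traits described above (an image-looking name on a shortcut, a URL= target that is itself another .url file, and a target hosted on a WebDAV/UNC share) can be checked statically. The following Python triage script is an added example written for this page; it is not code from SecurityWeek or Trend Micro, and the file names, WebDAV host and Zone.Identifier contents it uses are constructed samples rather than campaign artifacts.

```python
"""Static triage for Windows internet-shortcut (.url) files.

Flags the lure traits the article describes: a double-extension name that
poses as an image, a URL= target that is itself a .url shortcut, and a target
on a remote WebDAV/UNC share. Optionally parses the text of the Zone.Identifier
alternate data stream (Mark-of-the-Web) so an analyst can see which zone, if
any, was recorded. All sample inputs below are constructed for this example.
"""
import configparser
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp")
MOTW_INTERNET_ZONE = 3  # ZoneId 3 = Internet; SmartScreen acts on zones 3 and 4


@dataclass
class UrlFinding:
    filename: str
    target: str
    double_extension: bool = False
    nested_shortcut: bool = False
    remote_share: bool = False
    zone: Optional[int] = None  # ZoneId from Zone.Identifier, None if absent

    @property
    def suspicious(self) -> bool:
        # Structural traits only. A missing MotW is informational, because a
        # shortcut created locally legitimately has no Zone.Identifier stream.
        return self.nested_shortcut or (self.double_extension and self.remote_share)


def _ini(text: str) -> Optional[configparser.ConfigParser]:
    """Both .url files and Zone.Identifier streams are INI-style text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so URL and ZoneId match verbatim
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None."""
    cp = _ini(text)
    if cp is None or not cp.has_section("InternetShortcut"):
        return None
    return cp["InternetShortcut"].get("URL")


def motw_zone(zone_identifier_text: str) -> Optional[int]:
    """Return ZoneId from the text of a Zone.Identifier stream, or None."""
    cp = _ini(zone_identifier_text)
    if cp is None or not cp.has_section("ZoneTransfer"):
        return None
    try:
        return int(cp["ZoneTransfer"].get("ZoneId", ""))
    except ValueError:
        return None


def triage(filename: str, body: str, zone_identifier: Optional[str] = None) -> UrlFinding:
    target = parse_url_file(body) or ""
    f = UrlFinding(filename=filename, target=target)
    name = filename.lower()
    if name.endswith(".url"):
        # "photo.jpg.url" shows as "photo.jpg" when extensions are hidden
        f.double_extension = name[:-4].endswith(IMAGE_EXTS)
    if target:
        # Normalise UNC (\\host\share) to //host/share so urlparse sees a netloc
        u = urlparse(target.replace("\\", "/"))
        f.nested_shortcut = u.path.lower().endswith(".url")
        # file://host/... and //host/... resolve through the WebDAV/SMB redirector
        f.remote_share = bool(u.netloc) and u.scheme in ("", "file")
    if zone_identifier is not None:
        f.zone = motw_zone(zone_identifier)
    return f


# Constructed samples (hypothetical host, not real campaign artifacts).
LURE_NAME = "photo_2024-02-01.jpg.url"
LURE_BODY = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.5@SSL@443/DavWWWRoot/shared/photo_2024-02-01.jpg.url\r\n"
    "IconIndex=0\r\n"
)
BENIGN_NAME = "SecurityWeek.url"
BENIGN_BODY = "[InternetShortcut]\r\nURL=https://www.securityweek.com/\r\n"
MOTW_BODY = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/dl\r\n"

if __name__ == "__main__":
    for name, body, ads in ((LURE_NAME, LURE_BODY, None), (BENIGN_NAME, BENIGN_BODY, MOTW_BODY)):
        f = triage(name, body, ads)
        print(f"{name}: suspicious={f.suspicious} zone={f.zone} target={f.target}")
```

On a Windows host the Zone.Identifier text can be read with `open(path + ":Zone.Identifier")`; a downloaded file that reaches the user without that stream, or with a ZoneId below 3, is exactly the condition under which SmartScreen has nothing to act on. The `@SSL@443/DavWWWRoot` form in the sample is the Windows WebDAV redirector's HTTPS path convention.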

The DarkMe malware delivered in this campaign enables the attackers to enumerate folder content, create and delete folders, execute shell commands, obtain system information, and generate a ZIP file from a given path.
