
Microsoft Patches Zero-Day Used To Bypass Microsoft Defender SmartScreen

Giulio Saggin
Wednesday 14 February 2024

Microsoft has patched a zero-day that was being exploited in the wild to bypass Microsoft Defender SmartScreen.

The vulnerability, CVE-2024-21412, has been tracked since December 2023. Attackers were using it to get around the patch for an earlier Defender SmartScreen bypass, CVE-2023-36025, and to infect victims' computers with the DarkMe malware.

The Trend Micro Zero Day Initiative discovered CVE-2024-21412 after it observed the group Water Hydra (a.k.a. DarkCasino) using "similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components." Water Hydra was using the vulnerability to target financial market traders.

Compromising a victim's computer was not a matter of simply 'attack and infect'. The exploit needs user interaction: the attacker must not only deliver a malicious file to the potential victim, but also convince them to open it.

Trend Micro Zero Day Initiative researchers Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun explained that this was done by linking from a landing page to a malicious WebDAV share with a filtered, crafted view.

"When users click on the link, the browser will ask them to open the link in Windows Explorer," wrote the researchers. "This is not a security prompt, so the user might not think that this link is malicious."

Water Hydra also borrowed a stock icon from the Windows Image Resource icon library (imageres.dll) to change the shortcut's icon and lend the file further legitimacy. If the victim took the bait, Water Hydra was able to fully compromise the host.
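A triage script for the indicators described above, added here as an example; it is not code from the SecAlerts article, Microsoft or Trend Micro's research. It parses the INI-style [InternetShortcut] section of a .URL file and flags three traits: a target that resolves to a remote WebDAV share, an IconFile that borrows a stock icon from imageres.dll, and a shortcut whose target is itself another .URL file (a chaining trick assumed here, not something this page describes). The heuristics, the hostnames and the two sample shortcut bodies are the example's own constructions, not observed Water Hydra artefacts.

```python
"""Triage internet shortcut (.URL) files for the traits described above:
a target on a remote WebDAV share, an icon borrowed from a Windows system
icon library, and a shortcut that chains to another .URL.

Added example, not code from SecAlerts, Microsoft or Trend Micro ZDI. The
heuristics are this example's own; the sample shortcut bodies below are
constructed, and their hosts and paths are invented.
"""
import configparser
import ntpath
import re
from typing import Dict, List
from urllib.parse import urlparse

# UNC paths that Windows hands to the WebDAV mini-redirector, e.g.
# \\host@80\DavWWWRoot\... or \\host@SSL@443\share\...
WEBDAV_UNC = re.compile(r"^\\\\[^\\@]+@(?:ssl|\d+)(?:@\d+)?\\", re.IGNORECASE)

# System libraries whose stock icons get borrowed to make a shortcut look like
# a document or image. imageres.dll is the "Windows Image Resource" library
# named in the article; shell32.dll is added here as an assumption.
ICON_LIBRARIES = {"imageres.dll", "shell32.dll"}


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] section as a dict with lower-cased keys.

    .URL files are INI-formatted; configparser handles them once value
    interpolation is disabled (URLs frequently contain '%').
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section; not an internet shortcut")
    return {key.lower(): value.strip() for key, value in parser.items("InternetShortcut")}


def is_remote_target(target: str) -> bool:
    """True if the shortcut resolves to a remote share rather than to a web
    page or a local file: WebDAV UNC paths and file:// URLs naming a host."""
    if WEBDAV_UNC.match(target):
        return True
    parsed = urlparse(target)
    return parsed.scheme.lower() == "file" and parsed.netloc.lower() not in ("", "localhost")


def triage_shortcut(text: str) -> List[str]:
    """Return the suspicious traits found in one .URL file body, in a fixed order."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    icon = fields.get("iconfile", "")
    findings: List[str] = []
    if is_remote_target(target):
        findings.append("remote-target")
    if target.lower().endswith(".url"):
        findings.append("nested-shortcut")
    if ntpath.basename(icon).lower() in ICON_LIBRARIES:
        findings.append("spoofed-icon")
    return findings


# Constructed samples (hypothetical; not real Water Hydra artefacts).
BENIGN_SHORTCUT = """\
[InternetShortcut]
URL=https://www.example.com/quarterly-report
"""

SUSPICIOUS_SHORTCUT = r"""[InternetShortcut]
URL=\\203.0.113.10@80\DavWWWRoot\Reports\Q4-Report.url
IconFile=C:\Windows\System32\imageres.dll
IconIndex=1
"""


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_SHORTCUT), ("suspicious", SUSPICIOUS_SHORTCUT)):
        print(f"{name}: {triage_shortcut(body) or ['clean']}")
```

Point this at the .URL files in mail-attachment quarantines or users' Downloads folders rather than at the whole filesystem: legitimate intranet shortcuts to an internal WebDAV server will trip the remote-target check, so treat that finding as a hunting lead and the icon and nested-shortcut findings as the stronger signals.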

CVE-2024-21412 was fixed in Microsoft's February Patch Tuesday.

© 2024 SecAlerts Pty Ltd.