The Trend Micro Zero Day Initiative (ZDI) has recently unearthed a critical vulnerability, identified as CVE-2024-21412, which they’ve dubbed ZDI-CAN-23100.
The flaw was reported to Microsoft as part of a Microsoft Defender SmartScreen bypass utilized in a complex zero-day attack chain orchestrated by the APT group known as Water Hydra (AKA DarkCasino). Their targets were financial market traders.
Beginning in late December 2023, Trend Micro observed a campaign by Water Hydra employing similar tools, tactics and procedures (TTPs) that involved exploiting internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components.
In this attack, CVE-2024-21412 was used to evade Microsoft Defender SmartScreen and implant victims with the DarkMe malware. Through collaboration with Microsoft, the ZDI bug bounty program ensured swift disclosure and patching of this vulnerability.
Read more about this patch: Microsoft Fixes Two Zero-Days in February Patch Tuesday
The Water Hydra group, initially mistaken for the Evilnum APT group due to similarities in phishing techniques, has been active since 2021, primarily targeting the financial industry. Notably, they’ve exploited vulnerabilities such as CVE-2023-38831 and have showcased a high level of technical sophistication.
The Water Hydra attack chain, unveiled by Trend Micro in an advisory published on Tuesday, involves intricate methods to lure victims, including spear-phishing campaigns on forex and stock trading forums. They exploit the “search: protocol” to manipulate Windows Explorer views and deceive users into clicking malicious internet shortcut files.
Further analysis revealed that Water Hydra leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen. By employing a cascade of internet shortcuts, they evaded security measures and executed malicious payloads, such as the DarkMe malware, without users’ knowledge.
According to Trend Micro, Water Hydra’s modus operandi underscores the severity of zero-day threats in cybersecurity.
“When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains,” reads the advisory.
“With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems.”