Water Hydra Group Exploits Microsoft Defender SmartScreen Zero-Day Flaw

by Esmeralda McKenzie

Threat actors exploit Microsoft Defender SmartScreen zero-day flaws to bypass the protection mechanisms designed to shield users from malicious websites and downloads.

By leveraging these vulnerabilities, threat actors can evade detection, gain unauthorized access, and carry out potentially malicious actions.


Cybersecurity researchers at Trend Micro recently identified that threat actors belonging to the APT group Water Hydra (aka DarkCasino) were actively exploiting a Microsoft Defender SmartScreen zero-day flaw.

The Trend Micro Zero Day Initiative discovered the vulnerability, now identified as CVE-2024-21412 and tracked as ZDI-CAN-23100.


Water Hydra Exploits Microsoft SmartScreen

The Water Hydra group emerged in 2021 and was found to be hitting the finance sector worldwide hard. First and most notably linked to Evilnum, they unveiled the DarkMe RAT in the DarkCasino campaign (Sept 2022).

A streamlined infection process has been actively used by the Water Hydra group since late January 2024.

Attack chain used by Water Hydra (Source - Trend Micro)

Water Hydra streamlined the DarkMe infection process in January 2024 by updating its infection chain and using CVE-2024-21412 to run a malicious Microsoft Installer file (.MSI).

Updated attack chain (Source - Trend Micro)

Water Hydra's spearphishing campaign (T1566.002) hit forex and stock trading forums using the DarkMe malware. The social engineering lure consisted of fake stock trading tools posted on a compromised Russian site (fxbulls[.]ru).

Notably, this site shares a name with a legitimate broker (fxbulls[.]com), whose MT4 app was removed from the Apple App Store and later reinstated due to Russian sanctions.

Malicious landing page (Source - Trend Micro)

The campaign tricks victims with an internet shortcut (.url) that abuses the search protocol in Windows Explorer by exploiting CVE-2024-21412. Water Hydra uses imageres.dll to disguise the shortcut as a JPEG, which helps it bypass SmartScreen and compromise Windows.

An unusual twist involves referencing another internet shortcut (2.url) from within the initial one, exploiting a SmartScreen zero-day (CVE-2023-36025).

Water Hydra manipulates Windows Explorer by tricking users into triggering the CVE-2024-21412 exploit, which allows the abuse of Mark-of-the-Web (MotW) flaws and evades SmartScreen. The infection chain operates discreetly, as it is hidden from the user.

After the SmartScreen bypass, the second shortcut (2.url) executes a ZIP-embedded batch file from the WebDAV share, launching the DarkMe DLL loader without user awareness. The whole process occurs stealthily, leaving users oblivious.

Post-exploitation, the actor connects to a WebDAV server to fetch a genuine JPEG with the same name as the Trojan, which deceives the victim into thinking they opened the intended file, unaware of the DarkMe infection.
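The shortcut traits described above (a .url whose target sits on a remote WebDAV share, a shortcut that chains to a second .url, the Explorer search protocol as the target scheme, and an icon borrowed from a Windows DLL so the file passes for an image) are all visible in the plain-text .url file itself, so they can be triaged before anything is clicked. The following scanner is an added example for defenders, not code from Trend Micro or from this article: it parses the INI-style [InternetShortcut] section (URL=, IconFile=, IconIndex= keys) and tags each of those traits. The sample shortcuts are constructed; the host 203.0.113.5 is a documentation address, not an indicator from the report, and the finding names are this example's own.

```python
"""Triage scanner for Windows Internet Shortcut (.url) files (added example)."""
import re

# Windows system DLLs commonly used to give a shortcut a "normal file" icon.
SYSTEM_ICON_DLLS = {"imageres.dll", "shell32.dll"}
# Windows WebDAV redirector UNC conventions: \\host@80\..., \\host@SSL@443\..., DavWWWRoot
WEBDAV_HINT = re.compile(r"@80\\|@ssl\\|@ssl@\d+\\|davwwwroot", re.I)
# UNC (\\host\share or //host/share) and file:// targets live on a remote share.
REMOTE_PATH = re.compile(r"^(\\\\|//|file://)", re.I)
URL_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]+):", re.I)


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def assess_url_file(text):
    """Return a sorted list of finding tags for one .url file's contents."""
    keys = parse_url_file(text)
    url = keys.get("url", "")
    icon = keys.get("iconfile", "")
    findings = set()

    match = URL_SCHEME.match(url)
    scheme = match.group(1).lower() if match else ""
    if scheme in ("search-ms", "search"):
        findings.add("url-uses-search-protocol")
    if REMOTE_PATH.match(url):
        findings.add("url-targets-remote-share")
    if WEBDAV_HINT.search(url):
        findings.add("url-targets-webdav-share")
    if url.lower().endswith(".url"):
        findings.add("url-references-another-shortcut")
    if REMOTE_PATH.match(icon):
        findings.add("icon-loaded-from-remote-share")

    # Benign shortcuts also borrow system icons, so only report the icon when
    # the target itself is already suspicious.
    icon_name = re.split(r"[\\/]", icon)[-1].lower()
    if icon_name in SYSTEM_ICON_DLLS and findings:
        findings.add("icon-borrowed-from-system-dll")
    return sorted(findings)


# Constructed samples (not artifacts from the campaign).
BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=13
"""

NESTED_ON_WEBDAV = r"""[InternetShortcut]
URL=\\203.0.113.5@80\DavWWWRoot\photos\2.url
IconFile=C:\Windows\System32\imageres.dll
IconIndex=5
"""


def triage(samples):
    """Map sample name -> findings, for a batch of .url file contents."""
    return {name: assess_url_file(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, tags in triage({"benign": BENIGN, "nested": NESTED_ON_WEBDAV}).items():
        print(f"{name}: {tags or 'no findings'}")
```

Run against a quarantine folder, the scanner gives an analyst a quick yes/no on whether a shortcut deserves a closer look; it deliberately reads only the text of the .url file and never resolves the target, so it is safe to run on a live sample.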

Zero-day attacks pose grave risks to organizations by exploiting undisclosed vulnerabilities, such as CVE-2023-38831, which Water Hydra used before disclosure.

APT groups like APT28 and APT29 leverage such exploits, worsening the threat. Furthermore, bypassing patches like that for CVE-2023-36025 with CVE-2024-21412 underscores how APTs adapt to security measures.

Source credit : cybersecuritynews.com
