February 14, 2024
Severity
High
Analysis Summary
Microsoft has patched a Windows Defender SmartScreen zero-day that a financially motivated threat group was exploiting in the wild to distribute the DarkMe remote access trojan (RAT).
The cybercriminal group, tracked as Water Hydra (also known as DarkCasino), was observed abusing the zero-day, CVE-2024-21412, in attacks on New Year's Day. The vulnerability allows an unauthenticated attacker to send a targeted user a specially crafted file designed to bypass security checks, but the attacker has no way to force the user to view the attacker-controlled content: the attack only succeeds if the user is convinced to click the file link.
The researchers also found that CVE-2024-21412 bypasses the fix for an earlier Windows Defender SmartScreen flaw, CVE-2023-36025, which Microsoft patched in the November 2023 Patch Tuesday release. Last month, CVE-2023-36025 was likewise abused to bypass Windows security prompts when clicking on .URL files in order to spread the Phemedrone information stealer.
The newly patched zero-day was used in attacks against foreign exchange (forex) traders participating in the high-stakes currency trading market, with the likely end goal of stealing data or deploying ransomware at a later stage. In late December 2023, a Water Hydra campaign using similar tactics, techniques, and procedures (TTPs) was observed. It abused Internet shortcut (.URL) files and Web-based Distributed Authoring and Versioning (WebDAV) components. Calling one shortcut from inside another shortcut proved enough to evade SmartScreen, because the Mark-of-the-Web (MotW) was not properly applied. MotW is the Windows mechanism that flags files obtained from untrusted sources so that the user is warned before opening or running them.
Water Hydra targeted forex trading platforms and forums, as well as stock trading Telegram channels, in spear-phishing attacks that exploited CVE-2024-21412. The lure was a malicious stock chart linking to a compromised Russian trading-information website that posed as a forex broker platform; the goal was to socially engineer targeted traders into installing the DarkMe malware.
The threat actors posted messages in English and Russian asking for or offering trading guidance, and spread fake stock and financial tools related to chart technical analysis and chart indicator tools. Water Hydra has exploited other zero-days in the past: it used CVE-2023-38831, a high-severity vulnerability in WinRAR (software with more than 500 million users), to take over trading accounts many months before a patch was publicly available.
Exploitation of CVE-2023-38831 was later also attributed to several state-backed groups, including Sandworm, APT40, DarkPink, APT28, and Konni, advanced persistent threat (APT) actors from China, Russia, and North Korea. Microsoft also released a patch for a second Windows SmartScreen zero-day, CVE-2024-21351, which was exploited in the wild and could allow an attacker to inject code into SmartScreen and achieve code execution.
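The nested-shortcut and WebDAV pattern above is something a responder can triage on disk. The following script is an added example, not code from Rewterz, Trend Micro or Microsoft: it parses the INI-style body of a Windows Internet Shortcut (.url) file and flags targets that are remote file shares, use the WebDAV mini-redirector's "server@80" / "server@SSL" and DavWWWRoot syntax, point at another .url, or point at an executable. Those heuristics, the documentation-range hosts in the constructed samples, and the file names are the author's assumptions about what such a lure looks like; only the general mechanism (a shortcut whose target is itself a shortcut served over WebDAV) comes from the advisory. The optional `read_motw_zone` helper reads the Zone.Identifier alternate data stream, which is how MotW is stored on NTFS, so an analyst can check whether the file that reached the user carried the mark at all.

```python
"""Triage .url files for the nested-shortcut / WebDAV pattern (added example)."""
import configparser
from urllib.parse import urlparse, unquote

# Extensions that would execute if the target were opened (assumption for the example).
EXEC_EXT = (".exe", ".dll", ".msi", ".cmd", ".bat", ".vbs", ".js", ".hta", ".cpl", ".lnk", ".scr")


def shortcut_target(text: str):
    """Return the URL= value from an .url file body, or None if it is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # configparser lowercases option names, so "URL=" is read back as "url".
    return cp.get("InternetShortcut", "url", fallback=None)


def is_webdav_host(host: str) -> bool:
    """True for the "server@80" / "server@SSL" form the WebDAV mini-redirector accepts."""
    if "@" not in host:
        return False
    suffix = host.rsplit("@", 1)[1].lower()
    return suffix == "ssl" or suffix.isdigit()


def split_target(url: str):
    """Split a target into (scheme, host, path), handling UNC paths as well as URLs."""
    if url.startswith("\\\\"):
        parts = url.lstrip("\\").split("\\")
        return "unc", parts[0], "/" + "/".join(parts[1:])
    p = urlparse(url)
    # Keep the raw netloc: urlparse would read "203.0.113.10@80" as user@host.
    return p.scheme.lower(), p.netloc, unquote(p.path)


def triage_shortcut(text: str) -> dict:
    """Flag a shortcut whose target is remote, WebDAV-served, another shortcut or an executable."""
    url = shortcut_target(text)
    if url is None:
        return {"url": None, "findings": [], "suspicious": False}
    scheme, host, path = split_target(url)
    low_host, low_path = host.lower(), path.lower()
    findings = []
    if scheme == "unc" or (scheme == "file" and low_host not in ("", "localhost")):
        findings.append("remote file share target")
    if is_webdav_host(host) or "davwwwroot" in low_path:
        findings.append("WebDAV mini-redirector syntax")
    if low_path.endswith(".url"):
        findings.append("target is another .url shortcut")
    if low_path.endswith(EXEC_EXT):
        findings.append("target is an executable")
    return {"url": url, "findings": findings, "suspicious": bool(findings)}


def read_motw_zone(path: str):
    """Return the ZoneId from the file's Zone.Identifier stream (NTFS only), else None."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            cp = configparser.ConfigParser(interpolation=None, strict=False)
            cp.read_string(fh.read())
            return cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    except (OSError, configparser.Error):
        return None


# Constructed samples for the example; the hosts are documentation-range addresses.
BENIGN = "[InternetShortcut]\nURL=https://learn.microsoft.com/windows/\n"
NESTED_WEBDAV = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.10@80/DavWWWRoot/charts/photo_2024.jpg.url\n"
    "IconIndex=1\n"
)
UNC_EXEC = "[InternetShortcut]\nURL=\\\\203.0.113.10@SSL\\DavWWWRoot\\stock\\indicator.cmd\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("nested", NESTED_WEBDAV), ("unc", UNC_EXEC)):
        print(name, triage_shortcut(body))
```

In practice you would feed it every .url file pulled from a user's Downloads folder, mail attachments or Telegram cache and review anything marked suspicious; a legitimate shortcut almost never points at a remote share, let alone at a second shortcut.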
Impact
- Security Bypass
- Financial Loss
- Data Theft
Indicators of Compromise
Domain Name
- 87iavv.com
MD5
- f87b1582be230f1335a84b6607a8ea76
- b39eb1379b8c6c6dc1da8494091feca2
- ea51f318f9a2ece816278b1b7cbcc8b3
- 86414db063e18d170a4ba50d3c581738
- 64fe29f2ec8f224f76174339a04a8301
- 3453d05a0acbd06c8774c2ba16644a9f
- 0eb77205379dffffba1d8a4e9d1d806b
- ac410ff679d4ce0299952259399ee5a2
- e9eb066685313d1f783b20d9b1174558
- 409e7028f820e6854e7197cbb2c45d06
- 1b81357e3161759f68a610643bc0503b
SHA-256
- 1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0
- 008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab
- e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1
- fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90
- 135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c
- 252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146
- 6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49
- 71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc
- b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb
- bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c
- dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54
SHA-1
- 4898c97014c87e4c13f1b61b1760f43381627fed
- 8280299d3f6d4e2dc27b9abb74241b11a1dabc4b
- 0fb64c439261634b967efb7c4c22f1c17dc6970f
- 91c726b01f5e160a6f4bb25930890313ea46e276
- dcd8c690094359e8cb49c4611ef32abda34d9b0d
- 0b9a82356134087c4bb62f78496b5461b9fcc572
- 6993dfa54b56475938e66d5caeab92639bdbadd3
- d16b7a028f2af54d24ea72cd5f2733b848e28436
- 5f11dd1b4e20bcfb7cabd502488667b23e4281db
- d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7
- 9682a044b93e02f31b6c2c579e10a508ab9bf7ef
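The indicators above, and the remediation advice below to search for them in your environment, can be applied with a simple hash sweep. The script that follows is an added example, not Rewterz's tooling: the MD5, SHA-1, SHA-256 and domain values are copied from this advisory, while the directory to sweep, the chunked hashing and the domain-suffix matching are the author's choices. It hashes every file under a root once and reports any whose digest is in one of the three sets, so indicators published in different hash formats can all be checked in one pass.

```python
"""Sweep a directory for the advisory's file hashes and match hostnames against its domain (added example)."""
import hashlib
import os
import sys

# Indicators copied from the advisory.
IOC_DOMAINS = {"87iavv.com"}
IOC_MD5 = set("""
f87b1582be230f1335a84b6607a8ea76 b39eb1379b8c6c6dc1da8494091feca2 ea51f318f9a2ece816278b1b7cbcc8b3
86414db063e18d170a4ba50d3c581738 64fe29f2ec8f224f76174339a04a8301 3453d05a0acbd06c8774c2ba16644a9f
0eb77205379dffffba1d8a4e9d1d806b ac410ff679d4ce0299952259399ee5a2 e9eb066685313d1f783b20d9b1174558
409e7028f820e6854e7197cbb2c45d06 1b81357e3161759f68a610643bc0503b
""".split())
IOC_SHA1 = set("""
4898c97014c87e4c13f1b61b1760f43381627fed 8280299d3f6d4e2dc27b9abb74241b11a1dabc4b
0fb64c439261634b967efb7c4c22f1c17dc6970f 91c726b01f5e160a6f4bb25930890313ea46e276
dcd8c690094359e8cb49c4611ef32abda34d9b0d 0b9a82356134087c4bb62f78496b5461b9fcc572
6993dfa54b56475938e66d5caeab92639bdbadd3 d16b7a028f2af54d24ea72cd5f2733b848e28436
5f11dd1b4e20bcfb7cabd502488667b23e4281db d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7
9682a044b93e02f31b6c2c579e10a508ab9bf7ef
""".split())
IOC_SHA256 = set("""
1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0
008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab
e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1
fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90
135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c
252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146
6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49
71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc
b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb
bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c
dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54
""".split())


def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same three digests for a file, read in chunks so large files do not fill memory."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def match_iocs(hashes: dict, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256) -> list:
    """Names of the hash algorithms under which this file matches an indicator."""
    hits = []
    for algo, ioc_set in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        if hashes[algo].lower() in ioc_set:
            hits.append(algo)
    return hits


def match_domain(hostname: str, domains=IOC_DOMAINS) -> bool:
    """True if the host, or any parent domain of it, is an indicator (cdn.87iavv.com matches)."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def sweep(root: str) -> list:
    """Walk a directory tree and return (path, [matching algorithms]) for every IOC hit."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_iocs(hash_file(path))
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if hits:
                matches.append((path, hits))
    return matches


if __name__ == "__main__":
    # Assumed usage: python ioc_sweep.py <directory>
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC match ({', '.join(hits)}): {path}")
```

Run it against user profile directories, mail stores and any WebDAV client cache; a hit on any one algorithm is enough to isolate the host and pull the file for analysis, and `match_domain` can be fed hostnames from proxy or DNS logs the same way.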
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.