Microsoft fixes a SmartScreen vulnerability that was used to distribute DarkGate malware



Microsoft recently addressed a critical vulnerability in its SmartScreen feature that threat actors exploited to distribute the DarkGate malware. Security company Trend Micro recently released a report showing evidence that hackers exploited the Windows Defender SmartScreen vulnerability to bypass its security checks and silently run fake software installers that deliver DarkGate. The vulnerability is tracked as CVE-2024-21412 and exists in Windows Defender SmartScreen. Attackers can craft special files that bypass the security checks Windows applies to downloaded content.

The special file in this case is a Windows Internet shortcut (.url file). Hackers can exploit the vulnerability by crafting a .url file that points to a second .url file hosted on a remote SMB share, which in turn carries out the next steps of the attack.

Trend Micro said that the Water Hydra hacking group has exploited this zero-day vulnerability to plant DarkMe malware on traders' systems. Microsoft released a patch for the vulnerability on Patch Tuesday in February this year.

SmartScreen Vulnerability Overview

The vulnerability, identified as CVE-2024-21412, allowed threat actors to inject code into SmartScreen, potentially leading to code execution and system compromise. Exploiting this flaw enabled attackers to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe remote access trojan.

CVE-2024-21412 is a zero-day vulnerability, meaning it was exploited before a patch was available. This highlights the importance of proactive vulnerability research and prompt mitigation to protect customers, employees, and systems from attacks that exploit such flaws.

(Figure: Exploiting the CVE-2024-21412 SmartScreen vulnerability)

Exploitation by Threat Actors

The Water Hydra APT group, also known as DarkCasino, used this vulnerability to target sectors such as banks, cryptocurrency platforms, and gambling sites globally. By disguising internet shortcuts as JPEG images, the threat actors could exploit CVE-2024-21412 to compromise Windows hosts and execute their attack chain.
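The two traits the article describes, a .url shortcut whose target is a second .url on a remote SMB share and a shortcut disguised with an image extension, can be checked for in a triage script. This is an added example written for this page, not code from Trend Micro or Microsoft; the sample shortcut contents and the 203.0.113.10 address are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample .url files for illustration (not artifacts from the report).
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
SUSPICIOUS = "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\stage2.url\n"

# Bare UNC path (\\host\share\...) as used to reach a remote SMB share.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def parse_url_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section, keys lowercased."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def target_is_remote_share(target):
    """True when the URL= value points at a remote SMB/UNC share."""
    if UNC_RE.match(target):
        return True
    parsed = urlparse(target)
    return parsed.scheme == "file" and (parsed.hostname or "").lower() not in LOCAL_HOSTS


def assess_shortcut(filename, text):
    """Flag the traits of the .url delivery chain described in the article."""
    findings = []
    # An image-looking name ending in .url: an internet shortcut disguised as a JPEG.
    if re.search(r"\.(jpe?g|png|gif|pdf)\.url$", filename.lower()):
        findings.append("disguised_extension")
    target = parse_url_shortcut(text).get("url", "")
    if target and target_is_remote_share(target):
        findings.append("remote_share_target")
    # Second-stage .url shortcut as the target, the pattern shown in the report figure.
    if target.lower().endswith(".url"):
        findings.append("nested_url_shortcut")
    return findings
```

Running `assess_shortcut("photo.jpg.url", SUSPICIOUS)` returns all three findings, while the benign shortcut returns none; a real deployment would feed it quarantined files from mail and download paths.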



Impact on Users

All currently supported Windows client versions were affected by this vulnerability, emphasizing the widespread impact of the SmartScreen flaw. The exploitation of such vulnerabilities underscores the importance of timely patching and proactive security measures to mitigate risks.

The users most at risk are those relying only on Microsoft Windows Defender; the risk is lower for those with multivendor layered security in place. Trend Micro customers who have implemented Intrusion Prevention System (IPS) technologies are at the lowest risk. Trend Micro has been protecting enterprises from cyber attacks for over three decades, and its Zero Day Initiative (ZDI) threat-hunting teams and Trend Micro products work together to identify new threats in the wild and build proactive protections for customers.

(Figure: Install MSI file via second .url shortcut)

Trend Micro customers have been protected from CVE-2024-21412 since January 17, 2024. Other users can now update their systems, since Microsoft has released an official patch. Organizations need to address the bug and update their systems to the latest patched version to prevent exploitation by threat actors.


Trend Micro’s Protection Measures

Trend Micro provided virtual patching against CVE-2024-21412 since January 17, offering additional protection to customers alongside Microsoft’s official patch. This proactive approach highlights the significance of comprehensive security solutions in safeguarding against evolving cyber threats.

Conclusion

In summary, a critical vulnerability (CVE-2024-21412) was discovered in Microsoft's SmartScreen feature, and threat actors exploited it to distribute the DarkGate malware. The vulnerability exists in Windows Defender SmartScreen and allows attackers to bypass its security checks and silently run fake software installers. The Water Hydra APT group, also known as DarkCasino, exploited this zero-day vulnerability to target various sectors globally, including banks, digital currency platforms, and gambling sites.

The vulnerability was exploited through internet shortcuts disguised as JPEG images. When a victim opens one of these files, the threat actor bypasses Microsoft Defender SmartScreen and goes on to fully compromise the Windows host. Microsoft released a patch for the vulnerability on Patch Tuesday in February 2024. Trend Micro has provided virtual patching against CVE-2024-21412 since January 17, 2024, offering additional protection to its customers alongside Microsoft's official patch. Organizations are advised to address the bug and update their systems to the latest patched version to prevent exploitation by threat actors.

