Water Hydra Group Exploits Microsoft Defender SmartScreen Zero-Day Flaw – CybersecurityNews

Threat actors exploit Microsoft Defender SmartScreen zero-day flaws to circumvent the security mechanisms designed to protect users from malicious websites and downloads. 
By leveraging these vulnerabilities, threat actors can evade detection, gain unauthorized access, and execute potentially harmful actions.
Cybersecurity researchers at Trend Micro recently identified that the threat actors behind the APT group Water Hydra (aka DarkCasino) have been actively exploiting a Microsoft Defender SmartScreen zero-day flaw.
The Trend Micro Zero Day Initiative discovered the vulnerability, which is tracked as CVE-2024-21412 (ZDI-CAN-23100).
The Water Hydra group emerged in 2021 and was found to be hitting the finance sector worldwide hard. Initially linked to Evilnum, they unveiled DarkMe RAT in the DarkCasino campaign (Sept 2022).
A streamlined infection process has been actively used by the Water Hydra group since late January 2024.
Water Hydra streamlined the DarkMe infection process in January 2024 by updating its infection chain and using CVE-2024-21412 to run a malicious Microsoft Installer File (.MSI).
Water Hydra’s spearphishing campaign (T1566.002) hit forex and stock trading forums using DarkMe malware. The social engineering lure consisted of fake stock trading tools posted on a compromised Russian site (fxbulls[.]ru).
Notably, this site shares a name with a legitimate broker (fxbulls[.]com), whose MT4 app was removed from the Apple App Store and later reinstated in connection with Russian sanctions.
The campaign tricks victims with an internet shortcut (.url) that abuses the search protocol in Windows Explorer by exploiting CVE-2024-21412. Water Hydra uses an icon from imageres.dll to disguise the shortcut as a JPEG, which helps bypass SmartScreen and compromise Windows.
An unusual twist is that the initial shortcut references another internet shortcut (2.url), exploiting a SmartScreen zero-day (CVE-2023-36025).
Water Hydra manipulates Windows Explorer by tricking users into triggering the CVE-2024-21412 exploit, which enables the exploitation of Mark-of-the-Web (MotW) weaknesses and evades SmartScreen. The infection chain runs without any indication to the user.
After the SmartScreen bypass, the second shortcut (2.url) executes a ZIP-embedded batch file from the WebDAV share, which launches the DarkMe DLL loader. The entire process runs stealthily, leaving the user oblivious.
Post-exploitation, the actor connects to a WebDAV server to download a genuine JPEG with the same name as the Trojan, which deceives the victim into thinking they opened the intended file, unaware of the DarkMe infection.
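To give defenders a concrete handle on the chain described above, here is an added example (not code from the article or from Trend Micro) that parses a constructed .url file and flags the traits the text names: a remote or search-protocol target, a shortcut that chains to a second .url, and an icon borrowed from a system DLL to pose as an image. The host name in the sample is a placeholder, not an indicator from the report.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample of the kind of internet shortcut described above.
# The host name is a placeholder, not an indicator from the report.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://example-webdav.invalid/share/2.url
IconFile=C:\\Windows\\System32\\imageres.dll
IconIndex=67
"""

SEARCH_SCHEMES = {"search-ms", "search"}

def analyse_url_shortcut(text):
    """Return a list of findings for a Windows .url (InternetShortcut) file.

    Each finding is a heuristic for one behaviour the article describes:
    a target reached through the Explorer search protocol or a remote
    share, a shortcut that points at a second shortcut, and an icon
    borrowed from a system DLL to impersonate a document type.
    """
    findings = []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return ["not an InternetShortcut file"]
    section = parser["InternetShortcut"]
    url = section.get("URL", "").strip()
    parsed = urlparse(url)

    if parsed.scheme in SEARCH_SCHEMES:
        findings.append(f"uses the {parsed.scheme}: protocol handler")
    # file:// with a host, or a raw UNC path, means the target lives on a
    # remote (WebDAV/SMB) share rather than on the local disk.
    elif (parsed.scheme == "file" and parsed.netloc) or url.startswith("\\\\"):
        findings.append("target is a remote share")

    # A shortcut whose target is itself a .url file is the chaining trick
    # used to reach the second-stage shortcut.
    if re.search(r"\.url\s*$", parsed.path or url, re.IGNORECASE):
        findings.append("target is another .url shortcut")

    icon = section.get("IconFile", "")
    if re.search(r"(^|[\\/])(imageres|shell32)\.dll$", icon, re.IGNORECASE):
        findings.append("icon taken from a system DLL (possible type spoofing)")
    return findings
```

The check inspects file contents only; it does not read the Mark-of-the-Web zone identifier, so pair it with MotW and SmartScreen telemetry when triaging downloads.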
Zero-day attacks pose grave risks to organizations by exploiting undisclosed vulnerabilities, such as CVE-2023-38831, which Water Hydra used before its disclosure.
APT groups like APT28 and APT29 also leverage such exploits, compounding the threat. Furthermore, bypassing the patch for CVE-2023-36025 by means of CVE-2024-21412 underscores how APTs adapt to security measures.