Microsoft recently addressed a critical vulnerability in its SmartScreen feature that threat actors have been exploiting to spread DarkGate malware. Security company Trend Micro recently published a report showing evidence that hackers used the Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers to distribute the DarkGate malware. The vulnerability is tracked as CVE-2024-21412 and exists in Windows Defender SmartScreen. Attackers can craft special files to bypass security checks on Microsoft systems.

This kind of special file is mainly a Windows Internet Shortcut (.url file). Hackers could use the vulnerability to create a .url file pointing to a second .url file hosted on a remote SMB share, which then carries out the rest of the attack.

Trend Micro said the Water Hydra hacking group used this zero-day vulnerability to plant DarkMe malware on merchants’ systems. Microsoft released a patch to fix the vulnerability during Patch Tuesday in February this year.

SmartScreen Vulnerability Overview

The vulnerability, identified as CVE-2024-21412, allowed threat actors to inject code into SmartScreen, potentially leading to code execution and system compromise. Exploitation of this flaw allowed attackers to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe remote access Trojan.

CVE-2024-21412 is a zero-day vulnerability, meaning it was exploited before a patch was available. This underscores the importance of proactively investigating and mitigating vulnerabilities immediately to protect customers, employees, and systems from attacks that exploit these vulnerabilities.

Exploitation of the CVE-2024-21412 SmartScreen vulnerability

Threat exploitation

The Water Hydra APT group, also known as DarkCasino, used this vulnerability to target various sectors such as banks, cryptocurrency platforms, and gambling sites worldwide. By masquerading Internet shortcuts as JPEG images, threat actors can exploit CVE-2024-21412 to compromise Windows hosts and execute their attack chain.
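As an added example (not code from this article, from Microsoft or from Trend Micro), the following Python triage script applies the two indicators the article describes to Windows Internet Shortcut files: a .url whose target is a remote SMB/UNC share or another .url shortcut, and a shortcut whose file name poses as a JPEG image. The sample shortcut contents and the 203.0.113.10 address are constructed for the example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url files (not taken from the Trend Micro report).
# Windows Internet Shortcut files are INI-style text with an [InternetShortcut] section.
SAMPLE_SHORTCUTS = {
    # Poses as an image and points to a second .url on a remote SMB share
    "photo.jpg.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/photo.jpg.url\r\n",
    # Plain UNC path to a remote share holding another shortcut
    "report.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\installer.url\r\n",
    # Benign shortcut to a web page
    "docs.url": "[InternetShortcut]\r\nURL=https://learn.microsoft.com/\r\n",
}

# Extensions commonly used as lures in front of the real .url extension
LURE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf")


def parse_internet_shortcut(text):
    """Return the URL= value of an [InternetShortcut] file, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def points_to_remote_share(url):
    """True if the shortcut target is a UNC path or a file:// URL with a remote host."""
    if url.startswith("\\\\") or url.startswith("//"):
        return True
    parsed = urlparse(url)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def has_double_extension_lure(filename):
    """True for names such as photo.jpg.url that pose as an image or document."""
    lower = filename.lower()
    return lower.endswith(".url") and lower[:-4].endswith(LURE_EXTENSIONS)


def triage_shortcut(filename, text):
    """Return a list of human-readable findings for one .url file (empty if nothing suspicious)."""
    findings = []
    url = parse_internet_shortcut(text)
    if url is None:
        return findings
    if points_to_remote_share(url):
        findings.append("target is a remote SMB/UNC share: " + url)
    if url.lower().endswith(".url"):
        findings.append("target is itself another .url shortcut (chained shortcut)")
    if has_double_extension_lure(filename):
        findings.append("file name uses a lure extension before .url: " + filename)
    return findings


if __name__ == "__main__":
    for name, content in SAMPLE_SHORTCUTS.items():
        result = triage_shortcut(name, content)
        print(name, "->", result or "no findings")
```

The same checks can be run over mail attachments or a quarantine folder; a shortcut that both points to a remote share and chains to a second .url is the pattern worth alerting on, while the file-name lure alone is a weaker signal.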

Impact on users

All currently supported client versions of Windows were affected by this vulnerability, highlighting the widespread impact of the SmartScreen flaw. Exploitation of such vulnerabilities highlights the importance of timely remediation and proactive security measures to mitigate risks.

The users most at risk are those using Microsoft Windows Defender, but the risk is lower for those with multi-layered protection from different vendors. Trend Micro customers who have implemented Intrusion Prevention System (IPS) technologies are at the lowest risk. Trend Micro has been protecting enterprises from cyberattacks for more than three decades, and their Zero Day Initiative (ZDI) threat hunting teams and Trend Micro products work together to identify emerging threats in the wild and build proactive defenses for their customers.

Image: Install MSI file via second .url shortcut

To address the risk, Trend Micro customers have been protected against CVE-2024-21412 since January 17, 2024. Other users can now update their systems, as Microsoft has released an official fix. Organizations should address the bug and update their systems to the latest patched version to prevent exploitation by threat actors.

Trend Micro security measures

Trend Micro provided a virtual patch against CVE-2024-21412 as of January 17, offering additional protection to customers alongside Microsoft’s official patch. This proactive approach underscores the importance of comprehensive security solutions in defending against evolving cyber threats.

Conclusion

In summary, a critical vulnerability (CVE-2024-21412) was discovered in Microsoft’s SmartScreen feature. Threat actors exploited it to distribute DarkGate malware. The vulnerability exists in Windows Defender SmartScreen and allows attackers to bypass security checks and automatically install fake software installers. The Water Hydra APT group, also known as DarkCasino, has been taking advantage of this zero-day vulnerability. They used it to target various sectors globally, including banks, digital currency platforms and gambling sites.

The vulnerability was exploited through Internet shortcuts disguised as JPEG images. When these supposed images are opened, the threat bypasses Microsoft Defender SmartScreen and completely compromises the Windows host. Microsoft released a patch to address the vulnerability during Patch Tuesday in February 2024. Trend Micro provided a virtual patch against CVE-2024-21412 on January 17, 2024, offering additional protection to customers along with Microsoft’s official patch. Organizations are advised to address the bug and update their systems to the latest patched version to prevent exploitation by threat actors.



Microsoft fixes a SmartScreen vulnerability that was used to distribute DarkGate malware