
DarkMe Malware

A recently disclosed security vulnerability in Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat group known as Water Hydra, also tracked as DarkCasino. The primary targets of this attack are individuals involved in financial market trading. Researchers discovered the campaign in December 2023.

The attackers are taking advantage of CVE-2024-21412, a security bypass vulnerability associated with Internet Shortcut Files (.URL). In the attack sequence, the threat actor utilizes CVE-2024-21412 to circumvent Microsoft Defender SmartScreen and introduce the DarkMe malware to infect unsuspecting victims.

Microsoft has since addressed this vulnerability in its February Patch Tuesday update. According to the company, an unauthenticated attacker could exploit the flaw by sending a specially crafted file to the targeted user, allowing them to bypass security checks. However, successful exploitation relies on the threat actor convincing the victim to click on the file link and view the attacker-controlled content.

The DarkMe Malware is Deployed via a Multi-stage Attack Chain

DarkMe exhibits the capability not only to download and execute additional instructions but also to register itself with a Command-and-Control (C2) server and collect information from the compromised system.

During the observed infection process, the exploit of CVE-2024-21412 is employed to deploy a harmful installer file ('7z.msi'). This is achieved by enticing victims to click on a booby-trapped URL ('fxbulls.ru'), which is disseminated through forex trading forums. The lure is presented under the guise of sharing a link to a stock chart image. However, the actual content of the link is an internet shortcut file ('photo_2023-12-29.jpg.url').

The landing page on 'fxbulls.ru' features a link leading to a threatening WebDAV share with a carefully crafted filtered view. When users click on this link, the browser prompts them to open it in Windows Explorer. Notably, this does not trigger a security prompt, potentially leading the user to overlook the unsafe nature of the link.

A noteworthy aspect of this scheme is the threat actor's exploitation of the search application protocol, commonly used for calling the desktop search application on Windows. This protocol has been misused in the past to deliver malware. The actor's clever manipulation of this protocol adds an additional layer of deception to the infection process.

APT (Advanced Persistent Threat) Groups Often Exploit Zero-Day Vulnerabilities

The distinctive referencing technique used in the DarkMe infection chain, a shortcut nested within another shortcut, has proved effective at circumventing SmartScreen. In this instance, SmartScreen fails to correctly apply the Mark of the Web (MotW), a crucial Windows component designed to alert users when opening or running files from untrusted sources.
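The indicators described above (a double-extension .url filename, a target on a remote WebDAV or UNC share, a shortcut that points at another shortcut, and the search protocol handler) can be checked mechanically when triaging Internet Shortcut files. The script below is an added example, not code from the researchers or from this report; the sample shortcut text, host and path are constructed placeholders, not real indicators.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample .URL file modelled on the page's description: a double
# extension, pointing at a second .url on a remote share. Placeholder names.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://webdav.example/share/sub/photo_2023-12-29.jpg.url
IconIndex=0
"""


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section; {} if absent/invalid."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (URL, IconFile, ...)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def triage_shortcut(filename: str, text: str) -> list:
    """Return the red flags found in a .URL file (empty list if none)."""
    flags = []
    # Lure names such as 'photo_... .jpg.url' hide the real .url extension.
    if re.search(r"\.(jpe?g|png|gif|pdf|docx?)\.url$", filename, re.I):
        flags.append("double extension hides .url")
    target = parse_internet_shortcut(text).get("URL", "")
    if not target:
        return flags
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    # search:/search-ms: invokes the desktop search application handler.
    if scheme in ("search", "search-ms"):
        flags.append("search application protocol handler")
    # file:// with a host, or a bare \\host\share path, means a remote share.
    if (scheme == "file" and parsed.netloc) or target.startswith("\\\\"):
        flags.append("target on remote share (WebDAV/UNC)")
    # A shortcut resolving to another shortcut is the nested-.url pattern.
    if parsed.path.lower().endswith(".url"):
        flags.append("shortcut points to another shortcut")
    return flags
```

Run `triage_shortcut(name, open(path).read())` over quarantined or mail-attached .url files; any non-empty result is worth a closer look.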

The ultimate objective of this campaign is to surreptitiously deliver a Visual Basic Trojan known as DarkMe in the background. Simultaneously, the campaign maintains a deceptive facade by displaying a stock graph to the victim, concealing the true nature of the exploitation and infection chain.

It's noteworthy that newly discovered zero-day vulnerabilities, often identified by cybercrime groups, can find their way into the arsenals of nation-state hacking groups. These sophisticated attackers, such as Water Hydra, possess the technical expertise and tools required to uncover and exploit zero-day vulnerabilities in advanced campaigns. This enables them to deploy highly destructive malware like DarkMe, showcasing their capability to execute intricate and potent attacks.
