DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
http://www.indiavpn.org/2024/02/14/darkme-malware-targets-traders-using-microsoft-smartscreen-zero-day-vulnerability/

Feb 14, 2024 | Newsroom | Zero-Day / Financial Sector Security

Microsoft SmartScreen Zero-Day Vulnerability

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.

Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).

“In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report.

Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.

However, successful exploitation hinges on the threat actor convincing the victim to click on the file link to view the attacker-controlled content.

The infection procedure documented by Trend Micro begins when the victim clicks on a booby-trapped URL (“fxbulls[.]ru”) distributed via forex trading forums under the pretext of sharing a link to a stock chart image. The link is, in reality, an internet shortcut file (“photo_2023-12-29.jpg.url”), and the chain exploits CVE-2024-21412 to drop a malicious installer file (“7z.msi”).

“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”

The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used for calling the desktop search application on Windows and has been abused in the past to deliver malware.

The rogue internet shortcut file, for its part, points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).

This unusual referencing stems from the fact that “calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark of the Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source.”

The end goal of the campaign is to stealthily deliver a Visual Basic trojan known as DarkMe in the background while displaying the stock graph to the victim, keeping up the ruse once the exploitation and infection chain has completed.

DarkMe comes with capabilities to download and execute additional instructions, alongside registering itself with a command-and-control (C2) server and gathering information from the compromised system.

The development comes amid a new trend where zero-days found by cybercrime groups end up getting incorporated into attack chains deployed by nation-state hacking groups to launch sophisticated attacks.

“Water Hydra possesses the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe,” the researchers said.

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw
http://www.indiavpn.org/2024/02/05/new-mispadu-banking-trojan-exploiting-windows-smartscreen-flaw/

Feb 05, 2024 | Newsroom | Malware / Financial Security

Mispadu Banking Trojan

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico.

The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week.

Propagated via phishing mails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q revealed that Mispadu spam campaigns had harvested no fewer than 90,000 bank account credentials since August 2022.

It’s also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.

The latest infection chain identified by Unit 42 employs rogue internet shortcut files contained within bogus ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows SmartScreen. It was addressed by Microsoft in November 2023.

“This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” security researchers Daniela Shalev and Josh Grunzweig said.

“The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor’s network share with a malicious binary.”
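Both articles describe the same shape of lure: an Internet Shortcut (.URL) file whose URL= target is a network share rather than a web address, a shortcut that points at a second shortcut, or a link that invokes the Windows search protocol, often hidden behind a double extension such as a .jpg.url name. The following triage script is an added example (not from either article or either vendor) that parses .URL file contents and flags those indicators for an analyst; all sample shortcuts and hosts are constructed placeholders.

```python
"""Defensive triage of Internet Shortcut (.URL) files for the indicators the
two articles describe: a URL= target on a network share, a nested .URL,
the search: protocol handler, and a double extension hiding the .url suffix."""
from __future__ import annotations

import configparser
import re
from urllib.parse import urlparse

# Constructed sample shortcuts; 203.0.113.10 is a documentation address, not an IoC.
SAMPLES = {
    "chart.url": "[InternetShortcut]\nURL=https://example.com/chart.png\n",
    "photo_2023-12-29.jpg.url": "[InternetShortcut]\nURL=\\\\203.0.113.10@80\\share\\2.url\n",
    "2.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/a2.zip/a2.cmd\n",
    "lure.url": "[InternetShortcut]\nURL=search:query=chart\n",
}

UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host[@port]\share\... (WebDAV or SMB)


def shortcut_target(text: str) -> str | None:
    """Return the URL= value of the [InternetShortcut] section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage(name: str, text: str) -> list[str]:
    """Return human-readable findings for one .URL file (empty list = nothing seen)."""
    findings = []
    if re.search(r"\.(jpe?g|png|gif|pdf|docx?)\.url$", name, re.I):
        findings.append("double extension disguises the shortcut as an image/document")
    target = shortcut_target(text)
    if target is None:
        return findings + ["no URL= target in [InternetShortcut]"]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if UNC_RE.match(target) or (scheme == "file" and parsed.netloc):
        findings.append("target is a network share (UNC/WebDAV), not an http(s) URL")
    if scheme in ("search", "search-ms"):
        findings.append("target invokes the Windows search protocol handler")
    tail = (parsed.path if scheme else target).lower()
    if tail.endswith(".url"):
        findings.append("shortcut points at another shortcut (nested .URL)")
    if re.search(r"\.(cmd|bat|msi|exe)$", tail):
        findings.append("target is an executable/installer rather than content")
    return findings


def summarize(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    return {name: triage(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in summarize().items():
        print(f"{name}: {'; '.join(findings) or 'nothing suspicious'}")
```

Run it over a directory of .url attachments pulled from mail quarantine; anything with more than one finding deserves a look at the file's Zone.Identifier stream and the share it points to.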

Mispadu, once launched, reveals its true colors by selectively targeting victims based on their geographic location (i.e., Americas or Western Europe) and system configurations, and then proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration.

In recent months, the Windows flaw has also been exploited in the wild by multiple cybercrime groups to deliver DarkGate and Phemedrone Stealer malware.

Mexico has also emerged as a top target for several campaigns over the past year that have been found to propagate information stealers and remote access trojans like AllaKore RAT, AsyncRAT and Babylon RAT. Among them is a financially motivated group dubbed TA558, which has attacked the hospitality and travel sectors in the LATAM region since 2018.

The development comes as Sekoia detailed the inner workings of DICELOADER (aka Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. The malware has been observed delivered via malicious USB drives (aka BadUSB) in the past.

“DICELOADER is dropped by a PowerShell script along with other malware of the intrusion set’s arsenal such as Carbanak RAT,” the French cybersecurity firm said, calling out its sophisticated obfuscation methods to conceal the C2 IP addresses and the network communications.

It also follows AhnLab’s discovery of two new malicious cryptocurrency mining campaigns that employ booby-trapped archives and game hacks to deploy miner malware that mines Monero and Zephyr.
