Updated January-February 2024 attack chain

In January 2024, Water Hydra updated its infection chain exploiting CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process.

Infection chain analysis

In this section, we will analyze the full Water Hydra campaign exploiting CVE-2024-21412 to bypass Microsoft Defender SmartScreen to infect users with DarkMe malware.

Initial Access: spearphishing attempts on forex forums

In the attack chain, Water Hydra deployed a spearphishing campaign (T1566.002) on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru).

It’s interesting to note that this compromised WordPress site shares the same name as an actual forex broker, fxbulls[.]com, but is hosted on a Russian (.ru) domain.

The fxbulls[.]com broker uses the MetaTrader 4 (MT4) trading platform, which was removed from the Apple App Store in September 2022 due to Western sanctions against Russia. However, Apple reinstated both MT4 and another MetaTrader version (MT5) by March 2023.

Initial Access: using JPEG images as lures

During our analysis of the spearphishing campaign on the forex trading forums, we uncovered a considerable number of posts by Water Hydra in both the English and Russian languages. Often, these posts would reply to general forex or stock trading questions regarding the technical analysis of trading charts and included a link to a stock chart as a lure.

However, instead of the expected stock chart, these posts linked back to an HTM/HTML landing page hosted on a compromised Russian language forex, stock, and cryptocurrency news site hosted on WordPress with a landing page showing a second malicious link. This lure, disguised as a link to a JPEG file, points to a WebDAV share. Many of the accounts we uncovered posting links to the malicious fxbulls[.]ru site were years old, indicating that DarkMe may have compromised legitimate user accounts on trading forums as part of its campaign.

The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view. When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.

Figure 6 shows the JPEG trojan horse linking back to a WebDAV share using Windows Advanced Query Syntax (AQS).

Initial Access: using PDF files as lures

As the Water Hydra campaign progressed, we noticed a shift to an additional lure in the form of a PDF file. These internet shortcuts disguised as PDF files have the same functionality as the JPEG lure that bootstraps the infection process. These PDF lures are also served from the compromised fxbulls[.]ru domain. These PDF lures can be delivered via phishing emails in the form of fake financial contracts.

Initial Access: using the search: protocol to customize the Windows Explorer window

In this campaign, Water Hydra employs an interesting technique to lure victims into clicking a malicious Internet Shortcut (.url) file. This TTP abuses the Microsoft Windows search: Application Protocol, which is distinct from the more common ms-search protocol. The search: protocol, which has been a part of Windows since Vista, invokes the Windows desktop search application. During the infection chain, Water Hydra uses the search: protocol with crafted Advanced Query Syntax (AQS) queries to customize the appearance of the Windows Explorer view in order to trick victims.

Figure 8 shows the HTML containing the malicious search: URL. Note the following characteristics of the URL:

•        It uses the search: application protocol search to perform a search for photo_2023-12-29.jpg.
•        It uses the crumb parameter to constrain the scope of the search to the malicious WebDAV share.
•        It uses the DisplayName element to deceive users into thinking that this is the local Downloads folder.

After clicking the link shown in Figure 8, we can see how the Windows Explorer view is presented to the victim (Figure 8). By using a combination of search protocols, AQS queries, and the DisplayName element, the Water Hydra operators can trick users into believing that the file from the malicious WebDAV server has been downloaded, tricking them into clicking this malicious file (a fake JPEG image). This Explorer window is a carefully crafted view of a malicious .url file named photo_2023-12-29.jpg.url. Microsoft Windows automatically hides the .url extension, making it appear from the filename that the file is a JPEG image.

Execution: exploiting CVE-2024-21412 (ZDI-CAN-23100) to bypass Microsoft Defender SmartScreen

CVE-2024-21412 revolves around internet shortcuts. These .url files are simple INI configuration files that take a “URL=” parameter pointing to a URL. While the .url file format is not officially documented, the URL parameter is the only one required for this file type.

During our analysis of this malicious .url file, we also noticed that Water Hydra used the imagress.dll (Windows Image Resource) icon library to change the default internet shortcut file to the image icon using the IconFile= and IconIndex= parameters to further deceive users and add legitimacy to the trojan horse internet shortcut. Through a simple double-click of this internet shortcut disguised as a JPEG, the Water Hydra operators can bypass Microsoft Defender SmartScreen by exploiting CVE-2024-21412 and fully compromise the Windows host.

While analyzing the CVE-2024-21412-infected internet shortcut file, we noticed something unusual. The URL= parameter of the photo_2023-12-29.jpg.url file pointed to another internet shortcut file hosted on a server with a dotted quad address (IPv4).

During our analysis of the malicious WebDAV share, we were able to obtain all the Water Hydra artifacts, including the referenced 2.url internet shortcut. Following this reference trail, we discovered that the 2.url contained the logic to exploit the previously patched Microsoft Defender SmartScreen bypass identified as CVE-2023-36025. During our recent research, we delved into a campaign targeting this CVE.

It’s highly unusual to reference an internet shortcut within another internet shortcut. Because of this anomalous behavior, we created a proof-of-concept (PoC) to perform further testing and analysis. During this PoC testing, ZDI discovered that the initial shortcut (which referenced the second shortcut) managed to bypass the patch that addressed CVE-2023-36025, evading SmartScreen protections. Through the analysis and testing of an internal PoC, we concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source. After our analysis, we contacted Microsoft MSRC to alert them about an active SmartScreen zero-day being exploited in the wild and provided them with our proof-of-concept exploit.

By crafting the Windows Explorer view, Water Hydra is able to entice victims into clicking on an exploit for CVE-2024-21412, which in turn executes code from an untrusted source, relying on Windows being unable to apply MotW correctly and resulting in a lack of SmartScreen protections. The infection chain simply runs in the background and the infected user has no knowledge of this.

After bypassing SmartScreen, the second 2.url shortcut runs a batch file embedded in a ZIP file from the attacker’s WebDAV share. This batch script copies and executes a DarkMe dynamic-link library (DLL) loader from the malicious WebDAV share. It’s alarming that this entire sequence runs without the user’s knowledge and SmartScreen protections. The end user is given little to no indication that anything is afoot.

In Figure 14, Sysinternals Process Explorer displays the malicious batch file’s execution. This batch file is the first script to be ran after the exploitation of CVE-2024-21412 results in the bypassing of SmartScreen protections.

The screenshot in Figure 15 shows the numerous requests made to the Water Hydra WebDAV share. In WebDAV we can observe several Property Find (PROPFIND) requests to retrieve XML-stored properties from the WebDAV server.

The following snippet shows the kb.txt registry file content:

Finally, to run the payload, the loader executes the following command to invoke the registered COM class:

“C:WindowsSysWOW64rundll32.exe” /sta {74A94F46-4FC5-4426-857B-FCE9D9286279}

The C&C domain is encrypted using RC4 and stored in a VB.Form TextBox named Text2022. The malware decrypts it using a hardcoded key, “noway123!$$#@35@!”.

The malware then registers the victim’s system with its C&C server by gathering information such as the computer name, username, installed antivirus software, and the title of the active window.

The following is an example of the initial network traffic the malware sends to register victims:

To check the connection with the C&C server, the malware periodically sends a heartbeat packet. The malware sets up a separate timer called Timer3 with an interval of “5555 milliseconds” for this task. Figure 26 shows an example of this traffic (some variants of DarkMe send a different value):

Once the malware registers its victim, it then initiates a listener for incoming TCP connections, waiting to receive commands from the attacker. Once a command is received, the malware parses and executes it on the infected system. The malware supports a wide range of functionalities. The supported commands would allow malware to Enumerate directory content (STRFLS, STRFL2), execute shell commands (SHLEXE), create and delete directories, retrieve system drive information (300100), and generate a ZIP file from given path (ZIPALO), among others.

Conclusion

Zero-day attacks represent a significant security risk to organizations, as these attacks exploit vulnerabilities that are unknown to software vendors and have no corresponding security patches. APT groups such as Water Hydra possess the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe.

In a previous campaign, Water Hydra exploited CVE-2023-38831 months before organizations could defend themselves. After disclosure, CVE-2023-38831 was subsequently deployed in other campaigns by other APT groups. ZDI has noticed several alarming trends in zero-day abuse. First, there exists a trend where zero-days found by cybercrime groups make their way into attack chains deployed by nation-state APT groups such as APT28 (FROZENLAKE), APT29 (Cozy Bear), APT40, Dark Pink, Ghostwriter, Konni, Sandworm and more. These groups employ these exploits to launch sophisticated attacks, thereby exacerbating risks to organizations. Second, the simple bypass of CVE-2023-36025 by CVE-2024-21412 highlights a broader industry trend when it comes to security patches that show how APT threat actors can easily circumvent narrow patches by identifying new vectors of attack around a patched software component.

To make software more secure and protect customers from zero-day attacks, the Trend Zero Day Initiative works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry.

Organizations can protect themselves from these kinds of attacks with Trend Vision One™️, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with technologies such as  Trend Micro Endpoint Security and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan, and block malicious content across the modern threat landscape.

Epilogue

During our investigation into CVE-2024-21412 and Water Hydra we began tracking additional threat actor activity around this zero-day. In particular, the DarkGate malware operators began incorporating this exploit into their infection chains. We will be providing additional information and analysis on threat actors that have exploited CVE-2024-21412 in a future blog entry. Trend Micro customers are protected from these additional campaigns via virtual patches for ZDI-CAN-23100.

Trend Protections

The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-21412 (ZDI-CAN-23100) and the DarkMe Malware Payload.

Trend Vision One Model

• Potential Exploitation of Microsoft SmartScreen Detected (ZDI-CAN-23100)
• Exploitation of Microsoft SmartScreen Detected (CVE-2024-21412)
• Suspicious Activities Over WebDav

Trend Vision One Threat Hunting Queries

(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND eventSubId:2 AND objectCmd:”rundll32.exe” AND objectCmd:/fxbulls/ AND ( objectCmd:.url OR objectCmd:.cmd)

(productCode:sds OR productCode:pds OR productCode:xes OR productCode:sao) AND eventId:1 AND eventSubId:2 AND objectCmd:”rundll32.exe” AND objectCmd:/underwall/ AND ( objectCmd:.url OR objectCmd:.cmd)

eventId:”100101″ AND (request:”*84.32.189.74*” OR request:”87iavv.com”)

eventId:3 AND (src:”84.32.189.74*” OR dst:”84.32.189.74*”)

productCode:(pdi OR xns OR pds OR sds OR stp OR ptp OR xcs) AND (eventId:(100115 OR 100119) OR eventName:INTRUSION_DETECTION) AND (src:”84.32.189.74*” OR dst:”84.32.189.74*”)

Trend Micro Cloud One – Network Security & TippingPoint Filters

• 43700 – HTTP: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability
• 43701 – ZDI-CAN-23100: Zero Day Initiative Vulnerability (Microsoft Windows SmartScreen)
• 43266 – TCP: Backdoor.Win32.DarkMe.A Runtime Detection

Trend Vision One Network Sensor and Trend Micro Deep Discovery Inspector (DDI) Rule

• 4983: CVE-2024-21412 – Microsoft Windows SmartScreen Exploit – HTTP(Response)

• 1011949 – Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412) 
• 1011950 – Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability Over SMB (CVE-2024-21412)
• 1011119 – Disallow Download Of Restricted File Formats (ATT&CK T1105)
• 1004294 – Identified Microsoft Windows Shortcut File Over WebDav
• 1005269 – Identified Download Of DLL File Over WebDav (ATT&CK T1574.002)
• 1006014 – Identified Microsoft BAT And CMD Files Over WebDav

Indicators of Compromise

The indicators of compromise for this entry can be found here.

Acknowledgments

The Zero Day Initiative would like to thank the following Trenders for their contributions in ensuring that Trend Micro customers were protected from this zero-day attack pre-patching:

Scott Graham, Mohamad Mokbel, Abdelrahman Esmail, Simon Dulude, Senthil Nathan Sankar, Amit Kumar, and a special thanks to the content writers and marketing teams for helping with this research.

We would like to thank the Microsoft Security Response Center (MSRC) team for their continued collaboration and their efforts in deploying a patch in a timely manner.