


DarkMe Targets Traders with Microsoft SmartScreen Zero-Day
Financial traders need to be alert to the DarkMe malware used by the Water Hydra group. It is delivered by exploiting a zero-day vulnerability in Microsoft Defender SmartScreen to compromise computers. MiniTool software reminds you not to click on unfamiliar links and to keep your system updated.
DarkMe malware exploits Microsoft SmartScreen zero-day vulnerability to target financial traders
Trend Micro Zero Day Project discovered vulnerability CVE-2024-21412 (tracked as ZDI-CAN-23100) and alerted Microsoft. The vulnerability is used in a complex zero-day attack chain orchestrated by the Advanced Persistent Threat (APT) group Water Hydra (also known as DarkCasino), which targets financial market traders by bypassing Microsoft Defender SmartScreen.
Starting in late December 2023, Trend Micro's monitoring detected activity by the Water Hydra group using similar tactics, techniques, and procedures (TTPs), including the use of Internet shortcut (.URL) files and WebDAV components. In this attack sequence the attacker exploits CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deploys the DarkMe malware on the victim's system.
What is the Water Hydra APT group?
The Water Hydra organization, first discovered in 2021, quickly gained fame for its focus on finance, launching attacks on banks, cryptocurrency platforms, forex and stock trading platforms, gambling websites and casinos around the world.
Initially, the group's activities were attributed to the Evilnum APT group because they used similar phishing techniques and other tactics, techniques and procedures (TTPs). However, in September 2022, researchers at NSFOCUS discovered a Visual Basic Remote Access Tool (RAT) called DarkMe in a campaign named DarkCasino, which specifically targeted European traders and gambling platforms.
By November 2023, after several further campaigns (including one that used the well-known WinRAR code execution vulnerability CVE-2023-38831 against stock traders), the characteristics of Water Hydra as a separate APT group distinct from Evilnum became clear.
You can find more information in this blog: CVE-2024-21412: Water Hydra exploits Microsoft Defender SmartScreen zero-day vulnerability to attack traders.
How to protect your device from DarkMe malware?
To avoid DarkMe malware attacks, you can do the following:
Don't open unfamiliar links
Microsoft addressed the vulnerability in its February Patch Tuesday update and warned that malicious actors could bypass established security measures by sending carefully crafted files to targeted recipients.
However, in order for the attack to succeed, the receiver must click on the file link and access the content controlled by the attacker.
According to Trend Micro's analysis, the infection chain deploys a malicious installer file named 7z.msi by exploiting CVE-2024-21412.
This happens when the recipient interacts with a malicious link (fxbulls[.]ru), usually distributed through a forex trading forum.
The URL, disguised as a link to a stock chart image, actually directs the user to an Internet shortcut file named photo_2023-12-29.jpg.url.
Therefore, to protect your device from DarkMe malware, you should not click to open any suspicious links.
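The chain above hinges on a file whose name looks like an image (photo_2023-12-29.jpg.url) but is really an Internet shortcut that points at attacker-controlled content. A defender can hunt for exactly those traits in .url files. The following script is an added example written for this article, not code from Trend Micro, Microsoft or MiniTool: it parses the INI-style .url format and flags the indicators the article describes (a double extension, a target on a remote file share or WebDAV path, a target that is itself a shortcut or installer). The file contents, host addresses and share paths in SAMPLE_FILES are constructed for the demonstration; only the file name photo_2023-12-29.jpg.url comes from the article.

```python
"""Hunt for suspicious Internet Shortcut (.url) files.

Added example for this article (not the page's or any vendor's code).
The sample contents below are constructed; only the first file name
is taken from the article.
"""
import configparser
import re
from urllib.parse import urlparse

# Constructed .url file contents keyed by file name. Hosts use RFC 5737
# documentation addresses, so nothing here refers to a real server.
SAMPLE_FILES = {
    # Looks like a photo, but it is a shortcut to a remote WebDAV share
    # that serves yet another .url file (constructed, not the real IoC).
    "photo_2023-12-29.jpg.url": (
        "[InternetShortcut]\n"
        "URL=file://203.0.113.10/webdav/photo.url\n"
        "IconIndex=3\n"
    ),
    # Benign shortcut to a normal HTTPS page.
    "Docs.url": "[InternetShortcut]\nURL=https://docs.example.com/\n",
    # Another double extension; target is an MSI on a UNC path (constructed).
    "report.pdf.url": (
        "[InternetShortcut]\n"
        "URL=\\\\198.51.100.7\\share\\setup.msi\n"
    ),
}

# A document/image extension immediately before the .url suffix.
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)\.url$", re.I)
# Target file types that should not be reached through an image-looking link.
RISKY_TARGET = re.compile(r"\.(url|lnk|msi|exe|hta|js|vbs|scr)$", re.I)


def parse_url_shortcut(content: str) -> dict:
    """Return the [InternetShortcut] fields (keys lower-cased) or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def analyze_shortcut(filename: str, content: str) -> list:
    """Return a list of indicator names found for one .url file (empty = clean)."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double_extension")

    fields = parse_url_shortcut(content)
    target = fields.get("url", "").strip()
    if not target:
        return findings

    parsed = urlparse(target)
    if target.startswith("\\\\"):
        # Bare UNC path: \\host\share\file, served over SMB or WebDAV.
        findings.append("unc_target")
        path = target
    elif parsed.scheme.lower() == "file" and parsed.netloc and parsed.netloc.lower() != "localhost":
        # file://host/... with a remote host also resolves to a network share.
        findings.append("remote_file_target")
        path = parsed.path
    else:
        path = parsed.path

    if RISKY_TARGET.search(path):
        findings.append("target_is_shortcut_or_installer")

    # IconFile can also pull from a remote share; flag that too.
    if fields.get("iconfile", "").strip().startswith("\\\\"):
        findings.append("remote_icon_file")
    return findings


def scan(files: dict) -> dict:
    """Map each file name to its findings."""
    return {name: analyze_shortcut(name, content) for name, content in files.items()}


def suspicious_names(files: dict) -> list:
    """Sorted names of files that triggered at least one indicator."""
    return sorted(name for name, found in scan(files).items() if found)


if __name__ == "__main__":
    for name, found in scan(SAMPLE_FILES).items():
        status = ", ".join(found) if found else "clean"
        print(f"{name}: {status}")
```

The indicators are deliberately simple so that a security analyst can review the logic and tune it. In an investigation, the same function can be run over every .url file found in Downloads folders, mail attachment caches or a triage image, and the findings forwarded to the SIEM alongside the file hash.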
Keep Windows System Updated
Microsoft continues to release Windows updates that include security fixes for discovered vulnerabilities. To keep your computer safe, you should install the latest Windows updates when they are available.
- In Windows 10, you can go to Start > Settings > Updates and Security to check for updates and install available updates.
- In Windows 11, you can go to Start > Settings > Windows Update to check for updates and install available updates.
Additionally, you can enable automatic updates on your Windows computer.
Using anti-virus software
Anti-virus software is also necessary to defend against DarkMe and many other malware threats. For example, you should enable all the protection features in Windows Security. In addition, you can install third-party antivirus software such as Bitdefender Antivirus, Norton AntiVirus, or McAfee AntiVirus.
How to protect your data and systems on your computer?
Data backup
You can use Windows backup software to back up the files and system on your computer. Windows has built-in tools such as File History and System Restore to help you with backups.
If you want to use third-party backup software, you can try MiniTool ShadowMaker. This backup utility can back up files, folders, partitions, disks, and systems to any storage device that Windows detects.
Data recovery
If you want to recover deleted or lost files, you can try MiniTool Power Data Recovery. This data recovery tool can recover files from hard drives, SSDs, USB flash drives, memory cards, etc.
Now you know what steps you can do to deal with DarkMe malware. Be careful when browsing the Internet.