Zero-Day Threats: Water Hydra's Tactics and Trend Micro's Defense

By AX17 | figurehowtowrite | 19 Feb 2024


As I regularly explore software development topics and the latest technical news, I decided to look deeper at the previous week's news regarding a vulnerability exploit. More specifically, it is about CVE-2024-21412, a zero-day vulnerability in Microsoft Defender SmartScreen exploited by the group Water Hydra. The group has been active since 2021 and is linked to attacks on financial institutions globally. It seems, to my understanding, that the infection has been going on for months and is a complex ongoing process.

Microsoft Defender's main scope is to protect users from malware-infected websites, phishing attacks and potentially harmful downloads.

what it is and how it works

In this malicious activity, the attackers target traders, possibly trying to access financial data or manipulate trading systems, tactics or actions. People should take precautions, like disabling SmartScreen temporarily, until Microsoft issues a patch. I will not even pretend to understand a quarter of the analysis, but I did my best to explain it to myself and, consequently, share it here in a more digestible format as part of our weekly tech dose Publish0x article.

targets and how it attacks

In cooperation with Microsoft, Trend Micro announced the zero-day attack and facilitated a rapid patch. Water Hydra's patterns show high technical skill, including activities such as exploiting undisclosed zero-day vulnerabilities (for example CVE-2023-38831).

The group's attack chain has evolved, with recent deployments showing an ongoing infection process since late January 2024.


  • attackers apparently target forex and stock traders by using spearphishing on trading forums and Telegram channels. (I never liked Telegram... friends got scammed via Telegram, while good interactions and learning about projects always came to me via Discord, so maybe that was the main reason why I have avoided Telegram since 2017. Now, also this)


  • used social engineering techniques: fake financial tools and advice, all followed by links leading to a trap website such as fxbulls[.]ru. Of note, such sites have names similar to the original broker website one would normally access as part of their day-to-day trading
  • once the link is accessed, it 'gifts' the visitor a trojanized stock chart or fake JPEG links that redirect to WebDAV shares. Again, nothing about the landing page looks suspicious, as it appears authentic
  • the illusion of SAFETY is served to users as soon as they CLICK the links: the browser asks to open the dangerous links in Windows Explorer, creating a false feeling of trustworthiness and safety


Continuing, the next important and complex elements of the lure are:

  • referencing an internet shortcut within another shortcut, which escapes SmartScreen protection and bypasses the patch, hence a zero-day exploit
  • SmartScreen's failure to apply Mark-of-the-Web (MotW) correctly, so the infection proceeds discreetly and users remain unaware of the background activity (WebDAV share, execution of DarkMe DLLs, delivery of a Remote Access Trojan)
  • a DLL file written in Visual Basic
  • the malware command line includes junk code to complicate reading and reverse engineering, thus hiding its true purpose
  • communication with the C&C server uses a custom TCP protocol; when executed, the malware gathers information such as username, modules, libraries, installed antivirus, server name and active window, making its registration with the attacker's command and control server possible

Source: analysis published by Trend Micro, including the streamlined infection process, available here
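As an added illustration of the nested-shortcut bullet above (example code written for this topic, not from the original article or from Trend Micro's analysis), the Python script below parses Internet Shortcut (.url) files and flags one whose URL= target sits on a remote share or web server and points at yet another shortcut or executable-like file. The sample file contents and the extension deny-list are constructed for the example.

```python
import configparser
from typing import Optional
from urllib.parse import urlparse

# Hypothetical deny-list: a bookmark-style shortcut never needs to point at another shortcut or an executable-like file.
SUSPICIOUS_TARGET_EXTS = {".url", ".lnk", ".exe", ".dll", ".msi", ".scr"}

def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from an [InternetShortcut] section, or None if absent/malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "URL", fallback=None)
    return None

def is_remote_target(target: str) -> bool:
    """UNC paths and http(s)/WebDAV URLs count as remote; file:///C:/... does not."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file":
        return bool(parsed.netloc)  # file://host/share/... is a remote (UNC) location
    return parsed.scheme.lower() in {"http", "https", "webdav", "dav"}

def target_extension(target: str) -> str:
    """Lower-cased extension of the last path component, with query/fragment removed."""
    name = target.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    name = name.split("?", 1)[0].split("#", 1)[0]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def shortcut_risk(text: str) -> str:
    """Classify one .url file body: 'malformed', 'benign' or 'remote-shortcut-chain'."""
    target = parse_url_shortcut(text)
    if target is None:
        return "malformed"
    if is_remote_target(target) and target_extension(target) in SUSPICIOUS_TARGET_EXTS:
        return "remote-shortcut-chain"
    return "benign"

# Constructed sample inputs (not real indicators from the campaign).
SAMPLE_FILES = {
    "quarterly_report.url": "[InternetShortcut]\r\nURL=https://example.com/reports/q1\r\n",
    "chart.url": "[InternetShortcut]\r\nURL=\\\\webdav.example.invalid\\share\\stock_chart.url\r\nIconIndex=1\r\n",
    "notes.txt": "just text, no section header",
}
```

Running shortcut_risk over each entry of SAMPLE_FILES classifies only chart.url as a remote shortcut chain; a real deployment would feed it .url files arriving by download or e-mail.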


finishing notes

I will continue following this subject as it is of interest and helps me on my current learning path. To conclude, I guess the advice is to never click on things that seem too good to be true, pay attention to image icons and link descriptions, read carefully the names of the sites we open while browsing, and maybe consider using Safari. Also, use Telegram with caution.

All the best
