Reading Time: 3 Minutes

In a recent security development, Microsoft has responded to an active threat by patching a zero-day vulnerability in Windows Defender SmartScreen, which was exploited by a financially motivated threat group to distribute the DarkMe remote access trojan (RAT).

The threat actors, identified as Water Hydra and DarkCasino, were observed leveraging the zero-day (CVE-2024-21412) in attacks targeting foreign exchange traders on New Year’s Eve, according to insights from Trend Micro security researchers.

Describing the vulnerability, Microsoft stated in a security advisory that an unauthenticated attacker could exploit it by sending a specially crafted file to the targeted user, bypassing displayed security checks. However, the attacker relies on social engineering to persuade users to interact with the malicious file.

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Security researcher Peter Girnus, credited with reporting the zero-day, revealed that CVE-2024-21412 bypasses another Windows Defender SmartScreen vulnerability (CVE-2023-36025), which was patched during the November 2023 Patch Tuesday.

Targeting Forex Traders

The attackers’ modus operandi involved spearphishing campaigns aimed at forex traders, particularly those engaged in high-stakes currency trading. Exploiting the zero-day, they targeted trading forums and stock trading Telegram channels, enticing victims with malicious stock charts linking to compromised trading information sites.

Trend Micro’s investigation revealed that Water Hydra utilized similar tactics and procedures observed in previous campaigns, exploiting internet shortcuts and WebDAV components to evade SmartScreen protections effectively.