Hackers are exploiting vulnerabilities in Microsoft SmartScreen, a cloud-based security feature designed to protect users from malicious websites and downloads. The vulnerability, tracked as CVE-2024-21412, was discovered by the Zero Day Initiative in January 2024 and patched by Microsoft in February. Despite the patch, groups like Water Hydra are still using the flaw to bypass SmartScreen and deploy malware such as DarkMe RAT via internet shortcuts.
The attack begins with the delivery of fake software installers through spam emails. These shortcuts, hosted on WebDAV shares, exploit the vulnerability to bypass SmartScreen protections and initiate a multi-step attack. This process involves PowerShell and JavaScript scripts to ultimately deploy information-stealing malware like Lumma and Meduza Stealer on the victim’s device.
The sophisticated attack chain includes using malicious links and files disguised as legitimate documents from various entities, such as tax agencies and government departments. Techniques like DLL side-loading and IDAT loader exploitation are used to distribute the malware, which is then injected into system processes like explorer.exe.
To mitigate such threats, experts recommend verifying email links, using advanced email filtering, and keeping software up-to-date. Additionally, implementing application whitelisting and network segmentation can help protect against evolving cyber threats and enhance overall security.
