CVE-2024-21412 | SmartScreen
| Vulnerability | CVE-2024-21412 |
|---|---|
| Description | CVE-2024-21412 is a zero-day vulnerability in Microsoft Windows SmartScreen that is actively exploited by DarkGate malware operators. This flaw allows attackers to bypass SmartScreen, a security feature designed to warn users about potentially malicious or untrusted files. By exploiting this vulnerability, attackers can execute malicious files without triggering security warnings, facilitating the distribution of malware such as ransomware, trojans, and remote access tools. |
| Affected Systems | Microsoft Windows systems with vulnerable versions of SmartScreen enabled. |
| Attack Vector | Remote: The attacker uses phishing emails, malicious links, or compromised websites to deliver files that exploit the SmartScreen bypass vulnerability. Once delivered, these files execute without triggering SmartScreen warnings. |
| Exploitation Techniques | - The in-the-wild exploit leverages .url files, which Windows treats as Internet Shortcuts. These .url files are crafted with the URL= parameter pointing to malicious resources hosted on a WebDAV server. - Victims are tricked into interacting with seemingly legitimate files that redirect to malicious resources, bypassing SmartScreen by exploiting its inability to validate certain file formats properly. - Through social engineering, the attacker embeds the payload in directories designed to mimic trusted folders, enticing users to click on these shortcuts. - These malicious .url files use Advanced Query Syntax (AQS) and the search: protocol to disguise the execution path and evade detection. |
| The Impact of the Bug | - Users are tricked into executing untrusted files without warnings, leading to system compromise. - Malware can bypass SmartScreen protections, increasing the likelihood of successful infections with ransomware, data stealers, or backdoors. - Significant risks to data confidentiality, integrity, and availability in enterprise and personal systems. |
| How to detect infections | - Certificate Checks: Detect files with invalid, revoked, or tampered certificates. - EDR Solutions: Use endpoint detection and response tools to identify and block malicious behaviors linked to known malware families such as DarkGate. |
| Mitigation Steps | - Apply security patches provided by Microsoft to address CVE-2024-21412. - Educate users about phishing campaigns and ensure caution when opening links or files from unknown sources. - Enable advanced security measures such as application whitelisting, sandboxing, or endpoint protection solutions. - Regularly monitor and update certificates used by your organization to prevent misuse. |
| Workarounds | - Configure application whitelisting to allow only trusted applications to execute. |
| IOCs | - Exploits have been observed in active DarkGate malware campaigns targeting Windows systems. |
| References | - Trend Micro Blog: CVE-2024-21412 - GitHub Repository: CVE-2024-21412 Water-Hydra |
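As an added example (not code from the card or from any of the referenced reports), the following Python inspects the body of a .url Internet Shortcut for the two delivery traits described in the Exploitation Techniques row: a URL= that points at a WebDAV share, and use of the search:/search-ms: protocol whose crumb=location: names a remote share. It assumes AQS parameters are &-separated key=value pairs after the scheme; the hosts and file names in the samples are constructed.

```python
import re
from configparser import ConfigParser, Error as ConfigError
from urllib.parse import unquote

def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style body of a Windows .url (Internet Shortcut) file; {} if malformed."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))          # tolerate a UTF-8 BOM
    except ConfigError:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))          # option names are lower-cased

def _aqs_params(url: str) -> dict:
    """Split 'search-ms:key=value&key=value' into a dict (these URIs carry no '?' separator)."""
    _, _, body = url.partition(":")
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    return params

def is_remote_share(target: str) -> bool:
    """True for a UNC path or a WebDAV-style target (DavWWWRoot, host@SSL, host@port)."""
    t = target.strip().lower()
    return t.startswith("\\\\") or "davwwwroot" in t or re.search(r"@(ssl|\d+)\b", t) is not None

def assess_url_shortcut(text: str) -> list:
    """Return the reasons a .url body matches the delivery pattern described above ([] = none)."""
    url = parse_url_shortcut(text).get("url", "").strip()
    if not url:
        return []
    findings = []
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("search", "search-ms"):              # AQS protocols named in the card
        findings.append(f"URL= uses the {scheme}: protocol")
        crumb = _aqs_params(url).get("crumb", "")
        if crumb.lower().startswith("location:") and is_remote_share(crumb[len("location:"):]):
            findings.append("search crumb points at a remote WebDAV/UNC location")
    elif is_remote_share(url):
        findings.append("URL= targets a remote WebDAV/UNC share")
    return findings

# Constructed sample shortcut bodies (not real campaign files); 203.0.113.10 is a documentation address.
BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.com/\nIconIndex=0\n"
WEBDAV_URL = "[InternetShortcut]\nURL=file://203.0.113.10@80/DavWWWRoot/Docs/report.url\n"
SEARCH_URL = ("[InternetShortcut]\nURL=search-ms:query=report&crumb=location:"
              "\\\\203.0.113.10@SSL\\DavWWWRoot\\Docs&displayname=Documents\n")
```

Feed each .url body found in mail attachments or download folders to assess_url_shortcut; a non-empty result is a candidate for the EDR and certificate checks listed in the detection row.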