CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign

The content of the decrypted request is as follows:

1000|87|283|Yes|6.1.7|||

Conclusion

In this research, a follow-up to our analysis of the Water Hydra APT Zero Day campaign, we investigated how DarkGate operators were able to exploit CVE-2024-21412 as a zero-day attack to deploy the complex evolving DarkGate malware. We also explored how security bypass vulnerabilities can be used in combination with open redirection in technologies such as the Google Ads ecosystem to spread malware and abuse the inherent trust organizations have in core web technologies.

To make software more secure and protect customers from zero-day attacks, the Trend Zero Day Initiative works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can use them in attacks. The ZDI Threat Hunting team also proactively hunts zero-day attacks in the wild to protect the industry.

Organizations can protect against such attacks with Trend Vision One, which enables security teams to continuously identify attack surfaces, including known, unknown, managed and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection and response options. All this is supported by advanced threat research, intelligence and artificial intelligence, which helps reduce the time needed to detect, respond and fix problems. Ultimately, Trend Vision One can help improve an organization’s overall security posture and effectiveness, including against zero-day attacks.

When faced with uncertain intrusions, behaviors and routines, organizations should assume their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems, especially with technologies such as Trend Micro™ Endpoint Security™ and Trend Micro Network Security, as well as comprehensive security solutions such as Trend Micro™ XDR, which can detect, scan and block malicious content in the modern threat landscape.

Trend Protections

The following protections exist to detect and protect Trend customers from zero-day CVE-2024-21412 (ZDI-CAN-23100).

Trend Vision One Model

  • Microsoft SmartScreen Potential Exploit Discovered (ZDI-CAN-23100)
  • Microsoft SmartScreen Exploit Discovered (CVE-2024-21412)
  • Suspicious activity via WebDav

Trend Micro Cloud One – Network Security and TippingPoint Filters

  • 43700: HTTP: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability
  • 43701: ZDI-CAN-23100: Zero Day Initiative Vulnerability (Microsoft Windows SmartScreen)

Trend Vision One Network Sensor and Trend Micro Deep Discovery Inspector (DDI) rule

  • 4983: CVE-2024-21412: Microsoft Windows SmartScreen Exploitation – HTTP (Response)

Trend Vision One Endpoint Security, Trend Cloud One – Workload and Endpoint Security, Deep Security and Vulnerability Protection IPS Rules

  • 1011949: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412)
  • 1011950: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability via SMB (CVE-2024-21412)
  • 1011119: Disable Download of Restricted File Formats (ATT&CK T1105)
  • 1004294: Identified Microsoft Windows Shortcut File via WebDav
  • 1005269: Identified Download of DLL File via WebDav (ATT&CK T1574.002)
  • 1006014: Identified Microsoft BAT and CMD Files via WebDav
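The rules above describe two detection ideas: restricted file types (shortcut, DLL, BAT/CMD) being fetched over WebDAV, and an Internet Shortcut (.url) file that points at another shortcut on a remote SMB or WebDAV share, which is the chain CVE-2024-21412 uses to sidestep SmartScreen's Mark-of-the-Web check. The following Python sketch is an added example, not Trend Micro's rule logic or any code from the DarkGate campaign. The log format, the client IPs, the hostnames and the .url bodies are constructed; the Windows WebDAV Mini-Redirector User-Agent prefix is real, but treating any request with a WebDAV method or that User-Agent as a WebDAV session is a simplifying assumption.

```python
"""Detection sketches for the WebDAV and Internet Shortcut rules listed above.
Added example (not Trend Micro code). Log lines and .url bodies are constructed."""
import posixpath
import re
from configparser import ConfigParser
from urllib.parse import urlsplit

# File types the IPS rules single out when fetched over WebDAV (shortcut, DLL,
# BAT/CMD) plus .url, the Internet Shortcut format CVE-2024-21412 abuses.
RESTRICTED_EXT = {".url", ".lnk", ".dll", ".bat", ".cmd"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "OPTIONS"}
# User-Agent prefix sent by the Windows WebDAV Mini-Redirector (assumption: prefix match suffices).
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"

# Constructed log format: client method path status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines (RFC 1918 client addresses, hypothetical paths).
LOG_LINES = [
    '10.0.0.5 OPTIONS /share/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.5 PROPFIND /share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.5 GET /share/update.url 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.5 GET /share/run.cmd 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.5 GET /share/readme.txt 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '10.0.0.9 GET /downloads/tool.dll 200 "Mozilla/5.0"',  # browser download, not WebDAV
    '10.0.0.5 GET /share/missing.lnk 404 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

# Constructed .url bodies: a remote shortcut chain (203.0.113.10 is a documentation
# address) and an ordinary web shortcut.
MALICIOUS_URL_FILE = "[InternetShortcut]\nURL=file://203.0.113.10@80/DavWWWRoot/share/update.url\n"
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/\n"


def parse_line(line):
    """Split one constructed log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, path, status, ua = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status), "ua": ua}


def detect_webdav_downloads(lines):
    """Return one alert per successful GET of a restricted file type by a WebDAV client.

    A client counts as a WebDAV client once it has issued a WebDAV method or presents
    the Mini-Redirector User-Agent. Failed fetches (non-2xx) and non-WebDAV browser
    downloads are not flagged here; the broader rule 1011119 would cover the latter.
    """
    webdav_clients = set()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] in WEBDAV_METHODS or rec["ua"].startswith(WEBDAV_UA):
            webdav_clients.add(rec["client"])
        if rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        ext = posixpath.splitext(urlsplit(rec["path"]).path)[1].lower()
        if ext in RESTRICTED_EXT and rec["client"] in webdav_clients:
            alerts.append({"client": rec["client"], "path": rec["path"], "ext": ext})
    return alerts


def internet_shortcut_target(url_file_text):
    """Parse the INI-style .url body and return its URL= value, or None if absent."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(url_file_text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_remote_shortcut_chain(url_file_text):
    """True when a .url points at another shortcut (.url/.lnk) on a remote SMB or WebDAV share.

    Remote means a UNC path (\\\\host\\share\\... , including the host@80 / host@SSL@443
    WebDAV forms) or a file:// URL with a non-empty host; file:///C:/... stays local.
    """
    target = internet_shortcut_target(url_file_text)
    if not target:
        return False
    parts = urlsplit(target.strip().replace("\\", "/"))
    remote = parts.scheme in ("", "file") and bool(parts.netloc)
    ext = posixpath.splitext(parts.path)[1].lower()
    return remote and ext in {".url", ".lnk"}


if __name__ == "__main__":
    for alert in detect_webdav_downloads(LOG_LINES):
        print("WebDAV restricted download:", alert)
    print("shortcut chain in constructed .url:", is_remote_shortcut_chain(MALICIOUS_URL_FILE))
```

Run stand-alone, the script flags the .url and .cmd fetches from the WebDAV client and reports the constructed .url body as a remote shortcut chain; the browser DLL download and the 404 are left alone, which is the kind of gap a second, broader rule such as 1011119 is meant to close.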

Indicators of Compromise (IOC)

Download the IOC list here.
