New Windows SmartScreen bypass exploited as zero-day since March

Today, Microsoft revealed that a Mark of the Web security bypass vulnerability exploited by attackers as a zero-day to bypass SmartScreen protection was patched during the June 2024 Patch Tuesday.

SmartScreen is a security feature introduced with Windows 8 that protects users against potentially malicious software when opening downloaded files tagged with a Mark of the Web (MotW) label.

While the vulnerability (tracked as CVE-2024-38213) can be exploited remotely by unauthenticated threat actors in low-complexity attacks, it requires user interaction, making successful exploitation harder to achieve.

“An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it,” Redmond explains in a security advisory published on Tuesday.

Despite the increased difficulty in exploiting it, Trend Micro security researcher Peter Girnus discovered that the vulnerability was being exploited in the wild in March. Girnus reported the attacks to Microsoft, which patched the flaw during the June 2024 Patch Tuesday. However, the company forgot to include the advisory with that month’s security updates (or with July’s).

“In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations,” ZDI’s Head of Threat Awareness Dustin Childs told BleepingComputer today.

“This DarkGate campaign was an update from a previous campaign in which the DarkGate operators were exploiting a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year.”

Windows SmartScreen abused in malware attacks

In the March attacks, DarkGate malware operators exploited this Windows SmartScreen bypass (CVE-2024-21412) to deploy malicious payloads camouflaged as installers for Apple iTunes, Notion, NVIDIA, and other legitimate software.

While investigating the March campaign, Trend Micro’s researchers also looked into SmartScreen abuse in attacks and how files from WebDAV shares were handled during copy-and-paste operations.

“As a result, we discovered and reported CVE-2024-38213 to Microsoft, which they patched in June. This exploit, which we’ve named copy2pwn, results in a file from a WebDAV being copied locally without Mark-of-the-Web protections,” Childs added.
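The Mark of the Web described above is an NTFS alternate data stream named Zone.Identifier that holds an INI-style [ZoneTransfer] section; a file copied without it (the copy2pwn outcome) has no stream at all. As an added defender-side example, not code from the article, Trend Micro or Microsoft, the following Python parses that stream and audits a folder for files that carry no MotW; the function names and the sample stream content are constructed here.

```python
import os
from typing import Dict, Optional


def parse_zone_identifier(content: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in content.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def motw_zone(content: Optional[str]) -> Optional[int]:
    """ZoneId declared by the stream, or None when the file has no usable MotW."""
    if content is None:
        return None
    try:
        return int(parse_zone_identifier(content).get("ZoneId", ""))
    except ValueError:
        return None


def triggers_smartscreen(content: Optional[str]) -> bool:
    """SmartScreen's reputation check applies to Internet (3) and Restricted (4) zone files."""
    zone = motw_zone(content)
    return zone is not None and zone >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream (NTFS on Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None  # stream absent: this file carries no Mark of the Web


def audit_directory(directory: str) -> Dict[str, Optional[int]]:
    """Map each file in a folder (e.g. Downloads) to its ZoneId; None means no MotW."""
    return {name: motw_zone(read_zone_identifier(os.path.join(directory, name)))
            for name in os.listdir(directory)
            if os.path.isfile(os.path.join(directory, name))}


# Constructed sample: what a browser typically writes for an Internet download.
SAMPLE_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://example.test/\r\nHostUrl=https://example.test/setup.exe\r\n")
```

On a Windows host, `audit_directory(r"C:\Users\<user>\Downloads")` lists every file whose value is None, which is exactly the state a copy-without-MotW bug leaves behind; on other platforms the stream read simply reports None for everything.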

CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability tracked as CVE-2023-36025, exploited as a zero-day to deploy Phemedrone malware and patched during the November 2023 Patch Tuesday.

Since the start of the year, the financially motivated Water Hydra (aka DarkCasino) hacking group has also exploited CVE-2024-21412, beginning with attacks on New Year’s Eve that targeted stock trading Telegram channels and forex trading forums with the DarkMe remote access trojan (RAT).

Childs also told BleepingComputer in April that the same cybercrime gang exploited CVE-2024-29988 (another SmartScreen flaw and a CVE-2024-21412 bypass) in February malware attacks.

Furthermore, as Elastic Security Labs discovered, a design flaw in Windows Smart App Control and SmartScreen enabling attackers to launch programs without triggering security warnings has also been exploited in attacks since at least 2018. Elastic Security Labs reported these findings to Microsoft and was told that this issue “may be fixed” in a future Windows update.
