Medium
In late December 2023, researchers detected a campaign by the Water Hydra group using similar tactics, techniques, and procedures (TTPs) involving internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV). Exploiting CVE-2024-21412, they bypassed Microsoft Defender SmartScreen to distribute DarkMe malware. Water Hydra launched spearphishing attacks on forex and stock trading forums via social engineering on Telegram channels. They posted messages offering trading advice or fake financial tools with links to trojanized stock charts hosted on compromised Russian trading sites. These links redirected to an HTML landing page containing a disguised JPEG link, which pointed to a WebDAV share.

DarkMe, a Visual Basic-based trojan, evolved from a downloader into a spyware-capable stub-type trojan that communicates through a public WinSock32 module, with multiple versions released since September 2021.

The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Trend Micro and shared publicly at https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
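The infection chain above hinges on internet shortcut (.URL) files whose targets sit on a WebDAV share. As an added example (not Trellix or Trend Micro code), the script below parses the INI-style .URL format and flags two indicators a defender can hunt for on disk or in mail attachments: a target expressed in Windows WebClient (WebDAV redirector) syntax and a shortcut whose target is itself another .URL. The sample shortcuts and the 203.0.113.10 address are constructed; the heuristics are the author's own, not a documented detection rule.

```python
"""Flag internet shortcut (.URL) files whose target lives on a WebDAV share."""
import configparser
import re
from typing import List

# Windows reaches WebDAV shares through the WebClient redirector, whose paths
# look like \\host@80\DavWWWRoot\... or \\host@SSL@443\...; file:// URLs with
# the same host@port form resolve the same way.
WEBDAV_TARGET = re.compile(r"^(?:file:)?(?:\\\\|//)[^\\/]+@(?:SSL@)?\d+[\\/]", re.I)
# A shortcut whose target is another .url file only exists to fetch that file.
NESTED_SHORTCUT = re.compile(r"\.url$", re.I)


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= value from an [InternetShortcut] section, or '' if missing."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return ""
    return parser.get("InternetShortcut", "URL", fallback="").strip()


def assess_shortcut(text: str) -> List[str]:
    """Return human-readable indicators found in one .URL file's content."""
    findings: List[str] = []
    target = parse_internet_shortcut(text)
    if not target:
        return findings
    if WEBDAV_TARGET.search(target):
        findings.append("target is a WebDAV share reached via the WebClient redirector")
    if NESTED_SHORTCUT.search(target):
        findings.append("target is itself an internet shortcut (nested .URL)")
    return findings


# Constructed samples: a benign bookmark and a shortcut that chains to a second
# .URL on a WebDAV share (203.0.113.10 is a documentation-only address).
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/charts\r\n"
SUSPECT = ("[InternetShortcut]\r\n"
           "URL=file://203.0.113.10@80/DavWWWRoot/chart.url\r\n"
           "IconIndex=0\r\n")

if __name__ == "__main__":
    for name, content in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, assess_shortcut(content) or ["no indicators"])
```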
Detection rate is the number of artifact detections reported by McAfee global sensors for this threat over 8 days.