
Copy2Pwn Zero-Day Exploited to Bypass Windows Protections

ZDI details a zero-day named Copy2Pwn and tracked as CVE-2024-38213, which cybercriminals exploited to bypass MotW protections in Windows.


Trend Micro’s Zero Day Initiative (ZDI) has detailed a recently patched zero-day vulnerability that cybercriminals have exploited to bypass Windows protections. 

The flaw, tracked as CVE-2024-38213 and named Copy2Pwn by ZDI, was fixed by Microsoft in June 2024, but it was only disclosed when the tech giant released the August 2024 Patch Tuesday updates. It was one of six zero-days disclosed with that round of updates. 

ZDI’s threat hunting team discovered CVE-2024-38213 while analyzing attacks that were part of the DarkGate campaign run by the threat group tracked as Water Hydra (also known as DarkCasino). 

This threat actor had previously exploited a zero-day tracked as CVE-2024-21412 to bypass Windows protections in attacks aimed at financial market traders. 

According to Microsoft, the newly patched vulnerability, CVE-2024-38213, can be exploited to bypass Defender SmartScreen, which protects Windows users against phishing, malware and other potentially malicious files downloaded from the internet. 

The Copy2Pwn flaw is related to how files coming from WebDAV shares are handled during copy/paste operations. 


WebDAV, which stands for Web-based Distributed Authoring and Versioning, extends HTTP functionality, including with authoring, sharing and versioning. Users can host files on WebDAV shares that are accessible through a web browser or through Windows Explorer.

When a Windows user downloads a file from the web, that file gets assigned the Mark-of-the-Web (MotW), a tag stored in an NTFS alternate data stream named Zone.Identifier. The tag triggers additional security checks before the file is opened, including Defender SmartScreen and Office Protected View. 

Cybercriminals noticed that files copied and pasted from WebDAV shares did not get the MotW. 

“This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View. In particular, this means that there would be no reputation or signature checks on executables,” ZDI explained.
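As an added example (not code from ZDI or this article), the following PowerShell reads the Zone.Identifier stream that carries the MotW, lists files in a folder that lack it, and shows how a file can be tagged by hand. The folder paths, file names and the extension list are assumptions for illustration.

```powershell
# Added example, not from ZDI or the article. Windows stores the Mark-of-the-Web
# in the NTFS alternate data stream "Zone.Identifier". ZoneId values: 0 local
# machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted. Paths are assumptions.

function Get-MotW {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream returns nothing when the stream does not exist on the file.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null; HostUrl = $null }
    }

    # The stream is INI-style text, for example:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   HostUrl=https://example.invalid/tool.exe
    $lines  = Get-Content -LiteralPath $Path -Stream Zone.Identifier
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        Path    = $Path
        HasMotW = $true
        ZoneId  = $(if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null })
        HostUrl = $fields['HostUrl']
    }
}

function Find-FilesWithoutMotW {
    param(
        [Parameter(Mandatory)][string]$Folder,
        # Types that SmartScreen or Protected View would normally gate (assumed list).
        [string[]]$Extensions = @('.exe', '.dll', '.msi', '.js', '.vbs', '.hta', '.lnk', '.docm', '.xlsm')
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-MotW -Path $_.FullName } |
        Where-Object { -not $_.HasMotW }
}

# Usage (illustrative paths):
#   Find-FilesWithoutMotW -Folder "$env:USERPROFILE\Desktop" | Format-Table Path
#
# Tag a file as Internet-sourced by hand (ZoneId 3), which is what a patched
# WebDAV copy/paste should do on its own; Unblock-File removes the tag again:
#   Set-Content -LiteralPath "$env:USERPROFILE\Desktop\tool.exe" -Stream Zone.Identifier `
#       -Value "[ZoneTransfer]`r`nZoneId=3"
```

A file without Zone.Identifier is not proof that it arrived via the WebDAV copy/paste path: locally created files never carry the tag, and the stream is lost when a file is moved to a FAT or exFAT volume. The audit is a starting point for a responder; confirming the fix means copying a file from a WebDAV share through Explorer on a patched host and checking that Get-MotW reports ZoneId 3.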

Related: Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw

Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

Related: APT Exploits Windows Zero-Day to Execute Code via Disabled Internet Explorer


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
