Microsoft Patches Two Zero-Days for Malware Delivery
11-Apr-2024

The largest batch of Patch Tuesday updates released by Microsoft since at least 2017 addresses two zero-day vulnerabilities that have been exploited to deliver malware.

Microsoft’s Patch Tuesday updates for April 2024 fix roughly 150 vulnerabilities, including two Windows flaws that appear to have been exploited in the wild.

One of them is CVE-2024-26234, which Microsoft has described as an important-severity proxy driver spoofing vulnerability.

Sophos, which reported the issue to Microsoft back in December 2023, became aware of malicious attacks after receiving a report for an alleged false positive detection on an executable file signed with a valid Windows Hardware Compatibility Program (WHCP) certificate.

Further analysis revealed that it was in fact a malicious backdoor file apparently associated with an Android screen mirroring application named LaiXi. The app is described as marketing software that can be used to “connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting to grow your audience”.

Sophos’ investigation showed that the malicious file embeds a very small freeware proxy server that researchers believe is used to monitor and intercept network traffic on infected systems.

The certificate used to sign the file analyzed by Sophos was requested by a company named Hainan YouHu Technology Co. Ltd, which is listed as the developer of LaiXi.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Sophos explained.

It added, “However, we will note that given the links between LaiXi and the malicious backdoor we investigated […] users should exercise extreme caution when it comes to downloading, installing, and using LaiXi.”

Cybersecurity firm Stairwell published its own analysis of the LaiXi application and the malicious files back in January.

Microsoft addressed the issue with the latest Patch Tuesday updates by adding the relevant files to its driver revocation list.

While Microsoft’s advisory does confirm CVE-2024-26234 as being exploited in the wild, the tech giant’s advisory for the second vulnerability that appears to have been exploited, CVE-2024-29988, does not mention anything about malicious exploitation.

According to Trend Micro’s Zero Day Initiative, CVE-2024-29988 is a SmartScreen prompt security feature bypass that has been observed as being exploited in the wild.

CVE-2024-29988 can be used to bypass the Mark of the Web (MotW) security feature. ZDI’s Peter Girnus, who has been credited by Microsoft for reporting the vulnerability, said the flaw was found during research into a campaign conducted by the threat group Water Hydra (DarkCasino).
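Two properties recur in this article: the Sophos sample carried a valid WHCP signature, and the ZDI flaw defeats the Mark of the Web that normally triggers the SmartScreen prompt. The PowerShell snippet below is an added example for checking both on a file an analyst has in hand; it is not code from Microsoft, Sophos or ZDI. The `Test-DownloadedFile` name and the `$Path` parameter are assumptions of this example, and it reports only what Windows already records (the Authenticode signature and the `Zone.Identifier` alternate data stream), so it cannot by itself say whether a file is malicious.

```powershell
# Added example (not from the article): report the Authenticode signature
# and Mark of the Web (Zone.Identifier stream) of a file under review.
function Test-DownloadedFile {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumed: path to the file being examined
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # 1. Authenticode signature. A 'Valid' status only proves the signer held
    #    the key; the file Sophos analysed was validly WHCP-signed and still
    #    malicious, so record the signer and triage it, do not trust it blindly.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # 2. Mark of the Web. Browsers write a Zone.Identifier stream with
    #    ZoneId=3 (Internet) on downloads; SmartScreen keys its prompt off it.
    #    A download that lacks the stream will not be prompted on.
    $zoneId = $null
    $hostUrl = $null
    $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $zone) {
        if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }

    [pscustomobject]@{
        File        = $file.FullName
        SigStatus   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject      # $null when unsigned
        Issuer      = $sig.SignerCertificate.Issuer
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        HasMotW     = [bool]$zone
        ZoneId      = $zoneId                             # 3 = Internet, 4 = Restricted
        HostUrl     = $hostUrl                            # origin URL when the browser recorded it
    }
}

# Usage (path is a placeholder for the analyst's own sample):
# Test-DownloadedFile -Path 'C:\Samples\suspect.exe' | Format-List
```

Run it from an elevated or ordinary session on the Windows host holding the sample; a result of `SigStatus = Valid` together with `HasMotW = $false` on something the user just downloaded is exactly the combination that both stories describe, and is worth a closer look rather than a pass.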

The Water Hydra attacks involved exploitation of CVE-2024-21412, which is similar to CVE-2024-29988. CVE-2024-21412 had been leveraged to bypass Microsoft Defender SmartScreen and deliver a piece of malware named DarkMe to financial market traders.