CVE-2024-21351 — Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2024-21351

Windows SmartScreen — Zero-Day Code Injection Bypasses SmartScreen Warning; Water Hydra APT February 2024 Campaign

What is Windows SmartScreen?

Windows SmartScreen is a cloud-based reputation and phishing protection service built into Windows. When a user attempts to run a downloaded executable or script, SmartScreen checks the file against Microsoft's reputation database and, if the file is unfamiliar or suspicious, displays a warning asking the user to confirm before execution. SmartScreen relies on the Mark of the Web (MotW) zone marker to decide which internet-sourced files it needs to check. Bypassing SmartScreen removes this warning, allowing malicious files to execute without any security prompt, which dramatically increases the effectiveness of phishing-delivered malware.

Overview

CVE-2024-21351 is a zero-day SmartScreen bypass vulnerability that allows an attacker to inject code into SmartScreen's execution context, bypassing the user-visible warning and enabling potential code execution. Microsoft and CISA disclosed it simultaneously as a zero-day on February 13, 2024, confirming active exploitation. It was used by the Water Hydra APT (DarkCasino) in February 2024 campaigns targeting financial traders, chained with CVE-2024-21412 (internet shortcut MotW bypass) to create a complete silent execution chain delivering the DarkMe remote access trojan.

Affected Versions

OS: Status
Windows 10 (all supported versions): Patched, February 2024 Patch Tuesday
Windows 11 (all supported versions): Patched, February 2024 Patch Tuesday
Windows Server 2016 and later: Patched, February 2024 Patch Tuesday

Technical Details

CWE-94 (Code Injection). The SmartScreen component, when evaluating a file for safety, processes file content in a way that allows an attacker to inject code into SmartScreen's evaluation process. The injected code executes in SmartScreen's context and can suppress the warning dialog — causing SmartScreen to report the file as safe and allow execution without user confirmation.

The chain used by Water Hydra:

  1. CVE-2024-21412 — Craft a .url internet shortcut that bypasses MotW propagation when the shortcut references a network share. The linked file does not inherit the internet zone MotW tag.
  2. CVE-2024-21351 — When SmartScreen evaluates the linked file, inject code to bypass the warning prompt.
  3. DarkMe RAT executes silently on the victim's system.

The CVSS vector rates Confidentiality and Availability as Low and Integrity as High. This reflects that the primary impact of the bypass is integrity (arbitrary code execution through the suppressed warning) rather than direct data access or a system crash, though the secondary post-exploitation consequences are much broader.
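A defender-side triage script for the lure format the chain above depends on: an internet shortcut whose target is a remote network share, so that the file it launches never receives the internet-zone MotW. This is an added example, not code from the advisory or from Trend Micro; it assumes PowerShell 5.1 or later on Windows, and the folder to scan is an assumed default.

```powershell
# Added example: flag .url shortcuts that point at a remote share (UNC or
# file://host/...) instead of a local file or web page, and report whether the
# shortcut itself still carries the Mark of the Web (Zone.Identifier stream).
function Get-UrlShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    # .url files are INI-style: a [InternetShortcut] section containing URL=...
    $line = Get-Content -LiteralPath $Path -ErrorAction Stop |
        Where-Object { $_ -match '^\s*URL\s*=' } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -replace '^\s*URL\s*=\s*', '').Trim()
}

function Test-RemoteShareTarget {
    param([string]$Target)
    if (-not $Target) { return $false }
    # \\host\share\... and file://host/share/... both resolve over SMB/WebDAV to a
    # remote share; file:///C:/... has an empty host and is not matched.
    return ($Target -match '^\\\\[^\\]+\\') -or ($Target -match '^file://[^/]+/')
}

function Find-SuspiciousUrlShortcut {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed default
    Get-ChildItem -LiteralPath $Folder -Filter *.url -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = Get-UrlShortcutTarget -Path $_.FullName
            # A Zone.Identifier alternate data stream is the MotW on the shortcut
            $hasMotw = [bool](Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File         = $_.FullName
                Target       = $target
                RemoteShare  = Test-RemoteShareTarget -Target $target
                ShortcutMotW = $hasMotw
            }
        } | Where-Object { $_.RemoteShare }
}

Find-SuspiciousUrlShortcut | Format-Table -AutoSize
```

Any hit is worth a closer look: a downloaded shortcut carrying MotW whose target lives on a remote share is exactly the layout a patched SmartScreen is expected to warn on.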

Discovery

Discovered through Water Hydra campaign analysis by Trend Micro ZDI researchers who observed the SmartScreen bypass being used in targeted attacks against financial traders in January–February 2024. The same-day Microsoft Patch Tuesday + CISA KEV addition confirms zero-day status.

Exploitation Context

Water Hydra (DarkCasino) targets forex and cryptocurrency traders with phishing lures distributed on trading communities, financial forums, and via direct outreach. The use of two chained SmartScreen/MotW bypasses (CVE-2024-21412 + CVE-2024-21351) reflects sophisticated, pre-researched capability; the attackers likely tested their chain against fully-patched Windows versions before deploying it. The target population (traders with financial account access) makes each successful infection high-value for credential theft and financial fraud.

Remediation

  1. Apply the February 2024 Windows security updates (Patch Tuesday, February 13, 2024).
  2. Enable and enforce Windows Defender SmartScreen in the most restrictive mode available via Group Policy.
  3. Deploy Attack Surface Reduction (ASR) rules to block executable content from email and web downloads.
  4. Consider application allowlisting (Windows Defender Application Control) to prevent execution of unsigned or unknown binaries regardless of SmartScreen state.
  5. Train users to recognize that legitimate software does not require bypassing SmartScreen or overriding security warnings.
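An audit-and-enforce script for remediation steps 2 and 3, added here as an example rather than taken from the advisory. It assumes an elevated PowerShell 5.1 or later session on a host managed by Microsoft Defender; the registry values are those written by the "Configure Windows Defender SmartScreen" Group Policy setting, and the ASR rule GUID is the published one for "Block executable content from email client and webmail".

```powershell
# Added example: report whether SmartScreen is enforced by policy in Block mode and
# whether the email/webmail ASR rule is active; pass -Enforce to apply both.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$AsrEmailRule = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email client and webmail

function Get-SmartScreenPolicyState {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSmartScreen     = $p.EnableSmartScreen       # 1 = enabled by policy
        ShellSmartScreenLevel = $p.ShellSmartScreenLevel   # 'Warn' or 'Block'
        # Only 'Block' removes the user's ability to click through the warning
        Enforced = ($p.EnableSmartScreen -eq 1 -and $p.ShellSmartScreenLevel -eq 'Block')
    }
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $i    = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($i -lt 0) { return 'NotConfigured' }
    # Defender action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
    }
}

function Invoke-SmartScreenHardening {
    param([switch]$Enforce)
    $state = Get-SmartScreenPolicyState
    $asr   = Get-AsrRuleState -RuleId $AsrEmailRule
    "SmartScreen enforced in Block mode: $($state.Enforced); ASR email/webmail rule: $asr"
    if (-not $Enforce) { return }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name EnableSmartScreen -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name ShellSmartScreenLevel -PropertyType String -Value 'Block' -Force | Out-Null
    # Add-MpPreference appends the rule without clobbering rules already configured
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrEmailRule -AttackSurfaceReductionRules_Actions Enabled
}

Invoke-SmartScreenHardening    # report only; run with -Enforce to apply
```

On domain-joined machines prefer setting the same values through Group Policy so they are not reverted at the next policy refresh.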

Key Details

Property: Value
CVE ID: CVE-2024-21351
Vendor / Product: Microsoft, Windows
NVD Published: 2024-02-13
NVD Last Modified: 2025-10-28
CVSS 3.1 Score: 7.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Severity: HIGH
CWE: CWE-94 (Code Injection)
CISA KEV Added: 2024-02-13
CISA KEV Deadline: 2024-03-05
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2024-03-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date: Event
2024-02-13: Microsoft releases the February 2024 Patch Tuesday update patching CVE-2024-21351 as a zero-day; CISA adds it to the KEV catalog the same day
2024-03-05: CISA BOD 22-01 remediation deadline