CVE-2024-21412 — Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability

Windows Internet Shortcut (.url) — Zero-Day MotW Bypass Chains with SmartScreen Bypasses; Water Hydra APT Delivered DarkMe RAT

What are Windows Internet Shortcut Files?

Windows Internet Shortcut files (.url extension) are a special type of shortcut file that stores a URL rather than a file path. When opened, Windows passes the URL to the default browser or the appropriate protocol handler. Internet shortcut files are a common phishing delivery mechanism because they can trigger network requests, invoke protocol handlers, and be disguised with document-type icons. When downloaded from the internet, .url files should receive a Mark of the Web (MotW) NTFS alternate data stream tag that causes Windows SmartScreen to warn before the shortcut's target is opened. CVE-2024-21412 exploits a gap in how MotW is applied to shortcut targets.

Overview

CVE-2024-21412 is a zero-day security feature bypass vulnerability in Windows internet shortcut file handling that allows an attacker to craft a .url shortcut whose target does not receive the Mark of the Web tag, bypassing SmartScreen protection when the target is opened. Trend Micro ZDI discovered Water Hydra (DarkCasino) exploiting it in the wild in January 2024; Microsoft patched it in February 2024 Patch Tuesday with same-day CISA KEV addition. Multiple subsequent SmartScreen bypasses (CVE-2024-21351, CVE-2024-29988) were needed to close related gaps as attackers continued to chain shortcut-based bypasses.

Affected Versions

OS                                   Status
Windows 10 (all supported versions)  Patched, February 2024 Patch Tuesday
Windows 11 (all supported versions)  Patched, February 2024 Patch Tuesday
Windows Server 2016 and later        Patched, February 2024 Patch Tuesday

Technical Details

CWE-693 (Protection Mechanism Failure). Windows applies the Mark of the Web alternate data stream to files downloaded from the internet, marking them as internet-origin so that SmartScreen can enforce reputation checks before execution. For internet shortcut files, Windows must also apply MotW to the target of the shortcut — not just the .url file itself — to protect against execution of internet-sourced content through the shortcut.

CVE-2024-21412 exploits a specific shortcut-within-shortcut nesting technique: a .url file on a WebDAV share or UNC path references a second shortcut. When Windows follows the shortcut chain, the MotW propagation logic fails to apply the internet-zone tag to the final target, causing SmartScreen to treat it as a local or trusted file and skip the reputation check. The attacker's payload (typically a malicious executable) executes without any SmartScreen warning.

Water Hydra's complete chain:

  1. Phishing link → victim downloads .url shortcut
  2. .url references a nested shortcut on attacker WebDAV → MotW not propagated via CVE-2024-21412
  3. Nested shortcut links to DarkMe RAT executable → executes without SmartScreen warning
  4. DarkMe RAT establishes persistent backdoor for financial credential theft

Discovery

Discovered by Trend Micro's Zero Day Initiative (ZDI) researchers who observed Water Hydra exploiting the technique in campaigns targeting forex trading communities in January 2024. Trend Micro reported to Microsoft on January 17, 2024 — 27 days before the patch — and published their analysis simultaneously with the patch release.

Exploitation Context

CVE-2024-21412 anchored a sustained SmartScreen bypass campaign by Water Hydra that spanned several months and multiple patching cycles. After this vulnerability was patched, Water Hydra adopted CVE-2024-21351 (February) and later CVE-2024-29988 (April) to continue their bypass chain — demonstrating the attackers' sustained investment in MotW/SmartScreen evasion as a delivery mechanism for financial targeting.

The "Known Ransomware Use: Yes" designation in the Key Details below reflects that shortcut-based MotW bypass techniques (the class to which CVE-2024-21412 belongs) have been adopted by ransomware delivery operations beyond Water Hydra.

Remediation

  1. Apply the February 2024 Windows security updates (Patch Tuesday, February 13, 2024).
  2. Also apply the April 2024 update for CVE-2024-29988 to close related bypass gaps.
  3. Block .url and .lnk shortcut files at email gateways and web proxies — users should not receive internet shortcut files from external sources.
  4. Enable ASR rule "Block Win32 API calls from Office macro" and related rules that reduce macro-based bypass vectors.
  5. Consider Group Policy to restrict the protocol handlers that .url files can invoke, limiting them to https:// and blocking file://, UNC, and WebDAV-based shortcuts.
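As an added triage example (not from the original page and not Trend Micro's or Microsoft's code), the script below parses the .url INI format, applies the shortcut policy from the remediation list (https:// targets only; file://, UNC and WebDAV paths blocked, with a nested .url/.lnk target flagged as the shortcut-within-shortcut pattern described under Technical Details), and decodes a Zone.Identifier stream to show what the Mark of the Web actually carries. The sample files, hostnames and stream contents are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url files (illustrative, not campaign artifacts).
# A .url file is an INI file with an [InternetShortcut] section and a URL= key.
SAMPLE_URL_FILES = {
    "report.url": "[InternetShortcut]\r\nURL=https://example.invalid/report\r\n",
    "invoice.url": "[InternetShortcut]\r\nURL=file://example.invalid/share/invoice.url\r\n",
    "update.url": "[InternetShortcut]\r\nURL=\\\\example.invalid\\share\\update.exe\r\n",
}
# Constructed Mark of the Web: the Zone.Identifier alternate data stream; ZoneId=3 is Internet.
SAMPLE_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/report.url\r\n"

ALLOWED_SCHEMES = {"https"}  # policy from the remediation list: https:// only


def _ini(text):
    """Parse INI-style text (.url and Zone.Identifier both use CRLF INI syntax)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text.replace("\r\n", "\n"))
    return parser


def shortcut_target(contents):
    """Return the URL= target of a .url file, or None if it is missing."""
    return _ini(contents).get("InternetShortcut", "URL", fallback=None)


def classify_target(target):
    """Return (verdict, reason). Windows reaches WebDAV shares through UNC-style paths,
    so the UNC check covers the WebDAV hosting seen in the Water Hydra chain."""
    if target is None:
        return ("block", "no URL= target")
    if target.startswith("\\\\") or target.startswith("//"):
        return ("block", "UNC/WebDAV path")
    scheme = urlparse(target).scheme.lower()
    if scheme == "file":
        return ("block", "file:// target")
    if target.lower().endswith((".url", ".lnk")):
        return ("block", "nested shortcut target")  # shortcut-within-shortcut pattern
    if scheme not in ALLOWED_SCHEMES:
        return ("block", f"scheme {scheme or '(none)'} not allowed")
    return ("allow", "https target")


def motw_zone(zone_identifier):
    """Return the ZoneId from a Zone.Identifier stream as an int, or None if absent."""
    zone = _ini(zone_identifier).get("ZoneTransfer", "ZoneId", fallback=None)
    return int(zone) if zone is not None and zone.isdigit() else None


def triage(files):
    """Classify each shortcut by name; returns {name: (verdict, reason)}."""
    return {name: classify_target(shortcut_target(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_URL_FILES).items():
        print(f"{name}: {verdict} ({reason})")
    print("MotW ZoneId:", motw_zone(SAMPLE_MOTW))
```

On a Windows host the Zone.Identifier stream is read from `<file>:Zone.Identifier`; the parser above only inspects its contents, which is the part that is portable.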

Key Details

Property              Value
CVE ID                CVE-2024-21412
Vendor / Product      Microsoft — Windows
NVD Published         2024-02-13
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Severity              HIGH
CWE                   CWE-693
CISA KEV Added        2024-02-13
CISA KEV Deadline     2024-03-05
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-03-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-01-17   Trend Micro ZDI discovers Water Hydra exploiting CVE-2024-21412 in the wild
2024-02-13   Microsoft releases February 2024 Patch Tuesday patching CVE-2024-21412 as a zero-day; CISA adds it to KEV the same day
2024-03-05   CISA BOD 22-01 remediation deadline