CVE-2024-29988 — Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability

Windows SmartScreen — Zero-Day MotW Bypass Chained with CVE-2024-21412; Water Hydra APT Delivered DarkMe RAT

What is Windows SmartScreen?

Windows SmartScreen is a security feature that protects users from running unrecognized or potentially malicious files downloaded from the internet. When a file carries a Mark of the Web (MotW) — a hidden NTFS alternate data stream (Zone.Identifier) applied to files downloaded from the internet — Windows SmartScreen checks the file's reputation before allowing execution and shows a warning dialog to the user. SmartScreen is the primary defense against phishing-delivered malware for Windows users who execute downloaded files; bypassing it allows arbitrary files to execute without any security warning.

Overview

CVE-2024-29988 is a zero-day SmartScreen security feature bypass vulnerability that allows an attacker to bypass Mark of the Web (MotW) protections, enabling files to execute without SmartScreen warnings. It was exploited by the Water Hydra APT (also known as DarkCasino) as part of a chain targeting financial traders: CVE-2024-21412 (internet shortcut bypass, February 2024) → CVE-2024-29988 (SmartScreen prompt bypass, April 2024) to silently deliver the DarkMe remote access trojan. The CISA KEV addition on April 30, 2024 confirms active exploitation.

Affected Versions

OS                                   Status
Windows 10 (all supported versions)  Patched, April 2024 Patch Tuesday
Windows 11 (all supported versions)  Patched, April 2024 Patch Tuesday
Windows Server 2016 and later        Patched, April 2024 Patch Tuesday

Technical Details

CWE-693 (Protection Mechanism Failure). SmartScreen's enforcement of MotW depends on properly reading the Zone.Identifier alternate data stream that marks a file as internet-origin. CVE-2024-29988 exploits a gap in how SmartScreen handles files opened in certain contexts — when a file is opened with specific command-line arguments or through certain shell mechanisms, the SmartScreen prompt is suppressed even though the MotW tag is present. An attacker chains this with CVE-2024-21412 (which bypasses MotW propagation to shortcut-delivered files) to create a complete silent execution chain.

The exploitation chain used by Water Hydra:

  1. CVE-2024-21412 — Deliver a .url internet shortcut file that bypasses MotW propagation, referencing a remotely hosted .zip
  2. Inside the .zip, embed a second shortcut or executable
  3. CVE-2024-29988 — When the victim executes the file, suppress the SmartScreen prompt through the bypass
  4. DarkMe RAT executes silently
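The chain above works because SmartScreen only acts on the Zone.Identifier stream, and the first stage delivers a .url shortcut whose target is a remote archive. The following PowerShell script is an added example, not part of this advisory or of any Microsoft tooling, that a defender can run over a download directory to surface both conditions: executable-type files with no MotW at all, and .url shortcuts whose target is not an ordinary http(s) link. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the directory path and the extension list are assumptions you can adjust.

```powershell
# Added example, not part of the advisory: audit Mark of the Web (Zone.Identifier) on downloaded files.
# Assumptions: Windows PowerShell 5.1 or later on an NTFS volume; $TargetDir is a placeholder path.
param(
    [string]$TargetDir = "$env:USERPROFILE\Downloads"
)

# File types worth reviewing when they carry no MotW at all (assumed list; extend as needed).
$reviewExtensions = @('.exe', '.dll', '.msi', '.js', '.vbs', '.ps1', '.url', '.lnk', '.zip')

function Get-MotWInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # Zone.Identifier is an NTFS alternate data stream; if it is absent, SmartScreen has nothing to act on.
    $stream = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ HasMotW = $false; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    }

    # The stream is INI-style text: [ZoneTransfer], ZoneId=3, optionally ReferrerUrl= and HostUrl=.
    $text = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -Raw
    $zoneId   = if ($text -match '(?m)^ZoneId=(\d+)')          { [int]$Matches[1] } else { $null }
    $hostUrl  = if ($text -match '(?m)^HostUrl=(.+?)\s*$')     { $Matches[1] }      else { $null }
    $referrer = if ($text -match '(?m)^ReferrerUrl=(.+?)\s*$') { $Matches[1] }      else { $null }

    [pscustomobject]@{ HasMotW = $true; ZoneId = $zoneId; HostUrl = $hostUrl; ReferrerUrl = $referrer }
}

function Get-UrlShortcutTarget {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # .url files are INI text; the URL= line under [InternetShortcut] is what the shell opens.
    $line = Get-Content -LiteralPath $File.FullName -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^URL=' } | Select-Object -First 1
    if ($line) { return ($line -replace '^URL=', '').Trim() }
    return $null
}

$report = foreach ($file in Get-ChildItem -LiteralPath $TargetDir -File -Recurse -ErrorAction SilentlyContinue) {
    $motw  = Get-MotWInfo -File $file
    $flags = @()

    # A downloaded executable-type file with no Zone.Identifier is exactly what a MotW bypass produces
    # (it can also be a file copied from local media, so this is a review queue, not a verdict).
    if (-not $motw.HasMotW -and $file.Extension -in $reviewExtensions) {
        $flags += 'NoMotW'
    }

    # Legitimate internet shortcuts point at http(s) URLs; the chain above uses a .url that
    # references a remotely hosted archive instead, so any non-http(s) target is worth a look.
    if ($file.Extension -eq '.url') {
        $target = Get-UrlShortcutTarget -File $file
        if ($target -and $target -notmatch '^https?://') { $flags += 'NonHttpShortcut' }
    }

    [pscustomobject]@{
        Path    = $file.FullName
        ZoneId  = $motw.ZoneId      # 3 = Internet, 4 = Restricted: the zones SmartScreen prompts for
        HostUrl = $motw.HostUrl
        Flags   = ($flags -join ',')
    }
}

# Flagged files first; the rest is listed for context.
$report | Sort-Object { $_.Flags -eq '' }, Path | Format-Table -AutoSize
```

Run it against a user's Downloads folder after a suspected lure has been opened: a .url with a non-http(s) target sitting next to an extracted archive whose executables carry no ZoneId is the footprint this chain leaves on disk, independent of whether the SmartScreen prompt was shown.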

Discovery

Discovered in the context of Water Hydra's campaign targeting forex trading communities and financial sector users. The chain was documented by Trend Micro ZDI researchers who tracked the campaign through January–February 2024. The April patch addressed a residual bypass that Water Hydra continued using after the February CVE-2024-21412 patch.

Exploitation Context

Water Hydra (DarkCasino) is a financially motivated threat actor targeting financial traders through high-quality lures distributed on trading forums, Telegram channels, and social media. Their campaigns specifically target forex traders with promises of trading signals or analysis tools, exploiting SmartScreen bypasses because financial traders routinely download and execute third-party trading software and scripts. The DarkMe RAT provides persistent access for credential theft and financial account takeover.

Remediation

  1. Apply the April 2024 Windows security updates (Patch Tuesday, April 9, 2024).
  2. Also verify the February 2024 Patch Tuesday update (for CVE-2024-21412) is applied — both vulnerabilities were used in the same chain.
  3. Enable Attack Surface Reduction (ASR) rules that block executable content from email and web downloads.
  4. Train users to treat any SmartScreen bypass as a serious red flag — legitimate software does not require disabling security warnings.
  5. Deploy application allowlisting (Windows Defender Application Control / AppLocker) to prevent execution of arbitrary downloaded binaries.
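Remediation step 3 names the Attack Surface Reduction rules but not how to enable and verify them. The script below is an added example, not Microsoft's own guidance or tooling: it turns on the two Defender ASR rules most relevant to this chain (executable content from email and webmail, and unknown downloaded executables) and then reads back what the endpoint actually reports, since a rule that is configured but left in Audit mode blocks nothing. It assumes Microsoft Defender Antivirus is the active engine and the session is elevated; the rule GUIDs are Microsoft's documented identifiers for those two rules.

```powershell
# Added example, not part of the advisory: enable the Defender ASR rules relevant to remediation step 3
# and verify their effective state. Assumes Microsoft Defender Antivirus is active and the shell is elevated.
param(
    # Start in AuditMode to see what would be blocked, then rerun with Enabled once the events are reviewed.
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode'
)

# Microsoft's documented rule IDs (not page-specific values); names are for the report only.
$rules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
}

foreach ($id in $rules.Keys) {
    # Add-MpPreference appends to the configured rule list without touching other rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleState {
    # Get-MpPreference exposes two parallel arrays: rule IDs and their numeric actions.
    $pref        = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids         = @($pref.AttackSurfaceReductionRules_Ids)
    $actions     = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($id in $rules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $id) {   # -eq is case-insensitive, so GUID casing does not matter
                $code  = [int]$actions[$i]
                $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
            }
        }
        [pscustomobject]@{ RuleId = $id; Name = $rules[$id]; State = $state }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
```

Anything other than Block in the State column means the rule is not yet enforcing; an endpoint where the rule reads Audit will still log the event (Microsoft-Windows-Windows Defender/Operational) but will let the download run, which is the gap this chain relies on.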

Key Details

Property              Value
CVE ID                CVE-2024-29988
Vendor / Product      Microsoft — SmartScreen Prompt
NVD Published         2024-04-09
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-693
CISA KEV Added        2024-04-30
CISA KEV Deadline     2024-05-21
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric              Value
Attack Vector       Network
Attack Complexity   Low
Privileges Required None
User Interaction    Required
Scope               Unchanged
Confidentiality     High
Integrity           High
Availability        High

Required Action

CISA BOD 22-01 Deadline: 2024-05-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-02-13  CVE-2024-21412 patched; Water Hydra campaign begins exploiting it alongside CVE-2023-38831
2024-04-09  Microsoft releases April 2024 Patch Tuesday, patching CVE-2024-29988, a further zero-day MotW bypass
2024-04-30  Added to CISA Known Exploited Vulnerabilities catalog
2024-05-21  CISA BOD 22-01 remediation deadline