A recently patched vulnerability in Microsoft Defender SmartScreen, identified as CVE-2024-21412, has been exploited by cybercriminals to distribute a range of information-stealing malware, including ACR Stealer, Lumma, and Meduza. This high-severity flaw, with a CVSS score of 8.1, allowed attackers to bypass SmartScreen protections and deliver malicious payloads onto targeted systems. Detected by Fortinet FortiGuard Labs, the campaign has primarily targeted users in Spain, Thailand, and the United States, leveraging the SmartScreen flaw to sidestep security measures.
The attack begins with phishing schemes designed to deceive victims into clicking on crafted links that lead to URL files. These links download malicious LNK files, which in turn execute HTML Application (HTA) scripts embedded in the files. The HTA scripts are used to decode and decrypt PowerShell code, which then fetches a decoy PDF and a shellcode injector. This series of actions ultimately deploys either Meduza Stealer or Hijack Loader, which then installs ACR Stealer or Lumma. These malware families are capable of exfiltrating sensitive data from a variety of applications, including web browsers, cryptocurrency wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
ACR Stealer, an advanced variant of the GrMsk Stealer, was publicly advertised in late March 2024 by the threat actor known as SheldIO on the Russian-language underground forum RAMP. This stealer employs a dead drop resolver (DDR) technique, utilizing the Steam community website to hide its command-and-control infrastructure. This technique makes it challenging for security defenses to detect and disrupt its operations. Lumma Stealer similarly employs flexible C2 domain changes to maintain resilience and evade detection, making it harder for defenders to track and mitigate its impact.
The exploitation of this vulnerability underscores a troubling trend in the cybersecurity landscape, where cybercriminals are increasingly adept at leveraging software vulnerabilities and employing sophisticated deceptive techniques. The campaign highlights how attackers are using various methods, including malvertising and SEO poisoning, to spread malware. This approach is evident in the rise of new stealer families like Braodo and DeerStealer, and the use of legitimate software promotions, such as Microsoft Teams, to deploy malware like Atomic Stealer.
Reference:
