A recently patched security vulnerability in Microsoft Defender’s SmartScreen has been exploited in a new campaign aimed at stealing sensitive information. The campaign has been linked to the distribution of the information stealers ACR Stealer, Lumma, and Meduza. Researchers from Fortinet FortiGuard Labs report that the attacks are occurring predominantly in Spain, Thailand, and the United States, and use malicious files to exploit the critical vulnerability tracked as CVE-2024-21412, which carries a CVSS score of 8.1.
The vulnerability enables malicious actors to bypass SmartScreen protection, facilitating the delivery of harmful payloads. Microsoft addressed this serious flaw in its February 2024 security updates. The exploitation process begins with attackers attempting to entice victims into clicking a malicious link that directs them to a tailored URL for downloading an LNK file. This LNK file subsequently launches an executable file that contains an HTML Application (HTA) script.
This HTA script plays a pivotal role in decoding and decrypting PowerShell code, which is responsible for retrieving a decoy PDF and a shellcode injector. The injector may ultimately lead to the activation of Meduza Stealer or Hijack Loader, which, in turn, can deploy ACR Stealer or Lumma. ACR Stealer, an advanced version of the GrMsk Stealer, was promoted by a threat actor known as SheldIO on the Russian-speaking underground forum RAMP in late March 2024.
Research indicates that ACR Stealer utilizes a dead drop resolver (DDR) technique on the Steam community website to conceal its command-and-control infrastructure. This stealer is adept at extracting data from web browsers, cryptocurrency wallets, messaging applications, FTP clients, email services, VPN solutions, and password managers. There are also reports of Lumma Stealer leveraging similar techniques, which enhances the adversaries’ ability to rapidly change their command-and-control domains, increasing the resilience of their operations.
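As an added illustration of how defenders can hunt for the dead drop resolver pattern described above (this is not code from Fortinet or any vendor named in the article): the sketch flags a process that is not an expected browser or Steam client fetching a page from the Steam community site and then, within a short window, contacting a domain never seen before. The log format, process names, domains, allow-list and 60-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy/EDR events: timestamp, host, process image, destination domain.
SAMPLE_EVENTS = """\
2024-07-20T10:00:01 WS-01 chrome.exe steamcommunity.com
2024-07-20T10:00:09 WS-01 chrome.exe store.example.net
2024-07-20T10:05:00 WS-02 steam.exe steamcommunity.com
2024-07-20T10:07:30 WS-03 updater.exe cdn.example.org
2024-07-20T10:12:00 WS-03 svc_helper.exe steamcommunity.com
2024-07-20T10:12:04 WS-03 svc_helper.exe c2-placeholder.example
2024-07-20T10:40:00 WS-03 svc_helper.exe cdn.example.org
"""

DEAD_DROP_HOSTS = {"steamcommunity.com"}  # the service the article names
# Assumption: processes normally expected to browse that site; tune per estate.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe"}
WINDOW = timedelta(seconds=60)  # assumption: the follow-on connection comes quickly


def parse(text):
    """Yield (time, host, process, domain) tuples from whitespace-separated lines."""
    for line in text.strip().splitlines():
        ts, host, proc, domain = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), domain.lower()


def find_dead_drop_candidates(text, baseline_domains=frozenset()):
    """Return alerts for (host, process) pairs that read a dead-drop page from
    an unexpected process and then reach a domain not seen before."""
    seen = set(baseline_domains) | DEAD_DROP_HOSTS
    pending = {}  # (host, process) -> time of the last dead-drop fetch
    alerts = []
    for ts, host, proc, domain in sorted(parse(text)):
        key = (host, proc)
        if domain in DEAD_DROP_HOSTS:
            if proc not in EXPECTED_CLIENTS:
                pending[key] = ts
        elif key in pending and ts - pending[key] <= WINDOW and domain not in seen:
            alerts.append({"host": host, "process": proc,
                           "resolver_time": pending.pop(key), "next_domain": domain})
        seen.add(domain)
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_candidates(SAMPLE_EVENTS):
        print(alert)
```

Seeding `baseline_domains` with the domains an environment already contacts keeps long-established destinations from alerting; because the resolver lets operators rotate domains quickly, the first-seen check matters more than any static blocklist.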
This disclosure aligns with a broader trend highlighted by CrowdStrike, which found that malicious actors are capitalizing on disruptions within cybersecurity systems to distribute a previously undocumented information stealer named Daolpu. The incident is one of many stemming from a faulty update that negatively impacted millions of Windows devices. In these attacks, cybercriminals deploy Microsoft Word documents embedded with macros that pose as genuine Microsoft recovery instructions.
When the malicious DOCM file is opened, it runs a macro that retrieves a further DLL file from a remote location. This DLL is designed to launch Daolpu, a stealer malware capable of harvesting credentials and cookies from various popular web browsers.
The emergence of new malware variants such as Braodo and DeerStealer accentuates the ongoing challenge posed by cybercriminals who are increasingly using malvertising techniques to promote legitimate software, including Microsoft Teams, as a vehicle for deploying threats like Atomic Stealer. According to Malwarebytes researcher Jérôme Segura, this environment creates significant risk for users, who must navigate a landscape rife with distracting malvertising and compromised websites.
In the context of the original attacks involving SmartScreen exploitation, relevant tactics from the MITRE ATT&CK framework include initial access, where attackers gained footholds via crafted links; command and control, where the malicious payload communicated with external servers; and the use of credential dumping techniques as the information stealers harvest sensitive data from compromised systems. Understanding these methodologies can aid business leaders in fortifying their cybersecurity defenses against such evolving threats.