A recently patched security vulnerability in Microsoft Defender SmartScreen has been exploited in a new campaign to distribute information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs detected this stealer campaign targeting Spain, Thailand, and the U.S. The attackers used booby-trapped files to exploit CVE-2024-21412 (CVSS score: 8.1). This high-severity flaw allowed attackers to bypass SmartScreen protection and deploy malicious payloads. Microsoft addressed the issue in its February 2024 security updates.
“Attackers lure victims by making them click a crafted link to a URL file, which then downloads an LNK file,” explained security researcher Cara Lin. “The LNK file fetches an executable file containing an HTML Application (HTA) script.”
The HTA file decodes and decrypts PowerShell code, fetching a decoy PDF file and a shellcode injector. This leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.
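The staged chain above (shortcut file, HTA stage, PowerShell fetching the next stage) is the kind of sequence a defender can correlate in endpoint process-creation telemetry. The following Python is an added example written for this page, not code from Fortinet or the article: it scores a PowerShell fetch higher when it is preceded within a short window by a .url/.lnk open and an HTA stage. The event fields, sample events, the assumption that the HTA runs under mshta.exe, the time window and the command-line patterns are all constructed assumptions; the article itself names none of them.

```python
"""Constructed example: correlate process-creation events into the staged
chain described above (.url shortcut -> HTA stage -> PowerShell fetch).
Event fields, sample values, regexes and thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    ts: float        # seconds since epoch (constructed values below)
    pid: int
    ppid: int
    image: str       # full path of the created process
    cmdline: str


# Stage 1: a .url or .lnk file being opened (rundll32 ieframe.dll,OpenURL is
# the stock shell handler for Internet Shortcut files).
SHORTCUT_RE = re.compile(r'\.(url|lnk)"?\s*$', re.IGNORECASE)
# Stage 3: PowerShell that pulls remote content or hides an encoded command.
PS_FETCH_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"\bstart-bitstransfer\b|-e(nc|ncodedcommand)?\s",
    re.IGNORECASE,
)


def stage_of(e: ProcEvent) -> Optional[str]:
    """Map one event to a chain stage, or None if it matches nothing."""
    name = e.image.rsplit("\\", 1)[-1].lower()
    if name in ("rundll32.exe", "explorer.exe") and SHORTCUT_RE.search(e.cmdline):
        return "shortcut_open"
    if name == "mshta.exe":                      # assumption: HTA hosted by mshta
        return "hta_stage"
    if name in ("powershell.exe", "pwsh.exe") and PS_FETCH_RE.search(e.cmdline):
        return "ps_fetch"
    return None


def find_chains(events: List[ProcEvent], window: float = 300.0) -> List[dict]:
    """One finding per PowerShell fetch preceded, within `window` seconds, by a
    shortcut open. An HTA stage in the window adds one point; a direct
    mshta -> powershell parent link adds another (max score 3)."""
    events = sorted(events, key=lambda e: e.ts)
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if stage_of(e) != "ps_fetch":
            continue
        earlier = [x for x in events if e.ts - window <= x.ts < e.ts]
        stages = {stage_of(x) for x in earlier} - {None}
        if "shortcut_open" not in stages:
            continue                             # no shortcut lead-in: ignore
        parent = by_pid.get(e.ppid)
        score = 1 + int("hta_stage" in stages)
        score += int(parent is not None and stage_of(parent) == "hta_stage")
        findings.append({
            "pid": e.pid,
            "score": score,
            "stages": sorted(stages | {"ps_fetch"}),
            "cmdline": e.cmdline,
        })
    return findings


# Constructed telemetry: one staged chain, one benign admin script, and one
# PowerShell download with no shortcut lead-in. Paths and the encoded blob are
# placeholders, not indicators from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001.0, 20, 4, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe ieframe.dll,OpenURL "C:\Users\alice\Downloads\offer.url"'),
    ProcEvent(1004.0, 21, 4, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
              r'"C:\Users\alice\AppData\Local\Temp\setup.exe"'),
    ProcEvent(1005.0, 22, 21, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"),
    ProcEvent(1006.0, 23, 22, PS, "powershell.exe -nop -w hidden -enc AAAAAAAA..."),
    ProcEvent(1500.0, 30, 4, PS, r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
    ProcEvent(3000.0, 31, 4, PS,
              "powershell.exe -Command Invoke-WebRequest https://example.invalid/report.csv"),
]


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"pid={f['pid']} score={f['score']} stages={f['stages']}")
```

On the constructed sample only the encoded PowerShell launched under mshta.exe is reported (score 3); the scheduled backup script never matches a fetch pattern, and the later Invoke-WebRequest has no shortcut open in its window. In production the window and patterns would be tuned against the environment's own baseline, and the shortcut stage should be enriched with mark-of-the-web or download-directory context to cut false positives.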
ACR Stealer, an evolved version of the GrMsk Stealer, was advertised in March 2024 by a threat actor named ShieldIO on the Russian-language forum RAMP. This stealer uses a dead drop resolver (DDR) technique on the Steam community website, enabling it to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
Lumma Stealer attacks have also used this technique, making it easier for adversaries to change C2 domains and enhance infrastructure resilience, as noted by the AhnLab Security Intelligence Center (ASEC).
In related news, CrowdStrike revealed that threat actors exploited last week’s outage to distribute a previously undocumented information stealer called Daolpu. This malware uses a macro-laced Microsoft Word document disguised as a Microsoft recovery manual to activate the infection process.
Additionally, new stealer malware families such as Braodo and DeerStealer have emerged, while cybercriminals are using malvertising that advertises legitimate software such as Microsoft Teams as a lure to deploy Atomic Stealer.
As cybercriminals intensify their distribution campaigns, downloading applications found through search-engine results is increasingly risky.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.