Cyberattackers have been exploiting a critical security-feature-bypass vulnerability in Microsoft Defender SmartScreen to run a stealer campaign against organizations whose Windows patching is out of date.

Description

The vulnerability is CVE-2024-21412 [1], a SmartScreen bypass with a severity score of 8.1 [3]. Microsoft patched it on February 13, 2024 [3], and exploitation has continued since mid-February [3].

Threat actors [1] [6], including the Water Hydra group [5] [7], are using specially crafted internet shortcut files to deliver malicious executables onto victims' systems without triggering SmartScreen warnings. Victims are lured into clicking crafted links to URL files; each URL file downloads an LNK file, which in turn downloads an executable containing an HTA script [1]. The HTA script decodes and decrypts PowerShell code that retrieves decoy PDF files [1] [8], shellcode injectors [1] [7] [8] and the final stealer payload, for example Meduza Stealer version 2.9 [7].

The campaigns deliver ACR Stealer [3], Lumma Stealer [1] [2] [3] [4] [5] [7] [8] and Meduza Stealer [1] [3] [7]. The injected stealers target a wide range of applications, including web browsers, crypto wallets [5] [6], messengers [5] [6] [8], email clients [6] [8], VPN services [6] [8], password managers [6] [8], AnyDesk [6] and MySQL Workbench [6]. ACR Stealer locates its command-and-control server through a dead drop resolver hosted on the Steam community website, and the stolen data is then sent to that server; Lumma Stealer attacks have used the same technique to make their infrastructure more resilient [4].

Organizations should keep Windows patching up to date and software vendors should promptly alert users to critical security patches to reduce the risk of infostealing attacks; users are advised not to open email attachments or links from untrusted sources.
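The first stage of the chain above is a Windows internet shortcut (.url) whose target is a .lnk on attacker-controlled infrastructure rather than an ordinary web page; public analyses of CVE-2024-21412 describe the bypass in exactly that shape, a shortcut whose target is another shortcut on a remote share. The following Python script is an added triage example written for this page (not code from any of the cited reports): it parses .url files and flags two properties, a target on a remote share (UNC path or file:// URL, including the host@80 form used for WebDAV over HTTP) and a target whose extension is itself another loader stage. The sample shortcuts, the 203.0.113.x documentation addresses, the extension list and the verdict names are all this example's own constructions.

```python
"""Triage Windows internet shortcut (.url) files for the delivery pattern described above.

A .url file is a small INI file; explorer.exe opens the URL= key of its
[InternetShortcut] section. Two properties of that target are flagged here:
it lives on a remote share, or its extension is another loader stage.
"""
import configparser
import os
from urllib.parse import urlparse

# Target extensions that hand execution to a further stage instead of opening a page
# (this list is an assumption of the example, extend it to taste).
STAGE_EXTENSIONS = {".url", ".lnk", ".hta", ".exe", ".js", ".vbs", ".cmd", ".bat", ".ps1"}


def parse_internet_shortcut(text):
    """Return the URL= target from the [InternetShortcut] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        # Real .url files are CRLF and sometimes carry a UTF-8 BOM; normalise both.
        parser.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            for key, value in parser.items(section):
                if key.lower() == "url":
                    return value.strip()
    return None


def is_remote_share(target):
    """True when the target is a UNC path or a file:// URL naming another host."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parts = urlparse(target)
    if parts.scheme.lower() == "file":
        # file://host/share/x, file://host@80/x (WebDAV over HTTP) or file:////host/share/x
        return bool(parts.netloc) or parts.path.startswith("//")
    return False


def triage_shortcut(text):
    """Classify one .url file's content: returns target, reasons and a verdict."""
    target = parse_internet_shortcut(text)
    if target is None:
        return {"target": None, "reasons": [], "verdict": "not-a-shortcut"}
    reasons = []
    if is_remote_share(target):
        reasons.append("remote-share-target")
    ext = os.path.splitext(urlparse(target).path)[1].lower()
    if ext in STAGE_EXTENSIONS:
        reasons.append("stage-file-target:" + ext)
    verdict = "suspicious" if reasons else "benign-looking"
    return {"target": target, "reasons": reasons, "verdict": verdict}


def scan_directory(root):
    """Yield (path, triage result) for every .url file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".url"):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    yield path, triage_shortcut(fh.read())


# Constructed sample shortcuts (not real campaign artefacts; 203.0.113.0/24 is a documentation range).
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n",
    "webdav_lnk": "[InternetShortcut]\r\nURL=file://203.0.113.10@80/share/invoice.lnk\r\nShowCommand=7\r\n",
    "unc_url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\report.url\r\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        result = triage_shortcut(content)
        print(f"{name:12s} {result['verdict']:15s} {result['target']}  {result['reasons']}")
```

Point scan_directory at a mail quarantine or a user's Downloads folder to get a first cut. Treat the output as triage rather than a block list: intranet shortcuts to UNC shares are legitimate in many environments, while an https:// target that ends in .lnk or .hta is flagged on extension alone, which is the cheaper signal when the remote share sits behind a web front end.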

Conclusion

Organizations must prioritize staying up to date on Windows patching, and software vendors must promptly alert users about critical security patches, to prevent infostealing attacks. The use of ACR Stealer, Lumma [1] [2] [3] [4] [5] [7] [8] and Meduza infostealers highlights the evolving tactics of cyberattackers and emphasizes the need for constant vigilance and proactive security measures to protect sensitive data.

References

[1] https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
[2] https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html
[3] https://www.techradar.com/pro/security/microsoft-defender-flaws-attacked-to-spread-dangerous-malware
[4] https://www.cloudways.com/blog/microsoft-defender-flaw-exploited-to-deliver-acr-lumma-and-meduza-stealers/
[5] https://www.darkreading.com/vulnerabilities-threats/cyberattackers-exploit-microsoft-smartscreen-bug-in-stealer-campaign
[6] https://www.csoonline.com/article/3477067/microsoft-defender-smartscreen-bug-actively-used-in-stealer-campaign.html
[7] https://cybersecuritynews.com/windows-smartscreen-vulnerability/
[8] https://www.tomshardware.com/tech-industry/cyber-security/patched-microsoft-defender-flaw-still-being-used-to-deliver-information-stealing-malware-to-vulnerable-machines