A now-fixed security flaw in Microsoft Defender SmartScreen was exploited as part of a new campaign designed to deliver information-stealing malware, including ACR Stealer, Lumma and Meduza.
Fortinet FortiGuard Labs said it detected a stealer campaign targeting Spain, Thailand, and the United States that uses booby-trapped files to exploit CVE-2024-21412 (CVSS score: 8.1).
This high-severity vulnerability could allow attackers to bypass SmartScreen protections and drop malicious payloads. Microsoft addressed the issue as part of its monthly security updates released in February 2024.
“First, attackers lure victims into clicking on a crafted link to a URL file designed to download a LNK file,” security researcher Cara Lin said. “The LNK file then downloads an executable file that contains an HTA (HTML application) script.”
The HTA file acts as a conduit to decode and decrypt PowerShell code that retrieves a decoy PDF file and a shellcode injector. The injector in turn deploys either Meduza Stealer or Hijack Loader, and Hijack Loader then launches ACR Stealer or Lumma.
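As an added defender-side example (not code from Fortinet's report), the script below parses Windows .url internet-shortcut files, the first hop of the chain described above, and flags targets that are a remote share, use a non-web scheme, or point at an executable-type file such as a .lnk. The sample shortcut contents and the flagging heuristics are constructed for illustration.

```python
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample .url files (INI format with an [InternetShortcut] section).
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "remote_lnk.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/invoice.lnk\n",
    "unc_lnk.url": "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\report.pdf.lnk\n",
}

# Extensions a benign internet shortcut normally never points at (assumed heuristic).
SUSPICIOUS_EXT = (".lnk", ".hta", ".exe", ".url")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of a .url file, or None if it is not a valid shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage_shortcut(text: str) -> List[str]:
    """Return reasons this .url file deserves a closer look (empty list means nothing flagged)."""
    target = parse_internet_shortcut(text)
    if target is None:
        return ["no [InternetShortcut] URL= key; malformed or not an internet shortcut"]
    reasons = []
    if target.startswith("\\\\"):
        # UNC path: the shortcut resolves to a file on a remote share.
        reasons.append("target is a UNC path (remote share)")
    else:
        scheme = urlparse(target).scheme.lower()
        if scheme not in ("http", "https"):
            reasons.append(f"non-web scheme '{scheme or '<none>'}'")
    path = target.rstrip("/").lower()
    if path.endswith(SUSPICIOUS_EXT):
        reasons.append(f"target points to a {path.rsplit('.', 1)[-1]} file")
    return reasons


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, triage_shortcut(content) or "clean")
```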
ACR Stealer, which is assessed to be an evolution of the GrMsk Stealer, was promoted in late March 2024 on the Russian-language underground forum RAMP by a threat actor named SheldIO.
“This ACR stealer uses Dead Drop Resolver (DDR) techniques to hide C2 (command and control) on the Steam community website,” Lin said, noting that it is capable of stealing information from web browsers, cryptocurrency wallets, messaging apps, FTP clients, email clients, VPN services and password managers.
It is worth noting that the same technique has also been observed to be utilized in recent Lumma Stealer attacks, making it easier for attackers to change C2 domains at any time and make their infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).
The disclosure comes after CrowdStrike revealed that threat actors were using last week’s outage to distribute previously undocumented information-stealing malware called Daolpu, the latest example of the ongoing damage resulting from a flawed update that crippled millions of Windows devices.
The attack uses a Microsoft Word document disguised as a Microsoft Recovery Manual, containing legitimate instructions from the Windows manufacturer for resolving the issue. The document carries a macro and serves as a decoy to start the infection process.
Once the DOCM file is opened, the macro executes and remotely retrieves a second-stage DLL file, which is decoded and launches Daolpu, a stealer capable of harvesting credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox and other Chromium-based browsers.
Additionally, new stealer malware families such as Braodo and DeerStealer have emerged, while cybercriminals are deploying Atomic Stealer through malvertising campaigns that advertise legitimate software such as Microsoft Teams.
“Downloading applications via search engines is becoming more risky as cybercriminals step up their distribution campaigns,” said Jerome Segura, a researcher at Malwarebytes. “Users have to navigate between malvertising (sponsored search results) and SEO poisoning (compromised websites).”