Defender flaw leads to ACR, Lumma, and Meduza stealing

TLDR:

  • A security flaw in Microsoft Defender SmartScreen has been exploited to deliver ACR, Lumma, and Meduza stealers.
  • The flaw allows attackers to sidestep SmartScreen protection to drop malicious payloads.

A now-patched security flaw in Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs detected the stealer campaign targeting Spain, Thailand, and the U.S.; it uses booby-trapped files that exploit a high-severity vulnerability (CVE-2024-21412) which lets an attacker bypass SmartScreen protection.

Microsoft addressed this issue in its monthly security updates released in February 2024. The attackers lure victims into clicking a crafted link to a URL file, which then downloads an executable file containing an HTML Application script. This script serves as a conduit to decode and decrypt PowerShell code responsible for fetching malicious payloads like Meduza Stealer or Hijack Loader, leading to the deployment of ACR Stealer or Lumma.

ACR Stealer and Lumma Stealer have been observed using similar techniques, making it easier for adversaries to change their command-and-control domains and render the infrastructure more resilient. This exploitation comes as CrowdStrike reveals threat actors leveraging a recent Windows outage to distribute a new information stealer called Daolpu.

As attackers ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines due to the prevalence of malvertising and SEO poisoning. Users are advised to exercise caution when downloading software and stay informed about emerging threats in the cybersecurity landscape.
