A now-patched security flaw in Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.
“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” security researcher Cara Lin said. “The LNK file then downloads an executable file containing an [HTML Application] script.”
The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.
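The chain above starts with an Internet Shortcut (.url) file whose target is an LNK download. The following triage script is an added example, not Fortinet's or the article's code: it parses the INI-style .url format and flags shortcuts whose target is a script or binary rather than a web page. The sample shortcut contents and the list of suspicious target extensions are constructed assumptions for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url contents (not from the campaign): one benign, one lure-shaped.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/docs/manual.html
IconIndex=0
"""

LURE_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/download/report.lnk
IconIndex=0
"""

# Targets an Internet Shortcut should not point at in a normal document workflow.
# This set is an assumption for triage, not taken from the page.
SUSPICIOUS_TARGET_EXTS = {".lnk", ".hta", ".exe", ".url", ".js", ".vbs", ".dll"}


def parse_internet_shortcut(text: str) -> dict:
    """Parse the [InternetShortcut] section of a .url file into lowercase keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    return {k.lower(): v for k, v in cp.items("InternetShortcut")}


def triage_url_file(text: str) -> list:
    """Return reasons the shortcut looks like a stager; an empty list means nothing flagged."""
    reasons = []
    target = parse_internet_shortcut(text).get("url", "")
    parsed = urlparse(target)
    # Take the extension of the final path segment (works for URLs and UNC-style targets).
    last_segment = parsed.path.rsplit("/", 1)[-1].lower()
    ext = "." + last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    if ext in SUSPICIOUS_TARGET_EXTS:
        reasons.append(f"URL target is a {ext} file: {target}")
    if parsed.scheme == "file" or target.startswith("\\\\"):
        reasons.append(f"URL target is a file:// or UNC path: {target}")
    return reasons


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("lure", LURE_URL_FILE)):
        print(name, triage_url_file(sample) or "clean")
```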
ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.
“This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website,” Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
It's worth noting that recent Lumma Stealer attacks have also been observed employing the same technique, making it easier for the adversaries to change the C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).
The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week's outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that has crippled millions of Windows devices.
The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.
The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote server that is decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, even as cyber criminals are exploiting malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.
“As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines,” Malwarebytes researcher Jérôme Segura said. “Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).”