Cybercriminals Continue Exploiting Microsoft SmartScreen Vulnerability in Global Infostealing Campaigns

July 24, 2024

Cybercriminals are exploiting a vulnerability in Microsoft Defender SmartScreen, CVE-2024-21412, in an ongoing global infostealing campaign. The bug, which was patched in February, is still being utilized in attacks, posing a risk to organizations that are not up-to-date with standard Windows patching.

The vulnerability has been used in campaigns involving notorious infostealers like Lumma Stealer, Water Hydra, and DarkGate. Recently, Fortinet identified another campaign involving two additional stealers: Meduza and ACR. These attacks have been observed in various countries, including the US, Spain, and Thailand.

Aamir Lakhani, a global security strategist and researcher at Fortinet, expressed concern over the continued exploitation of this vulnerability. He stated, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles." He further added that the failure to patch these vulnerabilities could indicate other unpatched Microsoft vulnerabilities.

The SmartScreen tool is designed to warn users about potentially unsafe websites, files, or programs. However, the CVE-2024-21412 vulnerability allows attackers to disable these notifications. In the latest campaign, attackers are bypassing SmartScreen using a combination of PowerShell tricks and hiding attacks in images.

The attackers first lure victims with a URL that triggers the download of a shortcut (LNK) file. This file downloads an executable carrying an HTML Application (HTA) script that contains PowerShell code, which in turn retrieves decoy PDF files and malicious code injectors. One of these injectors, after running anti-debugging checks, downloads a JPG image file, then uses a Windows API to read its pixels and decode the bytes in which the malicious code is hidden.
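As an added illustration from the defender's side (not part of the article or Fortinet's research), the detector below runs over constructed process-creation events and flags the step in this chain where the HTA's script launches PowerShell to fetch files from the internet. The mshta.exe host process, the event layout and the sample command lines are assumptions, not details from the campaign.

```python
"""Detect PowerShell download activity descended from an HTA host.

Assumptions (not from the article): the HTA is hosted by mshta.exe and
events are Sysmon-style dicts with pid, ppid, image and command line.
"""
import re
from typing import Dict, Iterator, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events modelling LNK -> exe -> HTA -> PowerShell.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Shortcut (LNK) opened from Downloads launches the fetched executable
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\doc.exe",
     "cmd": "doc.exe"},
    # The executable runs its embedded HTA through mshta.exe (assumed host)
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"},
    # The HTA's script spawns PowerShell to pull the decoy PDF (constructed URL)
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": 'powershell.exe -w hidden -c "iwr http://198.51.100.7/d.pdf -o d.pdf"'},
    # Benign: an admin console launching PowerShell with no HTA ancestor
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-Process"},
]

# Command-line markers of a web fetch (iwr is the Invoke-WebRequest alias).
URL_RE = re.compile(r"https?://|downloadfile|invoke-webrequest|\biwr\b", re.I)


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> Iterator[str]:
    """Yield lower-cased image paths of pid's ancestors, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]["image"].lower()


def find_hta_powershell_downloads(events: List[Dict]) -> List[int]:
    """Return pids of PowerShell processes that reference a download and
    have mshta.exe somewhere in their process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        if not URL_RE.search(e["cmd"]):
            continue
        if any(a.endswith("mshta.exe") for a in ancestry(e["pid"], by_pid)):
            hits.append(e["pid"])
    return hits
```

Running it over the sample events flags only pid 400; the console-launched PowerShell is left alone because nothing in its ancestry is an HTA host.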

The infostealers smuggled in through these image files are then planted inside legitimate Windows processes, initiating the data gathering and exfiltration process. The kinds of data targeted are wide-ranging, with ACR stealing from multiple browsers, crypto wallets, messenger apps, password managers, VPN apps, email clients, and FTP clients.

The vulnerability poses a risk only to organizations that are significantly behind on standard Windows patching. Lakhani noted, "most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack." To promote better patching practices, he suggests that software vendors should alert users about critical security patches and encourage their installation when the software is launched or used.
