Cybercriminals Continue Exploiting Microsoft SmartScreen Vulnerability in Global Infostealing Campaigns

July 24, 2024

Cybercriminals are exploiting a vulnerability in Microsoft Defender SmartScreen, CVE-2024-21412, in an ongoing global infostealing campaign. The bug, which was patched in February, is still being utilized in attacks, posing a risk to organizations that are not up-to-date with standard Windows patching.

The vulnerability has been used in campaigns involving notorious infostealers like Lumma Stealer, Water Hydra, and DarkGate. Recently, Fortinet identified another campaign involving two additional stealers: Meduza and ACR. These attacks have been observed in various countries, including the US, Spain, and Thailand.

Aamir Lakhani, a global security strategist and researcher at Fortinet, expressed concern over the continued exploitation of this vulnerability. He stated, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles." He further added that the failure to patch these vulnerabilities could indicate other unpatched Microsoft vulnerabilities.

The SmartScreen tool is designed to warn users about potentially unsafe websites, files, or programs. However, the CVE-2024-21412 vulnerability allows attackers to disable these notifications. In the latest campaign, attackers are bypassing SmartScreen using a combination of PowerShell tricks and hiding attacks in images.

The attackers first lure victims with a URL that triggers the download of a shortcut (LNK) file. This file downloads an executable with an HTML Application (HTA) script with Powershell code, which retrieves decoy PDF files and malicious code injectors. One of these injectors, after running anti-debugging checks, downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, where the malicious code lies.

The infostealers smuggled in through these image files are then planted inside legitimate Windows processes, initiating the data gathering and exfiltration process. The kinds of data targeted are wide-ranging, with ACR stealing from multiple browsers, crypto wallets, messenger apps, password managers, VPN apps, email clients, and FTP clients.

The vulnerability poses a risk only to organizations that are significantly behind on standard Windows patching. Lakhani noted, "most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack." To promote better patching practices, he suggests that software vendors should alert users about critical security patches and encourage their installation when the software is launched or used.

Related News

• DarkGate Malware Upgrades: Shifts from AutoIt to AutoHotkey in Recent Cyber Attacks
• Microsoft Addresses Two Exploited Zero-Days in April 2024 Patch Tuesday
• Microsoft's Record-Breaking Patch Tuesday: 147 New CVEs, No Zero-Days, but an Active Exploit
• DarkGate Malware Campaign Exploits Recently Patched Microsoft Vulnerability in Zero-Day Attack
• CISA Adds Two Microsoft Windows Bugs to Its Known Exploited Vulnerabilities Catalog

Latest News

• Chinese APT Group Daggerfly Enhances Its Malware Arsenal
• CISA Adds Two More Vulnerabilities to its Exploited Flaws Catalog
• Ukrainian Research Institution Targeted by HATVIBE and CHERRYSPY Malware
• CISA Updates Known Exploited Vulnerabilities Catalog with Adobe, SolarWinds, and VMware Bugs
• Critical Vulnerability in Cisco's Security Email Gateway Patched