Cybercriminals are persistently looking to try and exploit a vulnerability in Microsoft Defender SmartScreen to deliver all kinds of malware and infostealers.
FortiGuard Labs has reported observing a new campaign targeting victims in Spain, Thailand, and the US looking to drop ARC Stealer, Lumma, and Meduza.
The flaw allows the attackers to bypass Windows Defender SmartScreen, a security feature integrated into Windows operating systems and designed to protect users from online threats.
Lumma and Meduza Stealer
“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” the researchers explained. “The LNK file then downloads an executable file containing an [HTML Application] script.”
The vulnerability that keeps getting exploited is tracked as CVE-2024-21412. It has a severity score of 8.1, and researchers have been warning of it since mid-February this year. Back then, experts from Trend Micro said they saw a threat actor called Water Hydra (DarkCasino) abusing the then-zero-day, to target crypto traders, on New Year’s Eve.
“We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source,” Trend Micro’s experts said at the time.
In early July 2024, researchers from Cyble also issued a warning that the flaw was used to deploy malware, and urged users to apply a fix immediately, as Microsoft had patched the flaw on February 13 2024.
While originally, the flaw was used to drop the DarkGate commodity loader, in the new campaigns, the crooks opted for ARC Stealer, Lumma, and Meduza. All are relatively popular infostealers, capable of grabbing sensitive files, login credentials, cryptocurrency wallet data, screenshots, and more.
Via The Hacker News