
Microsoft Defender Flaw Exploited to Ship ACR, Lumma, and Meduza Stealers

A now-patched security flaw in Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).

The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.

“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” security researcher Cara Lin said. “The LNK file then downloads an executable file containing an [HTML Application] script.”
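The chain above starts with a Windows Internet Shortcut (.url) file whose target is fetched from a remote share. As an added example, not code from Fortinet's report or this article, the following Python scanner parses .url files and flags targets that point at a UNC/WebDAV share or end in a shortcut or executable extension; the sample files are constructed, and the 203.0.113.x addresses are documentation placeholders, not indicators from the campaign.

```python
from urllib.parse import urlparse

# Constructed sample .url files (INI format). Not real campaign artefacts.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
    "lure.url": "[InternetShortcut]\r\nURL=file://203.0.113.5@80/share/invoice.lnk\r\nIconIndex=0\r\n",
    "webdav.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.5@SSL\\DavWWWRoot\\report.url\r\n",
}

# Extensions that should never be the target of an Internet Shortcut on an endpoint.
SUSPICIOUS_EXT = (".lnk", ".url", ".hta", ".exe", ".js", ".vbs")


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "internetshortcut":
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_shortcut(text: str) -> list:
    """Return the reasons a shortcut looks like a remote-share delivery lure (empty = clean)."""
    reasons = []
    target = parse_internet_shortcut(text).get("url", "")
    if not target:
        return reasons
    # \\host\share and file://host/... targets are resolved over SMB/WebDAV,
    # i.e. the content is pulled from an attacker-controlled share.
    is_unc = target.startswith("\\\\")
    scheme = "unc" if is_unc else urlparse(target).scheme.lower()
    if scheme in ("file", "unc"):
        reasons.append(f"remote share target ({scheme})")
    if "@80" in target or "@ssl" in target.lower():
        reasons.append("WebDAV port syntax in host")
    if target.lower().rstrip("/").endswith(SUSPICIOUS_EXT):
        reasons.append("target is a shortcut/executable file type")
    return reasons


def scan(samples: dict) -> dict:
    """Map each file name to its list of findings."""
    return {name: classify_shortcut(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or ["clean"])
```

Point `scan` at the contents of .url files collected from download directories or mail attachments; any non-empty result is worth a closer look.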


The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, leads either to the deployment of Meduza Stealer or to Hijack Loader, which subsequently launches ACR Stealer or Lumma.


ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.

“This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website,” Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.


It is worth noting that recent Lumma Stealer attacks have also been observed using the same technique, making it easier for the adversaries to change the C2 domains at any time and rendering the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).

The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week’s outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that crippled millions of Windows devices.


The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.

The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote server; the DLL is decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, even as cyber criminals exploit malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.

“As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines,” Malwarebytes researcher Jérôme Segura said. “Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).”
