A recently patched security vulnerability in Microsoft Defender SmartScreen has been actively exploited in a sophisticated campaign designed to deliver a range of information stealers, including ACR Stealer, Lumma, and Meduza.
The campaign, observed by FortiGuard Labs, leverages the flaw (CVE-2024-21412) to download malicious executable files. This is a security restrictions bypass issue that allows attackers to bypass SmartScreen protection and deliver malicious payloads. Microsoft addressed this vulnerability in its February 2024 monthly security updates.
The attackers initiate the process by enticing victims to click on a crafted link to a URL file, which then downloads an LNK file. This LNK file subsequently downloads an executable containing an HTML Application (HTA) script.
Once executed, the script decodes and decrypts PowerShell code to fetch the final URLs, decoy PDF files, and a malicious shellcode injector. The final stealer is then injected into legitimate processes, initiating malicious activities and sending the stolen data to a command-and-control (C2) server.
FortiGuard Labs has detected this campaign targeting users in North America, Spain, and Thailand. The threat actors have developed different injectors to evade detection and utilize various PDF files to specifically target these regions, the company said.