A now-patched security flaw in Microsoft Defender SmartScreen has been exploited in a new campaign aimed at delivering information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity vulnerability allows attackers to bypass SmartScreen protection and drop malicious payloads. Microsoft addressed this issue in its February 2024 security updates.
“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” said security researcher Cara Lin. “The LNK file then downloads an executable file containing an HTML Application (HTA) script.”
The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector, which then deploys either Meduza Stealer or Hijack Loader, subsequently launching ACR Stealer or Lumma.
ACR Stealer, considered an evolved version of GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.
“This ACR stealer hides its command-and-control (C2) with a dead drop resolver (DDR) technique on the Steam community website,” Lin said, highlighting its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
Recent Lumma Stealer attacks have also utilized the same technique, making it easier for adversaries to change C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).
CrowdStrike has revealed that threat actors are leveraging last week's outage, caused by a faulty update that crippled millions of Windows devices, to distribute a previously undocumented information stealer called Daolpu.
The attack involves a macro-laced Microsoft Word document masquerading as a Microsoft recovery manual with legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.
The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote server, which is then decoded and launched to run Daolpu, a stealer malware designed to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
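Both chains described above (URL file, LNK, HTA, then decoded PowerShell in the SmartScreen-bypass campaign; a DOCM macro pulling a DLL in the Daolpu campaign) leave the same kind of trace on an endpoint: an unusual parent-child process relationship. The following detection sketch is an added example, not code from the article, Fortinet or CrowdStrike. It assumes process-creation records in the shape of Sysmon Event ID 1 (pid, parent pid, image name, command line), and the sample events it runs over are constructed for illustration, including the placeholder base64 string and file paths.

```python
"""Process-lineage detection for HTA -> PowerShell and Office -> DLL-loader chains.

Constructed example: the rules and sample events are illustrative, not from the
article or any vendor's detection content.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style); image is the lowercased basename."""
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# (rule name, parent images that make the child suspicious, suspicious child images).
# Ordered most specific first; detect() emits at most one alert per event.
RULES = [
    ("hta-spawns-powershell", {"mshta.exe"}, {"powershell.exe", "pwsh.exe"}),
    ("office-spawns-dll-loader", OFFICE_APPS, DLL_LOADERS),
    ("office-spawns-script-host", OFFICE_APPS, SCRIPT_HOSTS),
]


def is_encoded_powershell(cmdline: str) -> bool:
    """True when the command line carries a base64-encoded command (-e, -ec, -enc, -EncodedCommand).

    Approximation: PowerShell accepts any unambiguous prefix of -EncodedCommand, so
    the check matches the common short forms rather than every legal spelling.
    """
    tokens = cmdline.lower().split()
    return any(t in ("-e", "-ec") or t.startswith("-enc") for t in tokens)


def lineage(by_pid: Dict[int, ProcEvent], e: ProcEvent) -> str:
    """Render the ancestry of e as 'root > ... > e', stopping on missing or cyclic parents."""
    chain = [e.image]
    seen = {e.pid}
    cur = by_pid.get(e.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur.image)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return " > ".join(reversed(chain))


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per event whose parent/child pair matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        for name, parents, children in RULES:
            if parent.image in parents and e.image in children:
                hits.append({
                    "rule": name,
                    "pid": e.pid,
                    "lineage": lineage(by_pid, e),
                    # Flag decoded/encoded PowerShell separately so triage can prioritise it.
                    "encoded_powershell": e.image in ("powershell.exe", "pwsh.exe")
                    and is_encoded_powershell(e.cmdline),
                })
                break
    return hits


# Constructed sample telemetry: two malicious chains plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", r"mshta.exe C:\Users\victim\Downloads\invoice.hta"),
    ProcEvent(201, 200, "powershell.exe", "powershell.exe -w hidden -nop -enc QUJDREVGR0g="),
    ProcEvent(300, 100, "winword.exe", r"WINWORD.EXE /n C:\Users\victim\Downloads\recovery_manual.docm"),
    ProcEvent(301, 300, "rundll32.exe", r"rundll32.exe C:\Users\victim\AppData\Local\Temp\stage2.dll,Entry"),
    ProcEvent(400, 100, "winword.exe", r"WINWORD.EXE /n C:\Users\victim\Documents\notes.docx"),
    ProcEvent(401, 400, "splwow64.exe", "splwow64.exe 12288"),  # normal print-spooler child
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -File C:\tools\audit.ps1"),  # benign admin use
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

In a real deployment the rules belong in the SIEM or EDR query language rather than in a script, but the shape is the same: key on the parent image, not only the child, because PowerShell and rundll32 are far too common on their own, and escalate when the child command line is base64-encoded.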
New stealer malware families such as Braodo and DeerStealer have also emerged, and cyber criminals are using malvertising campaigns that impersonate legitimate software such as Microsoft Teams to deploy Atomic Stealer.
“As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines,” said Malwarebytes researcher Jérôme Segura. “Users must navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).”