Monday, March 10, 2025

Microsoft Defender Flaw Exploited to Ship ACR, Lumma, and Meduza Stealers


A now-patched security flaw in Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S., using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).

The high-severity vulnerability allows an attacker to bypass SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.

“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” security researcher Cara Lin said. “The LNK file then downloads an executable file containing an [HTML Application] script.”


The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.


ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.

“This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website,” Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.


It is worth noting that recent Lumma Stealer attacks have also been observed using the same technique, making it easier for the adversaries to change the C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).


The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week’s outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that has crippled millions of Windows devices.

The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual containing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.

The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote server that is decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, while cybercriminals are exploiting malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.


“As cybercriminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines,” Malwarebytes researcher Jérôme Segura said. “Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).”
