Exploit of Microsoft Defender flaw used to distribute ACR, Lumma, and Meduza stealers

A security flaw in Microsoft Defender SmartScreen, since patched, was exploited in a new campaign to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

The stealer campaign targeted Spain, Thailand, and the U.S. using files that exploit CVE-2024-21412, a high-severity vulnerability.

The vulnerability allowed attackers to bypass SmartScreen protection and drop malicious payloads. Microsoft fixed this issue in its February 2024 security updates.

“Attackers lure victims by clicking a link to a URL file to download an LNK file,” security researcher Cara Lin explained. “The LNK file downloads an executable file with an [HTML Application] script.”

The HTA file decodes and decrypts PowerShell code to fetch a decoy PDF file and a shellcode injector that leads to the deployment of Meduza Stealer or Hijack Loader, which then launches ACR Stealer or Lumma.
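The URL and LNK stages of this chain leave little process telemetry, but the hop from the HTA to PowerShell is visible in process-creation logs. The following is an added defender-side check, not code from the original article or from the researchers it cites: it walks a constructed, Sysmon-like set of events (hypothetical PIDs, paths and command lines) and flags any PowerShell process with mshta.exe in its ancestry, noting the command-line traits that make the launch suspicious.

```python
"""Flag the HTA -> PowerShell hop of the chain described above.
Events below are a constructed, Sysmon-like sample, not real telemetry."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str   # full command line as logged

# Command-line traits worth recording on a PowerShell child of mshta.exe
PS_INDICATORS = {
    "encoded-command": re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "remote-fetch": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
}

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of ev, stopping on a missing parent or a PID cycle."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def flag_hta_powershell(events):
    """Return {pid: [reasons]} for every PowerShell process that has mshta.exe as an ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        if ev.image not in ("powershell.exe", "pwsh.exe"):
            continue
        if not any(a.image == "mshta.exe" for a in ancestors(ev, by_pid)):
            continue
        reasons = ["mshta.exe ancestor"]
        reasons += [name for name, rx in PS_INDICATORS.items() if rx.search(ev.cmdline)]
        hits[ev.pid] = reasons
    return hits

# Constructed sample: hypothetical PIDs and paths; the -enc payload is a placeholder ("AAA").
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(401, 400, "powershell.exe", "powershell.exe"),            # benign interactive shell
    ProcEvent(402, 400, "mshta.exe", 'mshta.exe "C:\\Users\\v\\AppData\\Local\\Temp\\update.hta"'),
    ProcEvent(403, 402, "powershell.exe", "powershell.exe -w hidden -enc QQBBAEEA"),
    ProcEvent(404, 400, "cmd.exe", "cmd.exe"),
    ProcEvent(405, 404, "powershell.exe", "powershell.exe -Command Get-Date"),  # benign
]

if __name__ == "__main__":
    for pid, reasons in flag_hta_powershell(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Only the PowerShell process spawned beneath mshta.exe is reported; the two interactive shells are left alone because parentage, not the mere presence of PowerShell, is the signal.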

ACR Stealer, identified as an evolved version of GrMsk Stealer, can steal information from various sources.

Lumma Stealer attacks have also been observed using similar techniques, which make it easier for adversaries to change C2 domains and keep their infrastructure resilient, according to the AhnLab Security Intelligence Center.

CrowdStrike has revealed that threat actors are distributing a previously undocumented information stealer called Daolpu in the aftermath of a recent outage, leveraging a macro-laced Microsoft Word document masquerading as a recovery manual to start the infection process.

The DOCM file runs the macro to retrieve a DLL file to launch Daolpu, which harvests credentials and cookies from browsers.

New stealer malware families like Braodo and DeerStealer are emerging, while cyber criminals are using malvertising techniques to deploy Atomic Stealer.

“Downloading applications via search engines has become more dangerous as cyber criminals increase their distribution campaigns,” Malwarebytes researcher Jérôme Segura noted.
