Microsoft Defender Flaw Exploited to Deploy ACR, Lumma, and Meduza Stealers
A recently patched security flaw in Microsoft Defender SmartScreen has been exploited to deliver information stealers, including ACR Stealer, Lumma Stealer, and Meduza Stealer. The vulnerability, tracked as CVE-2024-21412 (CVSS score: 8.1) and described by Microsoft as an Internet Shortcut Files security feature bypass, lets attackers sidestep SmartScreen warnings and deliver malicious payloads to the victim. Microsoft fixed the high-severity flaw in its February 2024 Patch Tuesday update.
Fortinet FortiGuard Labs identified the campaign targeting users in Spain, Thailand, and the U.S. The attackers lure victims into clicking a specially crafted URL (Internet Shortcut) file, which downloads an LNK file. The LNK file in turn downloads an executable that contains an HTML Application (HTA) script.
The HTA script decodes and decrypts PowerShell code that fetches a decoy PDF file and a shellcode injector. Depending on the variant, this sequence leads to the deployment of Meduza Stealer, or of Hijack Loader, which then launches either ACR Stealer or Lumma Stealer.
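The entry point of the chain described above is an Internet Shortcut (.url) file. A defender triaging mail attachments or downloads can parse these files and flag the traits that make them dangerous: a target on a remote share rather than a web URL, a target that is itself another .url file, or an IconFile pulled from a remote share. The following is an added example (not code from Fortinet's report or from the campaign); the heuristic indicator names and the two sample .url files are constructed for illustration.

```python
"""Triage Internet Shortcut (.url) files for remote-share and nested-shortcut targets.

Added example, not part of the original article. The two sample files below are
constructed; the indicator names are this script's own convention.
"""
from configparser import ConfigParser, Error as ConfigError
from urllib.parse import urlparse

# Constructed sample: an ordinary shortcut to a web page.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# Constructed sample: target and icon both live on a remote share, and the
# target is a second .url file (the pattern the SmartScreen bypass relies on).
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.url
IconIndex=0
IconFile=\\\\203.0.113.10\\share\\icon.ico
"""


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict (keys lower-cased), or None."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except ConfigError:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp.items("InternetShortcut"))


def _is_remote_share(value):
    """True for UNC paths and file:/smb:/webdav: URLs that name a remote host."""
    v = value.strip()
    if v.startswith("\\\\"):          # UNC path: \\host\share\...
        return True
    parsed = urlparse(v)
    # file:///C:/local has an empty netloc; file://host/share does not.
    return parsed.scheme in ("file", "smb", "webdav") and bool(parsed.netloc)


def assess_url_file(text):
    """Return a list of indicator names for one .url file (empty list = nothing flagged)."""
    fields = parse_url_file(text)
    if fields is None:
        return ["not-an-internet-shortcut"]
    findings = []
    target = fields.get("url", "").strip()
    if _is_remote_share(target):
        findings.append("remote-share-target")
    if target.lower().split("?", 1)[0].endswith(".url"):
        findings.append("nested-url-target")
    icon = fields.get("iconfile", "").strip()
    if _is_remote_share(icon):
        findings.append("remote-share-icon")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(f"{name}: {assess_url_file(sample) or 'clean'}")
```

A .url file whose target is an `https://` page is routine; one whose target or icon resolves to an SMB/WebDAV host, or that chains into a second .url, is worth quarantining regardless of whether the host is patched, since the same shape is used to coerce NTLM authentication and to stage LNK downloaders.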
ACR Stealer, an evolved version of the GrMsk Stealer, surfaced in March 2024 on the Russian underground forum RAMP, where it was advertised by a threat actor named SheldIO. The stealer uses a dead drop resolver (DDR) technique: the address of its command-and-control (C2) server is parked on a legitimate Steam community page and retrieved at runtime, so the C2 is not hard-coded in the binary and can be rotated without redeploying the malware. It is capable of exfiltrating data from web browsers, cryptocurrency wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.
Lumma Stealer has been observed using the same technique, which lets its operators change C2 domains frequently and makes their infrastructure more resilient to takedowns, as reported by the AhnLab Security Intelligence Center (ASEC).
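Because a dead drop resolver hides the C2 behind a legitimate, high-reputation site, blocking the domain is rarely an option. What a detection team can do instead is look at which process is fetching Steam community profile pages: a browser or the Steam client is expected, an executable running out of a user's Temp directory or a LOLBin is not. The block below is an added example of that process-versus-destination check, not code from ASEC or Fortinet; the proxy log format, the process allow-list and the four log lines are constructed for illustration.

```python
"""Flag processes that fetch known dead-drop pages without being the expected client.

Added example, not part of the original article. Log format, allow-list and
sample lines are constructed; tune the allow-list to your own estate.
"""
import re
from urllib.parse import urlparse

# Legitimate sites the article reports being used as dead drops, and the URL
# path prefixes on them that carry user-controlled content (profile pages).
DEAD_DROP_SITES = {
    "steamcommunity.com": ("/profiles/", "/id/"),
}

# Image names that are expected to talk to these sites (constructed allow-list).
EXPECTED_CLIENTS = {
    "steam.exe", "steamwebhelper.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}

# Constructed proxy log: "<timestamp> <image> <url>", one event per line.
SAMPLE_LOG = """2024-07-24T10:01:02Z C:\\Program Files (x86)\\Steam\\steam.exe https://steamcommunity.com/profiles/76561190000000001
2024-07-24T10:02:15Z C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe https://steamcommunity.com/id/some_user
2024-07-24T10:03:40Z C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe https://steamcommunity.com/profiles/76561190000000002
2024-07-24T10:04:01Z C:\\Windows\\System32\\rundll32.exe https://www.example.com/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<image>.+?)\s+(?P<url>https?://\S+)$")


def parse_line(line):
    """Split one constructed proxy-log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_dead_drop_fetch(url):
    """True when the URL points at a user-content page on a known dead-drop site."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for site, prefixes in DEAD_DROP_SITES.items():
        if host == site or host.endswith("." + site):
            return parsed.path.startswith(prefixes)
    return False


def find_suspicious_fetches(log_text):
    """Return (timestamp, image, url) for each dead-drop fetch by an unexpected process."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_dead_drop_fetch(ev["url"]):
            continue
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name not in EXPECTED_CLIENTS:
            hits.append((ev["ts"], ev["image"], ev["url"]))
    return hits


if __name__ == "__main__":
    for ts, image, url in find_suspicious_fetches(SAMPLE_LOG):
        print(f"{ts} suspicious dead-drop fetch by {image} -> {url}")
```

The allow-list is the weak point of this rule: a stealer injected into a browser process will pass it. Pairing the check with the process's parent, signer and path (a signed `chrome.exe` under Program Files versus an unsigned binary in Temp) tightens it, and the same table of sites and path prefixes can be extended to any other legitimate service that turns up as a dead drop.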
Separately, CrowdStrike has reported that attackers are exploiting the company's recent outage to spread a new information stealer named Daolpu. The lure is a macro-laced Microsoft Word document that mimics a Microsoft recovery manual. When the DOCM file is opened and macros are enabled, the macro retrieves a second-stage DLL from a remote server and decodes it to launch Daolpu, which harvests credentials and cookies from browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.
New stealer families such as Braodo and DeerStealer are also emerging, and cybercriminals are using malvertising that impersonates legitimate software such as Microsoft Teams to deliver Atomic Stealer to macOS users. Malwarebytes researcher Jérôme Segura highlighted the growing risk of downloading applications via search engine results, given how common malvertising and SEO poisoning have become.