This article presents a detailed analysis of a stealer campaign exploiting CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen. The vulnerability enables remote attackers to bypass the SmartScreen security warning dialog, thereby facilitating the delivery of malicious files. Over the past year, notorious threat actors such as Water Hydra, Lumma Stealer, and Meduza Stealer have leveraged this vulnerability to execute various malicious campaigns.
Attack Methodology
The campaign begins with the attacker constructing a malicious link that leads to a URL file. Once the victim interacts with the link, it downloads an LNK file, which in turn fetches an executable file embedding an HTA script. This script decodes and decrypts PowerShell code, which subsequently downloads additional files, including a decoy PDF and a malicious shell code injector.
Stealer Deployment and Injector Techniques
The campaign employs two main types of shell code injectors:
-
Image-Based Injector: This injector downloads a seemingly harmless image file, from which it extracts shell code through pixel manipulation using the Windows API
GdipBitmapGetPixel. The shell code is then executed to download and deploy stealers such as HijackLoader, Lumma Stealer, and ACR Stealer. -
Straightforward Injector: This injector decrypts its code from the data section and uses a sequence of Windows API functions (like
NtCreateSectionandNtMapViewOfSection) to inject the shell code, ultimately deploying the Meduza Stealer.
Final Payloads
The attack culminates in the deployment of various stealer variants, including Meduza Stealer and ACR Stealer. These stealers are capable of exfiltrating sensitive data, including browser credentials, cryptocurrency wallets, FTP clients, email clients, and even specific Chrome extensions. The Meduza Stealer communicates with its C2 server via a panel, while the ACR Stealer uses a dead drop resolver technique, leveraging platforms like Steam to hide its C2 communications.
Mitigation Strategies
To counteract such sophisticated attack vectors, it is imperative for organizations to:
-
Educate Users: Users should be made aware of the risks associated with downloading and executing files from unverified sources.
-
Implement Robust Security Protocols: Proactive security measures, including advanced endpoint detection and response (EDR) systems, should be employed.
-
Regular Security Audits: Organizations should conduct frequent security audits and vulnerability assessments to identify and mitigate potential risks.
Conclusion
This stealer campaign underscores the evolving tactics employed by cybercriminals to bypass security measures and execute sophisticated attacks. Organizations must remain vigilant and adapt their cybersecurity strategies to address these advanced threats effectively.
Reference
Detailed InfoStealer Investigation by Fortinet Team: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed