SmartScreen Flaw Exploited To Deliver Information Stealers
According to recent media reports, a now-patched flaw in Microsoft Defender SmartScreen was exploited in a new campaign to deliver information stealers, including ACR Stealer, Meduza, and Lumma. In this article, we explore the flaw in detail so you can determine how to safeguard against it.
The SmartScreen Flaw Detailed
The SmartScreen flaw is tracked as CVE-2024-21412 and has a CVSS score of 8.1 (high severity). The flaw came to light when Fortinet FortiGuard Labs discovered a stealer campaign targeting victims in the United States (US), Thailand, and Spain.
Media reports state that threat actors can use this high-severity vulnerability to bypass SmartScreen protection and then deploy a malicious payload. Microsoft addressed the issue as part of its February 2024 security updates.
Providing further details about the SmartScreen flaw, security researcher Cara Lin has stated:
“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing a script.”
ACR Stealer, Lumma, and Meduza Stealer
Effective preventive measures start with an understanding of the threat. In the attack chain that exploits the SmartScreen flaw, an HTA file serves as a conduit that decrypts the PowerShell code.
This code fetches a decoy PDF file and a shellcode injector. The injector then deploys either Meduza Stealer or HijackLoader, and HijackLoader in turn launches Lumma or ACR Stealer. Commenting on the capabilities of ACR Stealer, Cara Lin said:
“This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website.”
Recent Lumma Stealer attacks have also been observed using the same technique, which lets threat actors change their C2 domains as needed during a campaign.
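The delivery chain described above (a downloaded executable, then an HTA that decrypts and runs PowerShell) leaves a parent/child process trail that endpoint telemetry can match. The following is an added example, not code from the article or from the researchers it quotes; it runs over constructed Sysmon-style records and assumes the downloaded executable runs from a user-writable directory, which the article does not state.

```python
# Added example (not from the article or its sources): flag process-creation
# records matching the delivery chain described above. All records are constructed.
import re

# Constructed Sysmon-style process-creation records; not real telemetry.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Users\u\Downloads\setup.exe"},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -Command CONSTRUCTED_PLACEHOLDER"},
    # Benign noise: an HTA and a PowerShell session started directly from the shell.
    {"pid": 50, "ppid": 10, "image": r"C:\Windows\System32\mshta.exe", "cmd": r"mshta.exe C:\Tools\ok.hta"},
    {"pid": 60, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
]
# Directories a standard user can write to; assumed location of the downloaded stage-2 executable.
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parent_image(events, event):
    """Image path of the parent process, or "" if the parent is not in the log."""
    by_pid = {e["pid"]: e for e in events}
    return by_pid.get(event["ppid"], {}).get("image", "")

def hta_spawning_powershell(events):
    """Stage 3 of the chain: mshta.exe directly launching powershell.exe (the HTA 'conduit')."""
    return [e["pid"] for e in events if basename(e["image"]) == "powershell.exe"
            and basename(parent_image(events, e)) == "mshta.exe"]

def user_dir_exe_spawning_hta(events):
    """Stage 2: an executable running from Downloads/Temp (the downloaded 'executable
    containing a script') launching mshta.exe."""
    return [e["pid"] for e in events if basename(e["image"]) == "mshta.exe"
            and USER_WRITABLE.search(parent_image(events, e))]

def full_chain(events):
    """PowerShell pids whose mshta parent was itself started by a user-directory executable;
    both stages together are a much stronger signal than either alone."""
    by_pid = {e["pid"]: e for e in events}
    suspicious_hta = set(user_dir_exe_spawning_hta(events))
    return [pid for pid in hta_spawning_powershell(events) if by_pid[pid]["ppid"] in suspicious_hta]
```

Either rule alone will fire on legitimate HTA-based tooling; requiring the full chain keeps the alert tied to the behaviour this campaign actually exhibits.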
Based on the available information, malvertising that promotes supposed software downloads has become common. Users unaware of this risk are at significant risk of falling prey to such tactics.
Describing these tactics, Malwarebytes researcher Jérôme Segura stated:
“As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines. Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).”
Conclusion
The patched SmartScreen flaw highlights the evolving threat landscape. To mitigate risk, users must stay vigilant, apply security updates promptly, and be cautious of suspicious links. Awareness and proactive protection are crucial in defending against information stealers like ACR Stealer, Meduza, and Lumma.
The sources of this piece include articles in The Hacker News and Security Affairs.