Patched Microsoft Defender flaw still being used to deliver information-stealing malware to vulnerable machines

A high-severity vulnerability in Microsoft Defender SmartScreen is being used to deliver information-stealing malware in Spain, Thailand, and the U.S., security researchers say. The researchers discovered the stealer campaign using booby-trapped files to exploit the vulnerability and deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs observed the latest stealer campaign spreading multiple files that can sidestep Microsoft Defender ’s SmartScreen to download malicious software to target computers. The security vulnerability was addressed in CVE-2024-21412.

Since Microsoft closed this security hole with an update released in February 2024, the news underscores the importance of installing security updates promptly. The disclosure comes on the heels of the CrowdStrike outage , which is also being leveraged to deliver malware: CrowdStrike revealed that threat actors are delivering a fake recovery manual that delivers a previously undocumented stealer called Daolpu.

Security researcher Cara Lin said ( via The Hacker News) that the attackers “lure victims into clicking a crafted link to a URL file designed to download an LNK file.” Once downloaded and opened, the LNK file downloads an executable file containing an HTML Application (HTA) script.

Next, the HTA decodes and decrypts obfuscated PowerShell code that retrieves decoy PDF files along with a shell code injector. This shell code injector then deploys and launches the malicious software. The malware transmits information from web browsers, crypto wallets, messaging apps, FTP and email clients, VPN services, and password managers through a dead drop resolver on the Steam community website, a popular gaming service.

ACR Stealer targets a wide variety of popular applications. These include multiple versions of Google Chrome, Epic Privacy Browser, Vivaldi, Microsoft Edge, Opera, and Mozilla Firefox, to name a few. It also targets messenger apps including Telegram, Pidgin, Signal, Tox, Psi, Psi+, and WhatsApp, along with numerous FTP clients.

VPN services NordVPN and AzireVPN have also been targeted, as have password managers Bitwarden, NordPass, 1Password, and RoboForm. While the hijacked data from a password manager should be encrypted, there remains some risk of sensitive data being pulled from them. Fortinet has a complete list of known targeted software in its analysis of the stealer campaign .

Again, the Microsoft Defender SmartScreen vulnerability was patched in a February 2024 security update. However, if an organization doesn’t install such updates regularly, it remains vulnerable to the threat.