Microsoft Defender vulnerabilities being exploited to spread dangerous malware
Cybercriminals are constantly trying to exploit a vulnerability in Microsoft Defender SmartScreen to spread all kinds of malware and infostealers.
FortiGuard Labs reports that a new campaign has been launched targeting victims in Spain, Thailand and the US, which aims to launch ARC Stealer, Lumma and Meduza.
This vulnerability allows attackers to bypass Windows Defender SmartScreen, a security feature built into Windows operating systems designed to protect users from online threats.
Lumma and Meduza Stealer
“Initially, attackers lure victims into clicking on a crafted link to a URL file designed to download a LNK file,” the researchers explained. “The LNK file then downloads an executable file with a [HTML Application] script.”
The vulnerability that is being exploited is tracked as CVE-2024-21412. It has a severity score of 8.1 and researchers have been warning about it since mid-February of this year. Trend Micro experts said at the time that they saw a threat actor called Water Hydra (DarkCasino) abuse the then-zero-day to target crypto traders on New Year’s Eve.
“We concluded that invoking a shortcut within another shortcut was sufficient to bypass SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that warns users when they open or execute files from an untrusted source,” Trend Micro experts said at the time.
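As an added illustration of the defender-side checks this chain implies (example code written for this article, not code from FortiGuard, Trend Micro or Microsoft), the following Python parses a Windows Internet Shortcut (.url) file and the Zone.Identifier stream that carries Mark-of-the-Web, and flags a .url file whose target is a .lnk on a remote share, the shortcut-within-a-shortcut pattern quoted above. All file contents and host names are constructed placeholders, and the function names (`triage`, `is_nested_shortcut`, `motw_zone`, and the rest) are this example's own.

```python
import configparser
from typing import Optional

# Constructed sample of a Windows Internet Shortcut (.url) whose target is a
# remote .lnk: the "shortcut that invokes another shortcut" pattern.
# example.invalid is a placeholder host, not an indicator from any campaign.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://example.invalid/share/invoice.lnk
IconIndex=0
"""

# Constructed sample of an ordinary .url file that opens a web page.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/
"""

# Constructed sample of the Zone.Identifier alternate data stream that Windows
# writes beside downloaded files (Mark-of-the-Web). ZoneId 3 = Internet zone.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
HostUrl=https://example.invalid/download/
"""

# Target prefixes that mean "fetch the shortcut from another host" (UNC / file URI).
REMOTE_PREFIXES = ("file://", "\\\\")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of a .url file, or None if the file is malformed."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the key's case so "URL" is looked up verbatim
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp["InternetShortcut"].get("URL")


def is_nested_shortcut(text: str) -> bool:
    """True when a .url file's target is itself a shortcut (.lnk)."""
    target = parse_internet_shortcut(text)
    if target is None:
        return False
    path = target.split("?", 1)[0].split("#", 1)[0].strip().lower()
    return path.endswith(".lnk")


def motw_zone(text: str) -> Optional[int]:
    """Parse a Zone.Identifier stream and return its ZoneId (3 = Internet, 4 = Restricted)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def came_from_internet(zone_text: Optional[str]) -> bool:
    """True when a file carries a MotW zone of Internet (3) or Restricted (4)."""
    if zone_text is None:
        return False  # no stream at all: nothing for SmartScreen to act on
    return motw_zone(zone_text) in (3, 4)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file on NTFS; returns None where absent
    (non-Windows filesystems have no such stream, so this is None there too)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def triage(url_text: str, zone_text: Optional[str]) -> str:
    """Classify a .url file given its contents and its Zone.Identifier stream.

    'suspicious': an Internet-sourced .url that pulls a .lnk from a remote host.
    'review'    : nested shortcut without the full Internet-plus-remote signal.
    'benign'    : the target is not a shortcut.
    """
    if not is_nested_shortcut(url_text):
        return "benign"
    target = (parse_internet_shortcut(url_text) or "").lower()
    remote = target.startswith(REMOTE_PREFIXES)
    if came_from_internet(zone_text) and remote:
        return "suspicious"
    return "review"


if __name__ == "__main__":
    print("sample  :", triage(SAMPLE_URL_FILE, SAMPLE_ZONE_IDENTIFIER))
    print("benign  :", triage(BENIGN_URL_FILE, SAMPLE_ZONE_IDENTIFIER))
```

On a Windows host, `read_zone_identifier(path)` supplies the second argument to `triage` from the real alternate data stream; the sample constants above let the logic run anywhere. The check keys on the combination the quoted research describes (a downloaded .url whose target is a remote .lnk) rather than on any single file type, since .url and .lnk files are both common and harmless on their own.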
In early July 2024, researchers from Cyble also warned that the vulnerability was being used to spread malware. They urged users to install a fix immediately, as Microsoft had already patched the vulnerability on February 13, 2024.
While the vulnerability was originally used to drop the DarkGate commodity loader, the new campaigns have seen the crooks opt for ARC Stealer, Lumma, and Meduza. All are relatively popular infostealers that can steal sensitive files, credentials, cryptocurrency wallet details, screenshots, and more.
Via The Hacker News