Hackers Actively Exploiting Microsoft SmartScreen Vulnerability To Deploy Stealer Malware
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Hackers attack Microsoft SmartScreen as it’s a cloud-based, anti-phishing, and anti-malware component that determines whether a website is potentially malicious, protecting users from downloading harmful viruses.
Cybersecurity researchers at Cyble recently discovered that hackers have been actively exploiting the Microsoft SmartScreen vulnerability to deploy stealer malware.
Microsoft SmartScreen Vulnerability
In January 2024, the Zero Day Initiative of Cyble discovered a DarkGate campaign exploiting CVE-2024-21412 via fake software installers.
Microsoft patched the vulnerability on February 13, but Water Hydra and other groups continued to leverage it to deploy malware, including DarkMe RAT, by bypassing SmartScreen with internet shortcuts.
Malicious links to internet shortcuts hosted on WebDAV shares are typically distributed via spam email.
When these shortcuts are run, they skip the SmartScreen step and launch a multi-step attack that uses PowerShell as well as JavaScript scripts.
Finally, the campaign installs information-stealing malware such as Lumma and Meduza Stealer, showing how threat actors have been evolving in their approach to exploiting recently patched vulnerabilities.
.webp)
Infection Chain (Source – Cyble)
The threat actor targets individuals and organizations globally, using lures like fake Spanish tax documents, US Department of Transportation emails, and Australian Medicare forms.
.webp)
It is a very crafty technological attack that exploits CVE-2024-21412 to bypass Microsoft Defender SmartScreen.
The attackers may send phishing emails containing a malicious link that leads to a WebDAV-hosted internet shortcut.
The attack chain includes multiple steps, with the last one involving JavaScript embedded in benign executables, using legitimate Windows utilities and poisoning them for malicious LNK file purposes.
Here, the PowerShell scripts decrypt and execute additional payloads, install malware, and display a decoy document on the victim’s machine.
Some of the methods used in this campaign include DLL side-loading and IDAT loader exploitation to distribute Lumma and Meduza Stealer malware.
The payload is then injected into explorer.exe. Increasing utilization of CVE-2024-21412, coupled with such elaborate approaches, confirms a cyber threat environment that is transforming very fast.
This development could be hurried by the availability of Malware-as-a-Service offerings, consequently underlining the urgent requirement for proactive security measures and continuous changes to counter new threats arising from such avenues.
Recommendations
Here below we have mentioned all the recommendations:-
IoCs
.webp)
IoCs (Source – Cyble)
#Cyber_Security_News #Microsoft #Vulnerability #Cybersecurity_Vulnerabilities #Malware_Deployment #Microsoft_SmartScreen
Оригинальная версия на сайте:
Hackers Actively Exploiting Microsoft SmartScreen Vulnerability To Deploy Stealer Malware
Author: Tushar Subhra DuttaHackers attack Microsoft SmartScreen as it’s a cloud-based, anti-phishing, and anti-malware component that determines whether a website is potentially malicious, protecting users from downloading harmful viruses.
Cybersecurity researchers at Cyble recently discovered that hackers have been actively exploiting the Microsoft SmartScreen vulnerability to deploy stealer malware.
Microsoft SmartScreen Vulnerability
In January 2024, the Zero Day Initiative of Cyble discovered a DarkGate campaign exploiting CVE-2024-21412 via fake software installers.
Microsoft patched the vulnerability on February 13, but Water Hydra and other groups continued to leverage it to deploy malware, including DarkMe RAT, by bypassing SmartScreen with internet shortcuts.
Malicious links to internet shortcuts hosted on WebDAV shares are typically distributed via spam email.
When these shortcuts are run, they skip the SmartScreen step and launch a multi-step attack that uses PowerShell as well as JavaScript scripts.
Finally, the campaign installs information-stealing malware such as Lumma and Meduza Stealer, showing how threat actors have been evolving in their approach to exploiting recently patched vulnerabilities.
Infection Chain (Source – Cyble)The threat actor targets individuals and organizations globally, using lures like fake Spanish tax documents, US Department of Transportation emails, and Australian Medicare forms.
It is a very crafty technological attack that exploits CVE-2024-21412 to bypass Microsoft Defender SmartScreen.
The attackers may send phishing emails containing a malicious link that leads to a WebDAV-hosted internet shortcut.
The attack chain includes multiple steps, with the last one involving JavaScript embedded in benign executables, using legitimate Windows utilities and poisoning them for malicious LNK file purposes.
Here, the PowerShell scripts decrypt and execute additional payloads, install malware, and display a decoy document on the victim’s machine.
Some of the methods used in this campaign include DLL side-loading and IDAT loader exploitation to distribute Lumma and Meduza Stealer malware.
The payload is then injected into explorer.exe. Increasing utilization of CVE-2024-21412, coupled with such elaborate approaches, confirms a cyber threat environment that is transforming very fast.
This development could be hurried by the availability of Malware-as-a-Service offerings, consequently underlining the urgent requirement for proactive security measures and continuous changes to counter new threats arising from such avenues.
Recommendations
Here below we have mentioned all the recommendations:-
- Verify emails and links
- Use advanced email filtering
- Avoid suspicious links
- Keep software up-to-date
- Monitor forfiles utility
- Limit scripting languages
- Implement application whitelisting
- Segment your network
IoCs
IoCs (Source – Cyble)#Cyber_Security_News #Microsoft #Vulnerability #Cybersecurity_Vulnerabilities #Malware_Deployment #Microsoft_SmartScreen
Оригинальная версия на сайте:
