Hackers Exploit Windows SmartScreen Vulnerability Hydra, Lumma, & Meduza Stealers
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security bypass vulnerability, tracked as CVE-2024-21412, has been identified in Microsoft Windows SmartScreen.
This flaw arises from an error in handling maliciously crafted files, allowing remote attackers to bypass SmartScreen security warnings and deliver malicious payloads.
Over the past year, cybercriminals, including Water Hydra, Lumma Stealer, and Meduza Stealer, have exploited this vulnerability to conduct widespread attacks.
Affected Platforms and Impact
Exploitation Details
FortiGuard Labs has observed a stealer campaign leveraging CVE-2024-21412 to download malicious executable files. Attackers lure victims into clicking crafted links to URL files, which subsequently download LNK files. These LNK files then fetch executable files containing HTA scripts.
Once executed, these scripts decrypt PowerShell code to retrieve final URLs, decoy PDF files, and a malicious shell code injector. The injected stealer then initiates malicious activities and sends the stolen data to a Command and Control (C2) server.
Telemetry highlighting the United States, Spain, and ThailandAttack Chain Diagram
Attack chain diagram
Initial Access
The attack begins with a malicious link to a remote server, searching for a URL file with specific content.
Constructing malicious link to a remote server to search for a URL file
The target LNK file employs the “forfiles” command to invoke PowerShell, then executes “mshta” to fetch an execution file from the remote server “hxxps://21centuryart.com.”
HTA Script Execution
Several LNK files were collected during the investigation, all downloading similar executables containing an HTA script embedded within the overlay.
This HTA script has set WINDOWSTATE=”minimize” and SHOWTASKBAR=”no,” playing a crucial role in the infection chain by executing additional malicious code.
Decoded and decrypted script
After decoding and decrypting the script, PowerShell code downloads two files to the “%AppData%” folder: a decoy PDF and an execution file that injects shell code for the next stage.
Shell Code Injector
Two types of injectors were identified in this attack chain. The first variant leverages an image file to obtain shell code, with low detection rates on VirusTotal.
The injector downloads a JPG file from the Imghippo website, decodes the bytes to get the shell code, and calls the entry point of the shell code.
The shell code then obtains all the APIs from a CRC32 hash, creates a folder, and drops files in “%TEMP%,” identified as HijackLoader.
Dropping files in the temp folder
The second injector decrypts its code from the data section and uses a series of Windows API functions to perform shell code injection.
Assembly code for calling shell code
Final Stealers
This attack employs Meduza Stealer version 2.9, with its panel found at “hxxp://5[.]42[.]107[.]78/auth/login.”Meduza Stealer Panel
Meduza Stealer’s panel
An ACR stealer loaded from HijackLoader was also identified. It hides its C2 on the Steam community website with a dead drop resolver (DDR) technique.
Base64 encoded C2 on Steam
Other ACR Stealer’s C2 servers were found on Steam by searching for the string “t6t.” After retrieving the C2 hostname, the ACR stealer constructs a complete URL to fetch the encoded configuration from the remote server, which contains crucial information for the stealer.
Decoded Configuration
Water Hydra, Lumma Stealer, and Meduza Stealer exploited CVE-2024-21412, which highlights the critical need for robust cybersecurity measures.
Users are advised to update their systems promptly and remain vigilant against suspicious links and files to mitigate the risk of such attacks. Businesses can teach their customers not to open files from unknown sources to lessen the impact of these kinds of attacks.
Protecting against advanced attack vectors requires a strong and proactive cybersecurity strategy since threat actors are always inventing new methods. Protecting a company’s digital assets requires proactive steps, user education, and strict security rules.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Hackers Exploit Windows SmartScreen Vulnerability Hydra, Lumma, & Meduza Stealers
Author: DhivyaA critical security bypass vulnerability, tracked as CVE-2024-21412, has been identified in Microsoft Windows SmartScreen.
This flaw arises from an error in handling maliciously crafted files, allowing remote attackers to bypass SmartScreen security warnings and deliver malicious payloads.
Over the past year, cybercriminals, including Water Hydra, Lumma Stealer, and Meduza Stealer, have exploited this vulnerability to conduct widespread attacks.
Affected Platforms and Impact
- Affected Platforms: Microsoft Windows
- Impacted Users: Microsoft Windows users
- Impact: The stolen information can be used for future attacks
- Severity Level: High
Exploitation Details
FortiGuard Labs has observed a stealer campaign leveraging CVE-2024-21412 to download malicious executable files. Attackers lure victims into clicking crafted links to URL files, which subsequently download LNK files. These LNK files then fetch executable files containing HTA scripts.
Once executed, these scripts decrypt PowerShell code to retrieve final URLs, decoy PDF files, and a malicious shell code injector. The injected stealer then initiates malicious activities and sends the stolen data to a Command and Control (C2) server.
Telemetry highlighting the United States, Spain, and ThailandAttack Chain DiagramAttack chain diagramInitial Access
The attack begins with a malicious link to a remote server, searching for a URL file with specific content.
Constructing malicious link to a remote server to search for a URL fileThe target LNK file employs the “forfiles” command to invoke PowerShell, then executes “mshta” to fetch an execution file from the remote server “hxxps://21centuryart.com.”
HTA Script Execution
Several LNK files were collected during the investigation, all downloading similar executables containing an HTA script embedded within the overlay.
This HTA script has set WINDOWSTATE=”minimize” and SHOWTASKBAR=”no,” playing a crucial role in the infection chain by executing additional malicious code.
Decoded and decrypted scriptAfter decoding and decrypting the script, PowerShell code downloads two files to the “%AppData%” folder: a decoy PDF and an execution file that injects shell code for the next stage.
Shell Code Injector
Two types of injectors were identified in this attack chain. The first variant leverages an image file to obtain shell code, with low detection rates on VirusTotal.
The injector downloads a JPG file from the Imghippo website, decodes the bytes to get the shell code, and calls the entry point of the shell code.
The shell code then obtains all the APIs from a CRC32 hash, creates a folder, and drops files in “%TEMP%,” identified as HijackLoader.
Dropping files in the temp folderThe second injector decrypts its code from the data section and uses a series of Windows API functions to perform shell code injection.
Assembly code for calling shell codeFinal Stealers
This attack employs Meduza Stealer version 2.9, with its panel found at “hxxp://5[.]42[.]107[.]78/auth/login.”Meduza Stealer Panel
Meduza Stealer’s panelAn ACR stealer loaded from HijackLoader was also identified. It hides its C2 on the Steam community website with a dead drop resolver (DDR) technique.
Base64 encoded C2 on SteamOther ACR Stealer’s C2 servers were found on Steam by searching for the string “t6t.” After retrieving the C2 hostname, the ACR stealer constructs a complete URL to fetch the encoded configuration from the remote server, which contains crucial information for the stealer.
Decoded ConfigurationWater Hydra, Lumma Stealer, and Meduza Stealer exploited CVE-2024-21412, which highlights the critical need for robust cybersecurity measures.
Users are advised to update their systems promptly and remain vigilant against suspicious links and files to mitigate the risk of such attacks. Businesses can teach their customers not to open files from unknown sources to lessen the impact of these kinds of attacks.
Protecting against advanced attack vectors requires a strong and proactive cybersecurity strategy since threat actors are always inventing new methods. Protecting a company’s digital assets requires proactive steps, user education, and strict security rules.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
