Experts at Cyble have reported that hackers have discovered a way to bypass Microsoft SmartScreen in order to distribute malware to user devices. The vulnerability in SmartScreen allows attackers to infiltrate systems through Windows Defender and infect devices (source).
In January 2024, the DarkGate group exploited the CVE-2024-21412 vulnerability, which has a rating of 8.1, to deliver malicious installers disguised as popular applications like iTunes, Notion, and NVIDIA. While Microsoft patched the vulnerability in February, another group, Water Hydra, continued to use it to distribute malware, including the DarkMe Trojan.
The initial infection begins with an email from what appears to be a trustworthy source, encouraging the recipient to click on a link that redirects them to a URL hosted on a remote WebDAV resource. Clicking on the URL launches an LNK file on the same WebDAV resource, starting the infection process.
By exploiting internet shortcut (.url) files, attackers are able to bypass the SmartScreen checks and launch a multi-stage attack using PowerShell and JavaScript scripts. This ultimately results in the installation of malicious software such as Lumma and Meduza Stealer on the devices.
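For triage of the shortcut stage described above, the following added example (not code from Cyble or Microsoft) parses `.url` internet shortcut files and reports those whose target is a remote file or UNC path, uses the `@SSL` / `@port` / `DavWWWRoot` WebDAV path forms, or hands off to another shortcut or script. The extension list, the sample files and their host names are assumptions constructed for illustration.

```python
import configparser
import re
from urllib.parse import unquote

# Assumed list: file types a shortcut should not hand off to on a remote share.
CHAINED_EXTENSIONS = (".lnk", ".url", ".cmd", ".bat", ".js", ".ps1")
REMOTE = re.compile(r"^//(?P<host>[^/]+)(?P<path>/.*)?$")


def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:  # no section header, malformed line, ...
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)
    return None


def classify(text):
    """List the reasons a .url file deserves triage (empty list: none found)."""
    target = shortcut_target(text)
    if not target:
        return []
    # Normalise so file://host/share and \\host\share look the same: //host/share
    norm = re.sub(r"(?i)^file:", "", unquote(target.strip()).replace("\\", "/"))
    match = REMOTE.match(norm)
    if not match:  # http(s) links and local file:///C:/... paths end up here
        return []
    host, path = match["host"].lower(), (match["path"] or "").lower()
    reasons = ["remote file/UNC target"]
    # \\host@SSL\... and \\host@8080\... are handled by the Windows WebDAV redirector.
    if re.search(r"@(ssl|\d+)$", host) or path.startswith("/davwwwroot/"):
        reasons.append("WebDAV path syntax")
    if path.endswith(CHAINED_EXTENSIONS):
        reasons.append("chains to another shortcut or script")
    return reasons


# Constructed samples; host names are placeholders.
SAMPLES = {
    "web.url": "[InternetShortcut]\nURL=https://www.example.test/\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/a/report.pdf\n",
    "dav.url": "[InternetShortcut]\nURL=file://files.example.test@SSL/DavWWWRoot/tax.lnk\n",
    "unc.url": "[internetshortcut]\nurl=\\\\files.example.test@8080\\share\\form.url\n",
}
```

Calling `classify()` on the text of each `.url` attachment or download gives an empty list for ordinary web links and local paths, and a list of reasons for shortcuts shaped like the ones in this campaign.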
PowerShell scripts decrypt and execute additional payloads, install malware, and display a fake document on the victim’s device. Attack methods include DLL sideloading and using the IDAT Loader to deliver Lumma and Meduza Stealer, which are then injected into explorer.exe.
This chain of infection targets individuals and organizations globally, using tactics such as fake Spanish tax documents, emails purportedly from the US Department of State, and Medicare forms.
The increasing exploitation of the CVE-2024-21412 vulnerability, coupled with these sophisticated approaches, underscores the importance of proactive security measures and continual adaptations to combat new threats. The emergence of the Ransomware-as-a-Service (RaaS) model further complicates the situation, making it crucial to take steps to protect against such threats. (source)