Microsoft Defender SmartScreen bug actively used in stealer campaign

A security bypass vulnerability in Microsoft Defender SmartScreen is being actively exploited in a new stealer campaign to download malicious executables onto victims’ systems.

Tracked as CVE-2024-21412, the vulnerability allows threat actors to bypass SmartScreen warnings using specially crafted internet shortcut files, leading to the execution of malware without user intervention.

“FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files,” FortiGuard Labs, Fortinet’s threat intelligence and research arm, said in a blog post. “Over the past year, several attackers, including Water Hydra, Lumma Stealer, and Meduza Stealer, have exploited this vulnerability.”

The vulnerability, which Microsoft disclosed in February 2024, carries a high severity rating with a CVSS score of 8.1/10.

Exploit using Windows shortcut files

The vulnerability, as explained in the Microsoft security advisory, can be exploited by a threat actor using a specially crafted file designed to bypass the security checks SmartScreen would normally display. In the stealer campaign, the actors were observed using LNK files, the Windows shortcut format that points to another file or directory. An LNK file can also carry command-line arguments that are passed to its target when it is opened.

“Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file,” Fortinet said in the blog. “The LNK file then downloads an executable file containing an HTML Application (HTA) script.”

Once the HTA script (a standalone Windows application written in HTML) is executed, it launches PowerShell code that eventually establishes command-and-control (C2) communication, downloads decoy PDF files for evasion, and retrieves a malicious shell injector.

“These files aim to inject the final stealer into legitimate processes, initiating malicious activities and sending the stolen data back to a C2 server,” Fortinet added.
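As an added illustration (not code from Fortinet’s report or from Microsoft), the following script triages the first link in the chain described above: a Windows .url internet shortcut whose target is a remote .lnk or other executable content. The sample shortcut contents are constructed and the hostnames are placeholders.

```python
"""Triage Windows .url internet-shortcut files.

A .url file is a small INI-style text file with an [InternetShortcut]
section and a URL= key. Benign shortcuts point at web pages; in the
chain described above the shortcut's target is an LNK file that is
downloaded and executed. This added example flags such targets.
"""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Target extensions that a legitimate internet shortcut should not point at.
SUSPICIOUS_EXT = (".lnk", ".hta", ".exe", ".js", ".vbs", ".ps1")

# Constructed samples (example.test is a placeholder hostname).
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.test/docs/report.html\n"
SAMPLE_SUSPECT = (
    "[InternetShortcut]\n"
    "URL=https://files.example.test/invoice.lnk\n"
    "IconIndex=0\n"
)


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # not a well-formed .url file
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "url", fallback=None)


def triage_url_file(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    target = parse_url_file(text)
    if target is None:
        return ["no InternetShortcut URL found"]
    path = urlparse(target.strip()).path.lower()
    findings = []
    if path.endswith(SUSPICIOUS_EXT):
        ext = path.rsplit(".", 1)[-1]
        findings.append(f"target is a {ext} file: {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, triage_url_file(sample) or "clean")
```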

The target applications for the observed stealer included web browsers, crypto wallets, messengers, email clients, VPN services, password managers, AnyDesk, and MySQL Workbench, among many others.

Avoiding unverified downloads

The chain requires user action: the victim must first click the malicious link that downloads the LNK file, which in turn exploits the vulnerability. Avoiding suspicious-looking or unverified downloads is therefore the first step in staying ahead of this campaign.

“To mitigate such threats, organizations must educate their users about the dangers of downloading and running files from unverified sources,” Fortinet added. “Additionally, the malware described (in the blog) is detected and blocked by FortiGuard Antivirus, which is supported by FortiGate, FortiMail, FortiClient, and FortiEDR.”

Applying the fix Microsoft has released is another way to protect against such attacks. The vulnerability was exploited as a zero-day and has been used by various threat actors, including the DarkGate malware campaign and some ransomware groups.
