Patched Microsoft Defender flaw still being used to deliver information-stealing malware to vulnerable machines
It was patched in February, but out-of-date servers are at risk.
A high-severity vulnerability in Microsoft Defender SmartScreen is being used to deliver information-stealing malware in Spain, Thailand, and the U.S., security researchers say. The researchers discovered the stealer campaign using booby-trapped files to exploit the vulnerability and deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs observed the latest stealer campaign spreading multiple files that can sidestep Microsoft Defender’s SmartScreen to download malicious software to target computers. The security vulnerability was addressed in CVE-2024-21412.
Since Microsoft closed this security hole with an update released in February 2024, the news underscores the importance of installing security updates promptly. The disclosure comes on the heels of the CrowdStrike outage, which is also being leveraged to deliver malware: CrowdStrike revealed that threat actors are delivering a fake recovery manual that delivers a previously undocumented stealer called Daolpu.
Security researcher Cara Lin said (via The Hacker News) that the attackers “lure victims into clicking a crafted link to a URL file designed to download an LNK file.” Once downloaded and opened, the LNK file downloads an executable file containing an HTML Application (HTA) script.
Next, the HTA decodes and decrypts obfuscated PowerShell code that retrieves decoy PDF files along with a shell code injector. This shell code injector then deploys and launches the malicious software. The malware transmits information from web browsers, crypto wallets, messaging apps, FTP and email clients, VPN services, and password managers through a dead drop resolver on the Steam community website, a popular gaming service.
ACR Stealer targets a wide variety of popular applications. These include multiple versions of Google Chrome, Epic Privacy Browser, Vivaldi, Microsoft Edge, Opera, and Mozilla Firefox, to name a few. It also targets messenger apps including Telegram, Pidgin, Signal, Tox, Psi, Psi+, and WhatsApp, along with numerous FTP clients.
VPN services NordVPN and AzireVPN have also been targeted, as have password managers Bitwarden, NordPass, 1Password, and RoboForm. While the hijacked data from a password manager should be encrypted, there remains some risk of sensitive data being pulled from them. Fortinet has a complete list of known targeted software in its analysis of the stealer campaign.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Again, the Microsoft Defender SmartScreen vulnerability was patched in a February 2024 security update. However, if an organization doesn’t install such updates regularly, it remains vulnerable to the threat.
Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.
-
Alvar "Miles" Udell Since Microsoft closed this security hole with an update released in February 2024, the news underscores the importance of installing security updates promptly.
And the July security update for Windows 11 is triggering the Bitlocker key requirement to boot with the only current solution being to enter the key, which is inconvenient at best and impossible at worst if you didn't back it up to your Microsoft account and either didn't write it down or lost it, so I'll keep my advice to delay updates 30 days.
https://www.pcworld.com/article/2407581/july-windows-update-sending-pcs-into-bitlocker-recovery.html -
Alvar "Miles" Udell rgd1101 said:yeah but this fix was 5 months old. maybe a month delay. but 5?
Lazy/incompetent IT departments.