Implementing Latest Security Updates Crucial Against New CVE-2024-21412 Threat

The attack chain begins with an initial phishing email containing a malicious link. Upon clicking the link, a URL file is downloaded, which subsequently downloads an LNK file. This LNK file executes PowerShell commands to download an HTA script disguised as an overlay icon.

LNK File Execution and Payload Decoding

The HTA script decodes and executes a hidden PowerShell script that runs silently in the background. This script downloads a decoy PDF and a malicious shell code injector, which then injects the final stealer into legitimate processes. Two types of injectors have been identified in this campaign. The first injector uses an image file to obtain shell code, maintaining low detection rates on VirusTotal. The second injector downloads a JPG file from the Imghippo website and uses the Windows API “GdipBitmapGetPixel” to access pixels and decode bytes to retrieve the shell code. This second injector is more straightforward, decrypting its code from the data section and utilizing a series of Windows API functions to perform shell code injection.

Stealer Deployment and Regional Targeting

Once the code is injected, it downloads and installs information-stealing malware such as Meduza Stealer version 2.9 or ACR Stealer. The ACR Stealer targets various applications, including browsers, crypto wallets, messengers, FTP clients, email clients, VPN services, password managers, and other tools. It can adapt legitimate web services to maintain communications with its C2 server. The campaign appears to target specific regions, with decoy PDFs tailored to North America, Spain, and Thailand.

Implementing Microsoft’s latest security updates to address the CVE-2024-21412 vulnerability is crucial for protection. Users should be cautious of phishing links and downloading unknown files. Email security solutions can detect and block phishing attempts, while a comprehensive security suite can provide real-time malware protection.

Mr. Ngoc Bui, Cybersecurity Expert at Menlo Security, commented on the recent development stating, “The recent discovery of CVE-2024-21412 reveals the persistent and evolving nature of cyber threats targeting Microsoft’s SmartScreen. It demonstrates that attackers are constantly refining their tactics to bypass traditional security measures and deliver malicious payloads to high-value targets. This highlights the need for proactive threat intelligence and layered defenses to protect against these sophisticated attacks.”

RELATED TOPICS

• Windows Defender Flaw Exploited by Phemedrone Stealer
• Critical New Outlook RCE Vulnerability Exploits Preview Pane
• 7-Year-Old 0-Day in MS Office Exploited to Drop Cobalt Strike
• Black Basta Ransomware Exploited Windows 0-day Before Patch
• Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Backdoor
• MS Outlook Vulnerability Exploited by Russian Forest Blizzard Group
• Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos
• Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Update: 24 Jul 2024