Experts at Cyble report that attackers have found a way to bypass Microsoft SmartScreen’s protection and deliver malware to user devices. The SmartScreen vulnerability lets malicious files slip past Windows Defender and compromise the device.
In January 2024, the DarkGate group exploited the CVE-2024-21412 vulnerability (CVSS score: 8.1) to deliver malicious installers mimicking popular applications such as iTunes, Notion, and NVIDIA. Although Microsoft patched the vulnerability in February, another group, Water Hydra, continued to exploit the flaw to spread malware, including the DarkMe trojan.
The initial infection begins with an email purportedly from a trusted source. The email is crafted to entice the recipient to click a link, which leads the user to open a URL hosted on a remote WebDAV share. Opening that URL executes an LNK file located on the same WebDAV share, starting the infection chain.
Launching the URL link bypasses the SmartScreen check and kicks off a multi-stage attack using PowerShell and JavaScript scripts. Ultimately, the Lumma and Meduza Stealer malware are installed on the device.
The PowerShell scripts decrypt and execute additional payloads, install the malware, and display a decoy document to the victim. The attack relies on DLL sideloading and on the IDAT Loader to deliver Lumma and Meduza Stealer; the final payload is then embedded in explorer.exe.
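The chain above starts with an Internet Shortcut (.url) whose target lives on a remote WebDAV share and points at an LNK file. The following added example (not code from Cyble or from the report) parses a .url file and flags that combination for triage; the host, share and file names in the sample are constructed assumptions, not indicators from the report.

```python
import configparser
import posixpath
from urllib.parse import urlparse

# Constructed sample Internet Shortcut file. Host, share and file name are
# assumptions made for this example, not indicators from the report.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/share/Invoice.pdf.lnk
IconIndex=0
"""

# Target extensions Windows executes rather than displays when opened.
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".ps1",
                         ".bat", ".cmd", ".hta", ".msi"}

# Markers of a WebDAV share reached through the Windows WebClient redirector.
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "@80", "@443")


def parse_shortcut_url(text):
    """Return the URL= value of an [InternetShortcut] file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "url", fallback=None)


def assess_shortcut(text):
    """Flag a .url file whose target is an executable on a remote share."""
    url = parse_shortcut_url(text)
    if url is None:
        return {"url": None, "suspicious": False,
                "reasons": ["not an Internet Shortcut"]}
    reasons = []
    if url.startswith("\\\\"):                     # UNC path target
        remote, path = True, url.replace("\\", "/")
    else:                                          # file://host/... target
        parsed = urlparse(url)
        remote = parsed.scheme == "file" and bool(parsed.netloc)
        path = parsed.path
    if remote:
        reasons.append("target is on a remote share (file://host or UNC)")
    if any(m in url.lower() for m in WEBDAV_MARKERS):
        reasons.append("target is on a WebDAV share")
    ext = posixpath.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target extension {ext} is executable")
    suspicious = remote and ext in EXECUTABLE_EXTENSIONS
    return {"url": url, "suspicious": suspicious, "reasons": reasons}
```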
The attack targets individuals and organizations worldwide. The campaign uses lures such as fake tax documents in Spanish, emails purporting to come from the U.S. Department of Transportation, and Medicare forms.
The increasing use of the CVE-2024-21412 vulnerability, combined with sophisticated approaches, underscores the necessity for proactive security measures and continuous adaptations to counter new threats. The availability of the Ransomware-as-a-Service (RaaS) model could exacerbate the situation, making it even more imperative to adopt measures to protect against such threats.