Cyble Research Uncovers Active Campaign Exploiting Microsoft SmartScreen Vulnerability

Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have uncovered a sophisticated campaign exploiting a Microsoft SmartScreen vulnerability to inject infostealers into users’ machines. Despite Microsoft releasing a patch for the vulnerability (CVE-2024-21412) in February and CISA adding it to its known exploited vulnerabilities catalog, the patch has seen limited deployment, leading to the campaign targeting users in multiple regions, including Spain, the U.S., and Australia.

The campaign, which begins with phishing lures related to healthcare insurance schemes, transportation notices, and tax-related communications, aims to trick users into downloading malicious payloads. The spam emails contain a link that redirects users to a WebDAV share using a search protocol to deceive them into executing a malicious internet shortcut file. The multi-stage attack that follows utilizes legitimate tools such as forfiles.exe, PowerShell, mshta, and other trusted files to circumvent security measures, ultimately injecting the final payload into explorer.exe.

The campaign delivers Lumma and Meduza Stealer as its final payloads, highlighting the sophistication of the attack chain. The researchers at Cyble also noted a surge in the exploitation of the vulnerability (CVE-2024-21412) and emphasized the evolving and dangerous threat landscape in cybersecurity. They recommended various cybersecurity controls, including advanced email filtering solutions, monitoring and restricting the forfiles utility, application whitelisting, and network segmentation to combat these sophisticated threats.

The researchers also provided MITRE ATT&CK Techniques, Indicators of Compromise (IoCs), and a YARA detection rule on the Cyble blog for further reference. This discovery underscores the importance of staying vigilant against cyber threats and implementing robust cybersecurity measures to protect against malicious attacks.