Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
July 24, 2024, 8:16 a.m.
Description
This report details a malicious campaign exploiting CVE-2024-21412, a vulnerability in Microsoft Windows SmartScreen, to bypass security warnings and deliver malware. Attackers use crafted links, LNK files, and HTA scripts to download decoy PDFs and shellcode injectors, which ultimately inject stealers such as Meduza and ACR into legitimate processes. The campaign targets multiple regions and varies its techniques to evade detection, posing a significant threat to affected systems.
Tags
Date
- Created: July 24, 2024, 8:02 a.m.
- Published: July 24, 2024, 8:02 a.m.
- Modified: July 24, 2024, 8:16 a.m.
Indicators
- e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949
- de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f
- bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d
- bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078
- 8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497
- 08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671
- 643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2
- 0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19
- 62.133.61.43
- 62.133.61.26
- 5.42.107.78
- https://i.imghippo.com/files/0hVAM1719847927.png.xn--ivg
- http://5.42.107.78/auth/login.
- https://21centuryart.com
- proffyrobharborye.xyz
- ptdrf.xyz
- pqdrf.xyz
- pdddk.xyz
- pdddj.xyz
- pcvvf.xyz
- pcvcf.xyz
- pddbj.xyz
- pbpbj.xyz
- pbdbj.xyz
- answerrsdo.shop
- 21centuryart.com
- scratchedcards.com
Attack Patterns
- ACR Stealer
- Meduza Stealer
- T1556.001
- T1134.002
- T1543.003
- T1574.002
- T1027.002
- T1059.001
- T1027.005
- T1059.007
- T1204.002
- T1105
- T1219
- T1134
- T1140
- T1027
- T1195
- T1059