Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
July 24, 2024, 8:16 a.m.
Description
This report details a malicious campaign exploiting CVE-2024-21412, a vulnerability in Microsoft Windows SmartScreen, to bypass security warnings and deliver malware. Attackers employ crafted links, LNK files, and HTA scripts to download decoy PDFs and shellcode injectors, ultimately injecting stealers such as Meduza and ACR into legitimate processes. The campaign targets various regions and uses different techniques to evade detection, posing a significant threat to affected systems.
Date
Published: July 24, 2024, 8:02 a.m.
Created: July 24, 2024, 8:02 a.m.
Modified: July 24, 2024, 8:16 a.m.
Indicators
e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949
de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f
bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d
bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078
8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497
08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671
643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2
0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19
62.133.61.43
62.133.61.26
5.42.107.78
https://i.imghippo.com/files/0hVAM1719847927.png.xn--ivg
http://5.42.107.78/auth/login.
https://21centuryart.com
proffyrobharborye.xyz
ptdrf.xyz
pqdrf.xyz
pdddk.xyz
pdddj.xyz
pcvvf.xyz
pcvcf.xyz
pddbj.xyz
pbpbj.xyz
pbdbj.xyz
answerrsdo.shop
21centuryart.com
scratchedcards.com
Attack Patterns
ACR Stealer
Meduza Stealer
T1556.001
T1134.002
T1543.003
T1574.002
T1027.002
T1059.001
T1027.005
T1059.007
T1204.002
T1105
T1219
T1134
T1140
T1027
T1195
T1059
CVE-2024-21412