Exploiting CVE-2024-21412: A Stealer Campaign Unleashed

July 24, 2024, 8:16 a.m.

Description

This report details a malicious campaign exploiting CVE-2024-21412, the Internet Shortcut Files security feature bypass in Microsoft Windows SmartScreen (patched by Microsoft in February 2024), to suppress the security warning that would otherwise appear before a downloaded file is opened. Attackers employ crafted Internet Shortcut links, LNK files, and HTA scripts to download decoy PDFs and shellcode injectors, which ultimately inject the Meduza and ACR stealers into legitimate processes. The campaign targets multiple regions and varies its delivery techniques to evade detection, posing a significant threat to affected systems.

Date

Published: July 24, 2024, 8:02 a.m.
Created: July 24, 2024, 8:02 a.m.
Modified: July 24, 2024, 8:16 a.m.

Indicators

SHA256 file hashes

e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949

de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f

bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d

bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078

8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497

08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671

643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2

0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19

IPv4 addresses

62.133.61.43

62.133.61.26

5.42.107.78

URLs

https://i.imghippo.com/files/0hVAM1719847927.png.xn--ivg

http://5.42.107.78/auth/login.

https://21centuryart.com
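The delivery chain described above and the indicators listed here, as an added example that is not part of the original report: a small Python hunting script that (1) parses Internet Shortcut (.url) files and flags the CVE-2024-21412 exploitation pattern, in which the shortcut's URL= target is itself a .url, .lnk or .hta file on a remote WebDAV/SMB share or web server so that the second stage is opened without a SmartScreen warning, and (2) matches the report's IP addresses, domains and SHA256 hashes against proxy log lines and observed file hashes. The .url contents, the log line layout and the log lines are constructed for this example; the shortcut-chaining mechanism is the publicly documented exploitation pattern for this CVE and is an assumption here, since the report text above does not spell it out.

```python
"""Hunt for the CVE-2024-21412 delivery pattern and the report's indicators.

Added example, not code from the original report.
  1. classify_shortcut(): parse an Internet Shortcut (.url, INI format) and
     flag the case where its URL= target is itself a shortcut or script
     (.url/.lnk/.hta) on a remote share or web server (assumed exploitation
     pattern for CVE-2024-21412; not stated in the report text).
  2. match_proxy_log() / match_hashes(): look for the report's network and
     file indicators in proxy log lines and in observed SHA256 digests.
Sample .url contents and log lines below are constructed, not campaign data.
"""
import configparser
from urllib.parse import urlparse

# Network indicators taken from the report's Indicators list.
REPORT_IPS = {"62.133.61.43", "62.133.61.26", "5.42.107.78"}
REPORT_DOMAINS = {"i.imghippo.com", "21centuryart.com"}
# SHA256 file hashes from the report's Indicators list.
REPORT_SHA256 = {
    "e15b200048fdddaedb24a84e99d6d7b950be020692c02b46902bf5af8fb50949",
    "de6960d51247844587a21cc0685276f966747e324eb444e6e975b0791556f34f",
    "bc6933a8fc324b907e6cf3ded3f76adc27a6ad2445b4f5db1723ac3ec86ed10d",
    "bd823f525c128149d70f633e524a06a0c5dc1ca14dd56ca7d2a8404e5a573078",
    "8568226767ac2748eccc7b9832fac33e8aa6bfdc03eafa6a34fb5d81e5992497",
    "08c75c6a9582d49ea3fe780509b6f0c9371cfcd0be130bc561fae658b055a671",
    "643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2",
    "0604e7f0b4f7790053991c33359ad427c9bf74c62bec3e2d16984956d0fb9c19",
}
# Second-stage file types used in the chain described by the report.
CHAIN_EXTS = (".url", ".lnk", ".hta")


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut, or None if not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:  # no section header, garbage, etc.
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_remote(target):
    """True when the target resolves off-host: UNC path, http(s), or file://host/."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True
    parsed = urlparse(t)
    if parsed.scheme.lower() in ("http", "https"):
        return True
    # file://host/share/... is a remote (SMB/WebDAV) share; file:///C:/... is not.
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def classify_shortcut(text):
    """Classify a .url file: not-a-url-file, local, remote-web, or chained-remote.

    chained-remote is the suspicious case: a shortcut whose remote target is
    another shortcut or an HTA, i.e. the CVE-2024-21412 delivery pattern.
    """
    target = parse_url_file(text)
    if target is None:
        return "not-a-url-file"
    if not is_remote(target):
        return "local"
    path = urlparse(target).path if "://" in target else target
    if path.strip().lower().endswith(CHAIN_EXTS):
        return "chained-remote"
    return "remote-web"


def match_proxy_log(lines):
    """Return (timestamp, client, dest_ip, url) for lines touching report IOCs.

    Assumed (constructed) log layout: "<ts> <client_ip> <dest_ip> <url>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, dest, url = parts
        host = (urlparse(url).hostname or "").lower()
        if dest in REPORT_IPS or host in REPORT_IPS or host in REPORT_DOMAINS:
            hits.append((ts, client, dest, url))
    return hits


def match_hashes(observed):
    """Return the observed SHA256 digests (any case) that appear in the report."""
    return sorted(h.strip().lower() for h in observed
                  if h.strip().lower() in REPORT_SHA256)


# Constructed sample inputs (not campaign artifacts).
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://192.0.2.10@80/dav/invoice.url\r\n"  # WebDAV share, second .url
    "IDList=\r\n"
)
SAMPLE_PROXY_LOG = [
    "2024-07-22T09:14:03Z 10.0.0.23 5.42.107.78 http://5.42.107.78/auth/login",
    "2024-07-22T09:14:10Z 10.0.0.23 203.0.113.9 https://example.com/index.html",
    "2024-07-22T09:15:41Z 10.0.0.41 203.0.113.77 https://21centuryart.com/update.hta",
]

if __name__ == "__main__":
    print("shortcut:", classify_shortcut(SAMPLE_URL_FILE))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("IOC hit:", *hit)
    print("hash hits:", match_hashes([
        "E15B200048FDDDAEDB24A84E99D6D7B950BE020692C02B46902BF5AF8FB50949"]))
```

In practice you would feed classify_shortcut() the contents of every .url file found in user download and mail-attachment directories and alert on "chained-remote" only; an ordinary .url pointing at a web page is classified "remote-web" and is not by itself suspicious.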

Attack Patterns

ACR Stealer

Meduza Stealer

T1556.001 - Modify Authentication Process: Domain Controller Authentication

T1134.002 - Access Token Manipulation: Create Process with Token

T1543.003 - Create or Modify System Process: Windows Service

T1574.002 - Hijack Execution Flow: DLL Side-Loading

T1027.002 - Obfuscated Files or Information: Software Packing

T1059.001 - Command and Scripting Interpreter: PowerShell

T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools

T1059.007 - Command and Scripting Interpreter: JavaScript

T1204.002 - User Execution: Malicious File

T1105 - Ingress Tool Transfer

T1219 - Remote Access Software

T1134 - Access Token Manipulation

T1140 - Deobfuscate/Decode Files or Information

T1027 - Obfuscated Files or Information

T1195 - Supply Chain Compromise

T1059 - Command and Scripting Interpreter

CVE-2024-21412 - Internet Shortcut Files Security Feature Bypass (Windows SmartScreen)