Security Affairs
Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers exploit Microsoft Defender SmartScreen bug CVE-2024-21412 to deliver ACR, Lumma, and Meduza Stealers

The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs researchers observed a malware campaign exploiting the vulnerability CVE-2024-21412 (CVSS score: 8.1) to spread information stealer, such as ACR Stealer, Lumma, and Meduza. The CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass Vulnerability. The flaw […]

CVE-2024-21412 Microsoft malware

The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs researchers observed a malware campaign exploiting the vulnerability CVE-2024-21412 (CVSS score: 8.1) to spread information stealer, such as ACR Stealer, Lumma, and Meduza.

The CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass Vulnerability.

The flaw resides in Microsoft Windows SmartScreen and is caused by improper handling of maliciously crafted files. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

Microsoft addressed the flaw with the release of Patch Tuesday Security updates for February 2024. Fortinet reported that the stealer campaign targeted Spain, Thailand, and the U.S. with booby-trapped files.

“FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files. Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing an HTA script. Once executed, the script decodes and decrypts PowerShell code to retrieve the final URLs, decoy PDF files, and a malicious shell code injector. These files aim to inject the final stealer into legitimate processes, initiating malicious activities and sending the stolen data back to a C2 server.” reads the report published by Fortinet. “The threat actors have designed different injectors to evade detection and use various PDF files to target specific regions, including North America, Spain, and Thailand.”

CVE-2024-21412 Microsoft malware

During the investigation, the researchers detected multiple LNK files that were used to download similar executables containing an embedded HTA script. The HTA script executed additional malicious code and downloads two files, a decoy PDF designed to divert the victim’s attention and an execution file that injects shell code for the subsequent stages of the attack.

The researchers identified two types of injectors. The first variant downloads a shell code from an image file hosted on Imghippo, which has low detection rates on VirusTotal. The shell code is extracted from the image pixels using the Windows API “GdipBitmapGetPixel” and then executed. This code retrieves necessary APIs, creates a folder, and drops files in the “%TEMP%” directory, including a HijackLoader, indicated by specific byte patterns in the data.

The second injector simply decrypts its code from a data section and uses several Windows API functions such as NtCreateSection, NtMapViewOfSection, and NtProtectVirtualMemory to inject the shell code into the system. This approach facilitates the execution of malicious payloads by manipulating memory sections and their protections.

Fortinet observed the threat actors spreading Meduza Stealer version 2.9, an ACR stealer delivered via HijackLoader that employs a “dead drop resolver” technique to hide the C2 server on a Steam community profile.

“To mitigate such threats, organizations must educate their users about the dangers of downloading and running files from unverified sources. Continuous innovation by threat actors necessitates a robust and proactive cybersecurity strategy to protect against sophisticated attack vectors.” concludes the report. “Proactive measures, user awareness, and stringent security protocols are vital components in safeguarding an organization’s digital assets.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-21412)