A high-severity vulnerability in Microsoft Defender SmartScreen is being used to deliver information-stealing malware in Spain, Thailand, and the U.S., security researchers say. The researchers discovered the stealer campaign using booby-trapped files to exploit the vulnerability and deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs observed the latest stealer campaign spreading multiple files that can sidestep Microsoft Defender's SmartScreen to download malicious software to target computers. The security vulnerability is tracked as CVE-2024-21412.


Since Microsoft closed this security hole with an update released in February 2024, the news underscores the importance of installing security updates promptly. The disclosure comes on the heels of the CrowdStrike outage, which is also being leveraged to deliver malware: CrowdStrike revealed that threat actors are distributing a fake recovery manual that drops a previously undocumented stealer called Daolpu.

Security researcher Cara Lin said (via The Hacker News) that the attackers "lure victims into clicking a crafted link to a URL file designed to download an LNK file." Once downloaded and opened, the LNK file downloads an executable file containing an HTML Application (HTA) script.

Jeff Butts

Next, the HTA decodes and decrypts obfuscated PowerShell code that retrieves decoy PDF files along with a shellcode injector. This shellcode injector then deploys and launches the malicious software. The malware transmits information from web browsers, crypto wallets, messaging apps, FTP and email clients, VPN services, and password managers through a dead drop resolver on the Steam Community website, part of a popular gaming platform.
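As an added defender-side illustration (not code from Fortinet's analysis or this article), the script below correlates constructed Sysmon-style process and network events to flag the chain described above: an HTA (mshta.exe) spawning PowerShell, an encoded PowerShell command line, and a non-Steam, non-browser process contacting the Steam Community host used as a dead drop resolver. The sample events, the process allowlist, and the encoded-command regex are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (process creation + network); not real data.
EVENTS = [
    {"kind": "proc", "pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"kind": "proc", "pid": 300, "ppid": 100, "image": "viewer.exe",
     "cmd": r"C:\Users\alice\AppData\Local\Temp\viewer.exe"},        # target of the LNK
    {"kind": "proc", "pid": 400, "ppid": 300, "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Users\alice\AppData\Local\Temp\doc.hta"},  # the HTA stage
    {"kind": "proc", "pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"kind": "net",  "pid": 500, "dest": "steamcommunity.com"},      # dead drop lookup
    {"kind": "proc", "pid": 600, "ppid": 100, "image": "steam.exe",  "cmd": "steam.exe"},
    {"kind": "net",  "pid": 600, "dest": "steamcommunity.com"},      # legitimate client
]

DEAD_DROP_HOSTS = {"steamcommunity.com"}
# Assumed allowlist: processes expected to talk to Steam Community.
STEAM_OK = {"steam.exe", "steamwebhelper.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Heuristic for an encoded PowerShell command line (assumption, tune to your estate).
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)

def find_suspicious_chains(events):
    """Return one finding per process that trips two or more heuristics."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    hits = defaultdict(set)
    for e in events:
        if e["kind"] == "proc" and e["image"].lower() == "powershell.exe":
            parent = procs.get(e["ppid"])
            if parent and parent["image"].lower() == "mshta.exe":
                hits[e["pid"]].add("hta_spawns_powershell")
            if ENCODED_PS.search(e["cmd"]):
                hits[e["pid"]].add("encoded_powershell")
        elif e["kind"] == "net" and e["dest"].lower() in DEAD_DROP_HOSTS:
            p = procs.get(e["pid"])
            if p and p["image"].lower() not in STEAM_OK:
                hits[e["pid"]].add("dead_drop_contact")
    findings = []
    for pid, rules in hits.items():
        if len(rules) < 2:
            continue
        chain, cur = [], procs.get(pid)
        while cur:  # walk the parent chain back to the root for analyst context
            chain.append(cur["image"])
            cur = procs.get(cur["ppid"])
        findings.append({"pid": pid, "rules": sorted(rules), "chain": " <- ".join(chain)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_chains(EVENTS):
        print(finding)
```

Requiring two independent signals keeps the legitimate Steam client and ordinary browser traffic to the same host out of the alert.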

ACR Stealer targets a wide variety of popular applications. These include multiple versions of Google Chrome, Epic Privacy Browser, Vivaldi, Microsoft Edge, Opera, and Mozilla Firefox, to name a few. It also targets messenger apps including Telegram, Pidgin, Signal, Tox, Psi, Psi+, and WhatsApp, along with numerous FTP clients.

VPN services NordVPN and AzireVPN have also been targeted, as have password managers Bitwarden, NordPass, 1Password, and RoboForm. While the hijacked data from a password manager should be encrypted, there remains some risk of sensitive data being pulled from them. Fortinet has a complete list of known targeted software in its analysis of the stealer campaign.


Again, the Microsoft Defender SmartScreen vulnerability was patched in a February 2024 security update. However, if an organization doesn’t install such updates regularly, it remains vulnerable to the threat.

Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.