TechRadar
Sead Fadilpašić

Microsoft SmartScreen vulnerability can be abused to deploy malware, and it's happening in the wild


Hackers are actively exploiting a known vulnerability in Microsoft SmartScreen to deploy malware.

A report from cybersecurity researchers Cyble has urged users to apply the patch immediately, since Microsoft addressed this problem months ago.

Microsoft SmartScreen is a security feature the company has integrated into a range of products, including Windows, Microsoft Edge, and Outlook. By analyzing websites and downloaded files, it provides protection against phishing and malware attacks.

Lumma and Meduza Stealer

However, in mid-January 2024, the Zero Day Initiative (ZDI) observed threat actors abusing a flaw in the feature to deliver the DarkGate commodity loader. The vulnerability is now tracked as CVE-2024-21412 and is described as an "Internet Shortcut Files Security Feature Bypass Vulnerability". In other words, threat actors can bypass SmartScreen's warnings by having victims open specially crafted internet shortcut (.url) files.

Microsoft issued a patch for the vulnerability on February 13, 2024, but it seems that many users have not applied it and remain vulnerable. They are now being targeted by crooks looking to deploy multiple infostealers.

This new campaign starts with phishing emails that appear to come from trusted sources. They carry internet shortcut (.url) files hosted on a remote WebDAV share which, if clicked, execute another .LNK file hosted on the same share, triggering the infection chain. The chain ends with the victims being infected with Lumma and Meduza Stealer.
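The chain above (an internet shortcut whose target is a .LNK on a remote WebDAV share) is something a defender can hunt for in mail attachments or on disk, independent of whether the CVE-2024-21412 patch is in place. The following is an added triage script, not code from Cyble, ZDI or Microsoft. It assumes only the documented .url file layout (an INI-style text file with an [InternetShortcut] section and a URL= key) and the Windows WebDAV host syntax (host@80 or host@SSL); the sample shortcuts and the 203.0.113.10 address are constructed for illustration. It flags the pattern, it does not detect or fix the vulnerability itself; applying the February 2024 update is still the fix.

```python
"""Heuristic triage of Windows Internet Shortcut (.url) files for the
"remote share -> .LNK" staging pattern used in the campaign described above.

Added example (not the researchers' or Microsoft's code). Assumptions that are
not from the article: .url files are INI-style text with an [InternetShortcut]
section and a URL= key; WebDAV-hosted targets appear either as file:// URLs
with a remote host or as UNC paths, optionally using the host@80 / host@SSL
syntax of the Windows WebDAV redirector. All sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Extensions that should never be the target of a benign web shortcut.
RISKY_EXT = (".lnk", ".url", ".exe", ".js", ".vbs", ".hta", ".msi", ".cmd", ".bat")
WEBDAV_HOST = re.compile(r"@(80|443|ssl)[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote_share(target: str) -> bool:
    """True when the target lives on a remote SMB/WebDAV share rather than local disk or the web."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC path
    parsed = urlparse(t)
    return parsed.scheme == "file" and parsed.netloc not in ("", "localhost", "127.0.0.1")


def target_path(target: str) -> str:
    """Normalise UNC paths and file:// URLs to a forward-slash path for extension checks."""
    t = target.strip()
    if t.startswith("\\\\"):
        return t.replace("\\", "/")
    return urlparse(t).path if "://" in t else t


def triage_shortcut(name: str, text: str) -> Optional[Finding]:
    """Return a Finding when the shortcut matches the staged-payload pattern, else None."""
    fields = parse_url_shortcut(text)
    target = fields.get("url", "")
    if not target:
        return None
    finding = Finding(name, target)
    if is_remote_share(target):
        finding.reasons.append("target on remote share")
    if WEBDAV_HOST.search(target):
        finding.reasons.append("WebDAV host syntax")
    path = target_path(target).lower()
    if path.endswith(RISKY_EXT):
        finding.reasons.append("executable target (" + path.rsplit(".", 1)[-1] + ")")
    return finding if finding.reasons else None


def triage_all(samples: Dict[str, str]) -> Dict[str, Finding]:
    """Triage a mapping of filename -> file contents; keep only suspicious entries."""
    results = {}
    for name, text in samples.items():
        finding = triage_shortcut(name, text)
        if finding:
            results[name] = finding
    return results


# Constructed sample shortcuts (203.0.113.10 is a documentation address, not a real C2).
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "staged.url": "[InternetShortcut]\r\nURL=file://203.0.113.10@80/share/Invoice.lnk\r\n",
    "unc.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10@80\\DavWWWRoot\\docs\\report.lnk\r\n",
}

if __name__ == "__main__":
    for name, finding in triage_all(SAMPLES).items():
        print(f"{name}: {finding.target} -> {', '.join(finding.reasons)}")
```

Point the script at attachments extracted from a mail gateway or at `*.url` files under user profiles; any shortcut whose URL= resolves to a remote share, especially one ending in .lnk, deserves a look regardless of what SmartScreen did or did not display.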

These are popular infostealers that can grab people’s passwords, cookies, credit card information, cryptowallet data, VPN credentials, FTP credentials, browser autofill data, sensitive documents, screenshots, system information, and more. 

The researchers don’t know exactly how many people fell prey to this campaign. They do know that the threat actors are targeting a wide array of individuals and organizations in different regions and sectors. Based on the fake documents being spread in the phishing emails, the attackers are going after people in Spain, the United States, and Australia.
