Severity
High
Analysis Summary
A recent campaign distributing information stealers such as ACR Stealer, Lumma, and Meduza has taken advantage of a now-patched vulnerability in Microsoft Defender SmartScreen.
Researchers discovered the stealer campaign, which used booby-trapped files to exploit CVE-2024-21412 (CVSS score: 8.1) and targeted Spain, Thailand, and the United States. By abusing this high-severity vulnerability, an attacker can evade SmartScreen defenses and deliver malicious payloads. Microsoft resolved the issue in its February 2024 monthly security update.
Attackers first trick victims into clicking a forged URL file that downloads an LNK file. The LNK file then downloads an executable containing an HTML Application (HTA) script. The HTA file acts as a gateway for decoding and decrypting PowerShell code that retrieves a decoy PDF file and a shellcode injector. These actions result in either Meduza Stealer or Hijack Loader running; the latter then launches ACR Stealer or Lumma.
A threat actor advertised ACR Stealer on a Russian underground forum in late March 2024. ACR Stealer is believed to be an upgraded version of the GrMsk Stealer. Using a dead drop resolver (DDR) technique, it hides its C2 address on a Steam Community page. It can extract information from web browsers, cryptocurrency wallets, messaging apps, email clients, FTP clients, VPN services, and password managers.
Notably, the researchers report that similar tactics have also been seen in recent Lumma Stealer attacks, which let adversaries change C2 domains at will and make the infrastructure more resilient. This disclosure coincides with CrowdStrike's revelation that threat actors are using last week's disruption to spread a previously undocumented information stealer known as Daolpu. This is just one instance of the ongoing fallout from the faulty update that rendered millions of Windows devices unusable.
The attack uses a macro-laden Microsoft Word document posing as a Microsoft recovery guide, complete with genuine instructions from the Windows vendor for fixing the problem, as a lure to start the infection process. Upon opening, the DOCM file triggers the macro to fetch a second-stage DLL file from a remote location. This DLL file is then decoded to launch Daolpu, a stealthy malware capable of harvesting login credentials and cookies from Chromium-based browsers such as Microsoft Edge and Google Chrome, as well as from Mozilla Firefox.
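As an added illustration of how a defender might hunt for the two delivery chains described above (example code written for this page, not part of the advisory or any vendor's tooling), the script below runs a parent-child process heuristic over constructed Sysmon-style process-creation events. The `rundll32.exe` child for the Daolpu chain, the LOLBin list, and all paths and command lines are assumptions, since the advisory names only the file types involved.

```python
# Added example: flag process lineages consistent with the two chains in the
# advisory: (1) LNK -> HTA (mshta.exe) -> powershell.exe, the SmartScreen-bypass
# path; (2) DOCM macro -> WINWORD.EXE -> a LOLBin loading a second-stage DLL
# (assumed to be rundll32.exe; the advisory does not name the loader).

# Constructed sample telemetry (not real logs); fields loosely mirror Sysmon Event ID 1.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\invoice.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "recovery_guide.docm"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage2.dll,Run"},
    # Benign control: PowerShell launched directly from explorer, no mshta parent.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]

# (parent basename, set of suspicious child basenames, label). The LOLBin set for
# the Office chain is an assumption used to keep the rule broader than one loader.
CHAINS = [
    ("mshta.exe", {"powershell.exe", "pwsh.exe"}, "LNK/HTA -> PowerShell (SmartScreen bypass chain)"),
    ("winword.exe", {"rundll32.exe", "regsvr32.exe", "powershell.exe", "mshta.exe"},
     "DOCM macro -> second-stage loader (Daolpu chain)"),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def uses_encoded_command(cmdline):
    """True if a PowerShell command line carries an encoded payload (-e/-enc/-encodedcommand)."""
    return any(tok.lower() in ("-e", "-enc", "-encodedcommand") for tok in cmdline.split())

def detect_chains(events):
    """Return (child pid, label, encoded_flag) for each child whose parent matches a watched chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in this batch; cannot evaluate lineage
        for parent_name, children, label in CHAINS:
            if basename(parent["image"]) == parent_name and basename(e["image"]) in children:
                hits.append((e["pid"], label, uses_encoded_command(e["cmdline"])))
    return hits

if __name__ == "__main__":
    for pid, label, encoded in detect_chains(EVENTS):
        print(f"pid {pid}: {label}{' [encoded PowerShell]' if encoded else ''}")
```

Run against real Sysmon or EDR exports, the same lineage check is what a SIEM rule for this campaign would express; the encoded-command flag is a secondary signal, not a requirement for a hit.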
It also coincides with the emergence of new stealer families such as Braodo and DeerStealer, and with threat actors using malvertising to distribute Atomic Stealer alongside genuine applications such as Microsoft Teams. Downloading software via search engines is becoming riskier as cybercriminals step up their distribution strategies, and users now have to contend with both SEO poisoning and malvertising.
Impact
- Sensitive Data Theft
- Security Bypass
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.