A recent vulnerability in Windows SmartScreen is actively exploited in attacks leading to Phemedrone Stealer infections, cybersecurity firm Trend Micro reports.
The security defect, tracked as CVE-2023-36025 (CVSS score of 8.8), came to light on November 14, 2023, when Microsoft released patches for it and the US cybersecurity agency CISA added it to its Known Exploited Vulnerabilities catalog, based on evidence of in-the-wild exploitation.
According to Microsoft’s advisory, the issue can be exploited by sending a crafted internet shortcut file (URL) to a user and convincing the recipient to click on it.
“The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,” the tech giant says.
Following the public disclosure, threat actors have been observed demonstrating the exploitation of this bug, various proof-of-concept (PoC) exploits have been released, and numerous threat actors have incorporated exploits for this vulnerability in their attack chains.
Now, Trend Micro reports that a malicious campaign is actively exploiting CVE-2023-36025 to deliver Phemedrone Stealer, a previously unknown malware strain that can harvest a trove of information from the infected systems.
Written in C#, Phemedrone Stealer is available as open source and is actively maintained on GitHub and Telegram.
In addition to stealing data from web browsers, cryptocurrency wallets, and various messaging applications (including Telegram, Steam, and Discord), the threat takes screenshots and gathers systems information, including hardware details and location data.
The harvested information is then exfiltrated via Telegram or to the attackers’ command-and-control (C&C) server.
As part of the observed attacks, the malicious URL files exploiting CVE-2023-36025 are hosted on Discord or other cloud services. Once executed, the files download and execute a control panel item (.cpl) file that calls rundll32.exe to execute a malicious DLL acting as a loader for the next stage, which is hosted on GitHub.
The next stage is an obfuscated loader that fetches a ZIP file from the same GitHub repository. The archive contains the necessary files to achieve persistence and load the next stage, which in turn loads the Phemedrone Stealer payload.
“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer,” Trend Micro notes.