Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Information Stealer Exploits Windows SmartScreen Bypass

Attackers exploit a recent Windows SmartScreen bypass vulnerability to deploy the Phemedrone information stealer.

A recent vulnerability in Windows SmartScreen is actively exploited in attacks leading to Phemedrone Stealer infections, cybersecurity firm Trend Micro reports.

The security defect, tracked as CVE-2023-36025 (CVSS score of 8.8), came to light on November 14, 2023, when Microsoft released patches for it and the US cybersecurity agency CISA added it to its Known Exploited Vulnerabilities catalog, based on evidence of in-the-wild exploitation.

According to Microsoft’s advisory, the issue can be exploited by sending a crafted internet shortcut file (URL) to a user and convincing the recipient to click on it.

“The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,” the tech giant says.

Following the public disclosure, threat actors have been observed demonstrating the exploitation of this bug, various proof-of-concept (PoC) exploits have been released, and numerous threat actors have incorporated exploits for this vulnerability in their attack chains.

Now, Trend Micro reports that a malicious campaign is actively exploiting CVE-2023-36025 to deliver Phemedrone Stealer, a previously unknown malware strain that can harvest a trove of information from the infected systems.

Written in C#, Phemedrone Stealer is available as open source and is actively maintained on GitHub and Telegram.

In addition to stealing data from web browsers, cryptocurrency wallets, and various messaging applications (including Telegram, Steam, and Discord), the threat takes screenshots and gathers systems information, including hardware details and location data.

Advertisement. Scroll to continue reading.

The harvested information is then exfiltrated via Telegram or to the attackers’ command-and-control (C&C) server.

As part of the observed attacks, the malicious URL files exploiting CVE-2023-36025 are hosted on Discord or other cloud services. Once executed, the files download and execute a control panel item (.cpl) file that calls rundll32.exe to execute a malicious DLL acting as a loader for the next stage, which is hosted on GitHub.

The next stage is an obfuscated loader that fetches a ZIP file from the same GitHub repository. The archive contains the necessary files to achieve persistence and load the next stage, which in turn loads the Phemedrone Stealer payload.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer,” Trend Micro notes.

Related: Several Infostealers Using Persistent Cookies to Hijack Google Accounts

Related: Threat Actors Adopt, Modify Open Source ‘SapphireStealer’ Information Stealer

Related: New Information Stealer ‘Mystic Stealer’ Rising to Fame

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.