Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Phemedrone info stealer campaign exploits Windows smartScreen bypass

Threat actors exploit a recent Windows SmartScreen bypass flaw CVE-2023-36025 to deliver the Phemedrone info stealer. Trend Micro researchers uncovered a malware campaign exploiting the vulnerability CVE-2023-36025 (CVSS score 8.8) to deploy a previously unknown strain of the malware dubbed Phemedrone Stealer. The vulnerability was addressed by Microsoft with the release of Patch Tuesday security updates for […]

Phemedrone info stealer

Threat actors exploit a recent Windows SmartScreen bypass flaw CVE-2023-36025 to deliver the Phemedrone info stealer.

Trend Micro researchers uncovered a malware campaign exploiting the vulnerability CVE-2023-36025 (CVSS score 8.8) to deploy a previously unknown strain of the malware dubbed Phemedrone Stealer.

The vulnerability was addressed by Microsoft with the release of Patch Tuesday security updates for November 2023. The vulnerability is a Windows SmartScreen Security Feature Bypass issue.

An attacker can exploit this flaw to bypass Windows Defender SmartScreen checks and other prompts. This flaw can be exploited in phishing campaigns to evade user prompts that warn recipients about opening a malicious document.

After public disclosure of the vulnerability, multiple demos and proof-of-concept codes have been published on social media. Experts noticed that a growing number of malware campaigns have included the exploit for this flaw into their attack chains. 

Phemedrone Stealer allows operators to steal sensitive data from web browsers and cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. The malware supports multuple capabilities, including taking screenshots and gathering system information regarding hardware, location, and operating system details.

The stolen data is exfiltrated via Telegram or their C2 server. The malware is written in C#, its authors actively maintain the malicious code on GitHub and Telegram. 

“Once the malicious .url file exploiting CVE-2023-36025 is executed, it connects to an attacker-controlled server to download and execute a control panel item (.cpl) file. Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source.” reads the report published by Trend Micro. “However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism.”

Phemedrone info stealer

The malicious URL files exploiting CVE-2023-36025 reference Discord or other cloud services. Upon executing the files, a control panel item (.cpl) file is downloaded and executed. Then it calls rundll32.exe to execute a malicious DLL acting as a loader for the next stage, a malicious script hosted on GitHub.

The next stage is an obfuscated loader that fetches a ZIP archive from the same GitHub repository to a hidden directory created using the Windows attribute utility binary (attrib.exe).   

The archive contains the files to load the next stage and maintain persistence. The next stage loads the Phemedrone Stealer payload.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer.” concludes the report.  “Malware strains such as Phemedrone Stealer highlight the evolving nature of sophisticated malware threats and malicious actors’ ability to quickly enhance their infection chains by adding new exploits for critical vulnerabilities in everyday software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phemedrone)