New Phemedrone Malware Exploits Windows Defender SmartScreen Flaw to Steal Sensitive Data


Key Takeaways:

  • Cybersecurity researchers have identified a Windows Defender SmartScreen bypass vulnerability (CVE-2023-36025) exploited by hackers to deploy the Phemedrone Stealer malware.
  • Exploiting the vulnerability lets cybercriminals deploy the stealer, which harvests sensitive data from web browsers, cryptocurrency wallets, and messaging apps.
  • Hackers persistently exploit the vulnerability to target Windows devices that have not been patched yet.

Cybersecurity researchers have disclosed a serious threat to Windows users, as hackers exploit a Windows Defender SmartScreen bypass vulnerability to deploy the Phemedrone Stealer malware. It could enable hackers to harvest sensitive information (such as cookies, passwords, and authentication tokens) from Windows machines.

The security flaw, which is tracked as CVE-2023-36025, has a CVSS score of 8.8/10. Exploiting it lets the Phemedrone Stealer malware steal sensitive information such as authentication codes, passwords, and other data from web browsers, cryptocurrency wallets, and messaging apps such as Discord, Telegram, and Steam. The malware also collects operating system details, location data, and hardware information from the infected Windows PC. The stolen data is then exfiltrated through Telegram or sent to a remote command-and-control server.

Cybercriminals may deceive users into downloading and opening a specially crafted Internet Shortcut (.url) file hosted on cloud services like Discord. This file exploits CVE-2023-36025 to bypass the built-in Windows Defender SmartScreen protections. Users don’t receive any warning that the downloaded file comes from an untrusted source, and their Windows devices become infected with the Phemedrone malware.

“Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism,” Microsoft explained.

Figure: Phemedrone Stealer’s infection chain

Continued exploitation of Windows Defender SmartScreen flaw despite patches

The attacker uses the malicious .url file to download a Control Panel item (.cpl) file, which then calls rundll32.exe to execute a malicious DLL. This DLL acts as a loader for the next stage of the attack, which is fetched from GitHub. In the second stage, a PowerShell loader (DATA3.txt) downloads a ZIP file from the same GitHub repository. This archive contains all the files required to maintain persistence and deploy the Phemedrone Stealer payload.
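As an added defender-side example (not code from the article or from the researchers it cites), the script below parses the bodies of Windows Internet Shortcut (.url) files and flags those whose target is a .cpl item, the delivery pattern described above; the sample bodies, hosts and paths are constructed placeholders.

```python
# Added example: triage .url file bodies for the ".url pointing at a .cpl"
# delivery pattern. Sample inputs below are constructed, not real IoCs.
from urllib.parse import urlparse, unquote

def parse_url_file(text: str) -> dict:
    """Minimal INI-style parser for a .url file. Returns the keys under
    [InternetShortcut], lower-cased; a later duplicate key wins."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def classify_shortcut(text: str) -> dict:
    """Rate one .url body: 'high' if the target is a .cpl on a remote host
    (http/https, UNC path, or file:// to a share), 'medium' for any other
    .cpl target, 'none' for an ordinary web link."""
    target = unquote(parse_url_file(text).get("url", ""))
    parsed = urlparse(target)
    # A drive letter such as "C:" parses as a one-letter scheme; the path
    # still carries the extension, so the .cpl check works either way.
    path = parsed.path if parsed.scheme else target
    is_cpl = path.strip().lower().endswith(".cpl")
    remote = (parsed.scheme in ("http", "https") or target.startswith("\\\\")
              or (parsed.scheme == "file" and parsed.netloc not in ("", "localhost")))
    severity = "high" if is_cpl and remote else "medium" if is_cpl else "none"
    return {"target": target, "cpl": is_cpl, "remote": remote, "severity": severity}

# Constructed sample bodies (example.invalid and TEST-NET addresses are placeholders).
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://docs.example.invalid/guide\r\n",
    "remote_cpl": "[InternetShortcut]\r\nURL=https://cdn.example.invalid/att/1/Update.cpl\r\n",
    "unc_cpl": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\Invoice.cpl\r\n",
    "local_cpl": "[InternetShortcut]\r\nURL=C:\\Users\\Public\\setup.cpl\r\n",
}

def triage(samples: dict) -> list:
    """Return the names of the samples that merit analyst attention."""
    return [n for n, body in samples.items() if classify_shortcut(body)["severity"] != "none"]

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_shortcut(body))
```

Run against a directory of quarantined downloads, the same function can be fed each file's contents; the parser is deliberately forgiving about case and blank lines because shortcut files written by hand rarely match the canonical layout.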

Microsoft released a security update that addresses the vulnerability in mid-November 2023. However, hackers are still actively exploiting CVE-2023-36025 to deploy malware on Windows devices that have not yet been patched. We invite you to visit this page for a complete list of indicators of compromise (IoCs) related to the Phemedrone Stealer campaign.