A Phemedrone information-stealing malware marketing campaign exploits a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows safety prompts when opening URL recordsdata.
Phemedrone is a brand new open-source info-stealer malware that harvests information saved in internet browsers, cryptocurrency wallets, and software program like Discord, Steam, and Telegram. This information is then despatched again to the attackers for use in different malicious actions or to be bought to different menace actors.
The Microsoft Defender flaw exploited within the Phemedrone marketing campaign is CVE-2023-36025, which was mounted throughout the November 2023 Patch Tuesday, the place it was marked as actively exploited in assaults.
“The consumer must click on on a specifically crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” explains the CVE-2023-36025 safety bulletin.
Not many particulars had been initially shared concerning the exploitation of CVE-2023-36025 within the wild, however proof-of-concept exploits printed shortly after elevated the danger for unpatched Windows methods.
Trend Micro’s researchers report that the Phemedrone marketing campaign just isn’t the one malware household they’ve seen concentrating on the actual flaw in Windows, with different circumstances involving ransomware.
Bypassing SmartScreen
The attackers host malicious URL recordsdata on reliable cloud providers like Discord and FireTransfer.io and infrequently disguise them utilizing shortener providers like shorturl.at.
Usually, when opening URL recordsdata downloaded from the web or despatched through e mail, Windows SmartScreen will show a warning that opening the file might hurt the pc.
Source: BleepingComputer
However, when the sufferer is tricked into opening one of many malicious URL recordsdata, they exploit the CVE-2023-36095 flaw in Windows SmartScreen in order that this immediate just isn’t proven and the command is executed routinely.
The URL file downloads a management panel merchandise (.cpl) file from the attacker’s management server and executes it, launching a malicious DLL payload through rundll32.exe.
Source: BleepingComputer
The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masquerading as a PDF file (Secure.pdf), a respectable Windows binary (WerFaultSecure.exe), and ‘wer.dll,’ utilized in DLL side-loading and to ascertain persistence.
Source: Trend Micro
Once launched on the compromised system, Phemedrone initializes its configuration, decrypts obligatory gadgets, and steals information from focused purposes, utilizing Telegram for information exfiltration.
Trend Micro experiences that Phemedrone targets the next apps/information:
- Chromium browsers: Harvests passwords, cookies, and autofill from browsers and safety apps like LastPass, KeePass, Microsoft Authenticator, and Google Authenticator.
- Gecko browsers: Extracts consumer information from Gecko-based browsers like Firefox.
- Crypto wallets: Extracts information from numerous crypto pockets apps, together with Atom, Armory, Electrum, and Exodus.
- Discord: Gains unauthorized entry by extracting authentication tokens.
- FileGrabber: Collects consumer recordsdata from folders like Documents and Desktop.
- FileZilla: Captures FTP particulars and credentials.
- System information: Gathers {hardware} specs, geolocation, OS particulars, and screenshots.
- Steam: Accesses recordsdata associated to the platform.
- Telegram: Extracts consumer information, specializing in authentication recordsdata within the “tdata” folder.
Source: Trend Micro
Trend Micro has printed the whole listing of indicators of compromise (IoCs) for the newly noticed Phemedrone marketing campaign right here.