ZeroSecurity - Information Security News

Exploitation of CVE-2023-36025 Unveils Phemedrone Stealer Malware

by Kyle
January 16, 2024 - Updated on January 18, 2024
in Malware
Phemedrone Stealer Unleashes Advanced Tactics: Second Stage Extraction, Exfiltration Mastery, and Persistent Exploitation Despite CVE Patch.

Cybersecurity experts have recently exposed a significant threat to digital security, revealing the active exploitation of CVE-2023-36025. This exploitation has allowed the emergence of a new and potent strain of malware named Phemedrone Stealer.

Phemedrone Stealer’s Targets and Data Collection

This malware is designed with a specific focus on web browsers, aiming to extract sensitive information from cryptocurrency wallets and popular messaging applications like Telegram, Steam, and Discord.

  • Explicit targeting of web browsers
  • Data collection from cryptocurrency wallets and messaging apps

Furthermore, Phemedrone is adept at gathering comprehensive system information, including hardware details and location. The stolen data is then discreetly transmitted to the attackers through the encrypted channels of Telegram or their command-and-control (C2) server.

Vulnerability Impacting Windows Defender SmartScreen

The root cause lies in a vulnerability in Microsoft Windows Defender SmartScreen: inadequate checks on Internet Shortcut (.url) files.

  • Impact on Windows Defender SmartScreen
  • Inadequate checks on Internet Shortcut (.url) files

Threat actors exploit this vulnerability by creating .url files capable of downloading and executing malicious scripts, effectively bypassing Windows Defender SmartScreen warnings.
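The article describes the attack vector only at a high level: a .url file whose target is not what the user expects. The following is an added example, not code from the original article or from any vendor, showing how a defender can triage Internet Shortcut files before they are opened. It parses the INI-style format (a `[InternetShortcut]` header followed by `key=value` lines, of which `URL=` is the one the shell opens) and flags targets worth a second look. The shortener list, the extension list and the risk labels are this example's own assumptions, not a complete policy, and the sample files are constructed.

```python
"""Triage Internet Shortcut (.url) files before a user opens them (added example)."""
import configparser
import io
from urllib.parse import urlparse

# Assumption: a small constructed list of shortener hosts; extend from your own intel.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Assumption: extensions that warrant review when a shortcut points straight at them.
RISKY_EXTENSIONS = (".exe", ".dll", ".cpl", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".zip", ".iso")


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section of a .url file as a dict.

    The format is INI-like: a [InternetShortcut] header followed by key=value
    lines; URL= is the target the shell opens.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written (URL, IconFile, ...)
    cp.read_file(io.StringIO(text.lstrip("\ufeff")))  # tolerate a UTF-8 BOM
    if "InternetShortcut" not in cp:
        raise ValueError("not an Internet Shortcut file")
    return dict(cp["InternetShortcut"])


def classify_target(url: str) -> list:
    """Return risk labels for a URL= target; an empty list means a plain web link."""
    target = url.strip()
    if not target:
        return ["missing-url"]
    if target.startswith("\\\\"):
        return ["unc-path"]  # \\server\share targets are resolved over the network
    findings = []
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append("non-web-scheme:" + (scheme or "none"))
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        findings.append("url-shortener")
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("risky-target-extension")
    return findings


def triage(text: str) -> dict:
    """Parse one .url file and return its target, findings and a verdict."""
    try:
        fields = parse_url_file(text)
    except (ValueError, configparser.Error) as exc:
        # Anything that does not parse as a shortcut is handed to a human.
        return {"url": None, "findings": ["unparseable:" + type(exc).__name__], "verdict": "review"}
    url = fields.get("URL", "")
    findings = classify_target(url)
    return {"url": url, "findings": findings, "verdict": "review" if findings else "ok"}


# Constructed sample shortcut files, not real artefacts.
SAMPLES = {
    "benign": "[InternetShortcut]\nURL=https://www.example.com/docs/page.html\n",
    "shortened": "[InternetShortcut]\nURL=https://bit.ly/3xyzabc\nIconIndex=0\n",
    "local_script": "[InternetShortcut]\nURL=file:///C:/Users/Public/update.js\n",
    "unc_share": "[InternetShortcut]\nURL=\\\\files.example.invalid\\share\\setup.exe\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, triage(content))
```

Run on a directory of downloaded shortcuts, anything with a non-empty findings list goes to review; a clean result only means the target is a plain http(s) link, not that it is safe, so pair this with the SmartScreen patch and Mark-of-the-Web handling rather than relying on it alone.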

Microsoft’s Response and CISA Inclusion

Microsoft patched this vulnerability on November 14, 2023. Because it was already being exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list on the same day.

  • Microsoft’s response on November 14, 2023
  • CISA’s inclusion in the Known Exploited Vulnerabilities (KEV) list

Evidence indicates that since its discovery, various malware campaigns, including those distributing the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.

Attack Vector and Evasion Techniques

The primary attack vector involves hosting malicious .url files on cloud services such as Discord or FileTransfer.io. Attackers employ URL shorteners to disguise these files effectively.

  • Hosting on cloud services like Discord
  • Use of URL shorteners for disguise

Once the malicious .url file exploiting CVE-2023-36025 is executed, Phemedrone employs advanced defense evasion techniques, including DLL sideloading and dynamic API resolving, to obfuscate its presence. Persistence is achieved through the creation of scheduled tasks and the utilization of an encrypted second-stage loader.

In its second stage, Phemedrone Stealer deploys Donut, an open-source shellcode loader, which lets the malware execute various file types directly in memory.

Dynamics of Targeting and Information Extraction

This malware targets a diverse array of applications and services. Extraction is not limited to one category: it reaches into browsers, cryptocurrency wallets, and platforms such as Discord, FileZilla, and Steam.

  • Utilization of open-source shellcode Donut
  • Execution of various file types in memory
  • Dynamic targeting of a broad range of applications and services

During this phase, Phemedrone Stealer extracts sensitive information, including the credentials it is built to harvest.

Data Exfiltration Mastery

The malware showcases sophistication in its data exfiltration process, employing an elaborate method to compress and transmit the harvested data. The chosen conduit for this operation is the Telegram API, ensuring both efficiency and stealth.

  • Compression of harvested data
  • Transmission through the Telegram API
  • Validation of Telegram API token for data integrity
  • Detailed system information report sent to attackers

This meticulous approach not only safeguards the integrity of the transmitted data but also provides the attackers with a comprehensive system information report, enriching their understanding of the compromised system.
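The two behaviours the article attributes to the stealer, persistence through a scheduled task and exfiltration over the Telegram API, are individually noisy but distinctive in combination. The following is an added example, not code from the original article or from Trend Micro, of a small correlation rule run over constructed endpoint telemetry. The event field names, the `api.telegram.org` destination, the allowlisted desktop client, the user-writable path markers and the ten-minute correlation window are this example's own assumptions, not a specific EDR or Sysmon schema.

```python
"""Correlate scheduled-task creation with Telegram API traffic (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the exfiltration destination described in the
# article, the legitimate client allowed to talk to it, the window inside which
# persistence and exfiltration count as one incident, and path markers that
# indicate a binary living in a user-writable location.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}
CORRELATION_WINDOW = timedelta(minutes=10)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample telemetry, one JSON object per line; the schema is invented.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-16T09:00:01", "host": "ws01", "event": "task_created", "pid": 4120, "process": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "task": "\\Microsoft\\Windows\\Updater"}
{"ts": "2024-01-16T09:00:07", "host": "ws01", "event": "net_connect", "pid": 4120, "process": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": "2024-01-16T09:05:00", "host": "ws02", "event": "net_connect", "pid": 880, "process": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": "2024-01-16T09:06:00", "host": "ws03", "event": "task_created", "pid": 1200, "process": "C:\\Windows\\System32\\svchost.exe", "task": "\\Microsoft\\Windows\\Maintenance"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, converting timestamps to datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def process_basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def from_user_writable_path(path):
    """True if the image path sits in a location a normal user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def make_alert(event, rule):
    return {"rule": rule, "host": event["host"], "pid": event["pid"],
            "process": event["process"], "ts": event["ts"].isoformat()}


def detect(text):
    """Return alerts for suspicious task creation and Telegram API use."""
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    alerts = []
    task_times = defaultdict(list)  # (host, pid) -> timestamps of task creation
    for e in events:
        if e["event"] == "task_created":
            task_times[(e["host"], e["pid"])].append(e["ts"])
            if from_user_writable_path(e["process"]):
                alerts.append(make_alert(e, "task-from-user-writable-path"))
    for e in events:
        if e["event"] != "net_connect" or e.get("dest_host", "").lower() not in TELEGRAM_API_HOSTS:
            continue
        if process_basename(e["process"]) in ALLOWED_TELEGRAM_PROCESSES:
            continue  # the real desktop client is expected to talk to the API
        alerts.append(make_alert(e, "telegram-api-from-unexpected-process"))
        # Escalate when the same process also created a scheduled task nearby in time.
        if any(abs(e["ts"] - t) <= CORRELATION_WINDOW for t in task_times.get((e["host"], e["pid"]), [])):
            alerts.append(make_alert(e, "persistence-then-telegram-exfil"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed sample only the `svc.exe` process on `ws01` trips all three rules; the genuine Telegram client and the `svchost.exe` task from System32 stay quiet. Because the stealer is described as sending over HTTPS, the destination host must come from DNS, TLS SNI or proxy logs rather than payload inspection, and the process-to-connection join is what distinguishes a stealer from a user's chat client.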

Persistent Exploitation Despite Patch

Despite Microsoft’s efforts in issuing a patch for CVE-2023-36025, the threat landscape remains grim. Trend Micro reports that threat actors persist in exploiting this vulnerability, underscoring the urgency for organizations to take swift action.

“Organizations must prioritize updating Microsoft Windows installations to thwart exposure to the Microsoft Windows Defender SmartScreen Bypass,” emphasizes the advisory.

“The existence of public proof-of-concept exploit code on the web elevates the risk for organizations lagging behind in adopting the latest patched version.”

Tags: Stealer
Kyle

Writer, and editor at ZeroSecurity. Interested in Information Security, the Blockchain, and an overall tech enthusiast. "Formal education will make you a living; self-education will make you a fortune." Contact me here: [email protected]

© 2026 ZeroSecurity, All Rights Reserved.
