Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information - passwords, cookies, authentication tokens, you name it - to grab and leak.
The malware abuses CVE-2023-36025, a SmartScreen security-feature bypass that Microsoft patched in its November 2023 Patch Tuesday release.
Specifically, the flaw allows Phemedrone and other malicious software to sidestep protections in Windows that are supposed to help users avoid running hostile code.
Now that everyone knows how to attack systems using this vulnerability, update your Windows machines to close off this avenue if you haven't already.
In research published today, Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun detail the Phemedrone info-stealer, including how it works, how it uses CVE-2023-36025 to infect a PC, and how to detect its presence on a network.
We're told the malware targets a ton of browsers and applications on victims' PCs, lifting sensitive info from files of interest and sending the data to fraudsters to exploit.
Phemedrone looks for things like passwords, cookies, and autofill information to exfiltrate; once this data is in the hands of the malware's operators, it can be used to log into the victims' online accounts and cause all sorts of damage and strife.
The code also steals files and other user data from several cryptocurrency wallets and messaging apps including Discord and Telegram, and login details for the Steam gaming platform.
Miscreants infect victims' machines with Phemedrone by tricking marks into downloading and opening a malicious .url file.
That file exploits CVE-2023-36025 to evade Windows SmartScreen as it downloads and opens a .cpl file, which is a Windows control panel item.
The user doesn't get a chance to be warned by SmartScreen that the .url file is from an untrusted source and that what they are doing is dangerous and should be blocked.
CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Attackers exploit it by crafting .url files that download and execute malicious scripts, bypassing the Windows Defender SmartScreen warning and checks.
Windows Defender SmartScreen should warn users with a security prompt before executing the .url file.
The attackers craft a Windows shortcut file to evade the SmartScreen protection prompt by employing a .cpl file as part of the malicious payload delivery mechanism.
The .cpl file fetched via the .url is really a .dll, and it begins executing when the control panel item is opened by the Windows Control Panel.
A later stage of the chain runs through an .exe that is a legitimate Windows Fault Reporting binary.
Throughout the process, the malware uses several obfuscation techniques to mask its contents and evade detection.
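To make that delivery shape concrete, here is an added Python hunting heuristic (not code from The Register, Trend Micro or Microsoft) that parses Internet Shortcut files and flags any .url whose URL= target is a .cpl on a remote host, with remote-share and local-.cpl shortcuts bucketed for review. It assumes the dropper's URL= line points directly at the .cpl; the sample .url contents and the 203.0.113.5 address are constructed.

```python
"""Hunting heuristic for Internet Shortcut (.url) files shaped like the
Phemedrone dropper: a .url whose URL= target is a .cpl (a control-panel
item, really a DLL) hosted on a remote machine.

Added example, not code from The Register or Trend Micro. Assumes the
dropper's URL= line points directly at the .cpl; the sample .url contents
below are constructed and 203.0.113.5 is a documentation-range address.
"""
import configparser
from pathlib import Path
from urllib.parse import urlparse


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a lower-cased dict ({} if absent)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text.lstrip("\ufeff"))          # tolerate a UTF-8 BOM
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def is_remote(target: str) -> bool:
    """True when the target is fetched over the network (UNC, http(s), ftp
    or file://host/...), i.e. the case SmartScreen is meant to gate."""
    if target.startswith("\\\\"):                   # UNC: \\host\share\item
        return True
    parts = urlparse(target)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file":
        return bool(parts.netloc)                   # file:///C:/x is local
    return False


def target_path(target: str) -> str:
    """Path component of a URL or UNC target, used for the extension check."""
    if target.startswith("\\\\"):
        return target.replace("\\", "/")
    return urlparse(target).path


def analyze_url_file(text: str) -> dict:
    """Classify one .url file's contents: suspicious / review / benign / unparsable."""
    try:
        fields = parse_url_file(text)
    except configparser.Error as exc:
        return {"verdict": "unparsable", "reason": str(exc), "target": None}
    target = fields.get("url", "")
    if not target:
        return {"verdict": "benign", "reason": "no URL= field", "target": None}
    is_cpl = target_path(target).lower().endswith(".cpl")
    remote = is_remote(target)
    uses_share = target.startswith("\\\\") or urlparse(target).scheme.lower() == "file"
    if is_cpl and remote:
        verdict, reason = "suspicious", "remote .cpl target (CVE-2023-36025 delivery shape)"
    elif is_cpl:
        verdict, reason = "review", "shortcut opens a local .cpl"
    elif remote and uses_share:
        verdict, reason = "review", "shortcut fetches a file from a remote share"
    else:
        verdict, reason = "benign", "ordinary web or local shortcut"
    return {"verdict": verdict, "reason": reason, "target": target}


def scan_directory(root: str) -> list:
    """Walk a tree (for example a user's Downloads) and list non-benign .url files."""
    hits = []
    for path in Path(root).rglob("*.url"):
        result = analyze_url_file(path.read_text(errors="replace"))
        if result["verdict"] != "benign":
            hits.append((str(path), result))
    return hits


# Constructed sample .url contents (not real campaign artifacts).
SAMPLES = {
    "dropper": "[InternetShortcut]\nURL=file://203.0.113.5/share/update.cpl\nIconIndex=0\n",
    "bookmark": "[InternetShortcut]\nURL=https://www.example.com/docs\n",
    "share": "[InternetShortcut]\nURL=\\\\fileserver01\\public\\report.pdf\n",
    "local_cpl": "[InternetShortcut]\nURL=file:///C:/Windows/System32/appwiz.cpl\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} -> {analyze_url_file(text)}")
```

Point scan_directory at a user's Downloads or a mail-attachment quarantine folder; anything marked suspicious deserves the same handling as a downloaded executable. This is a triage heuristic only: legitimate shortcuts to files on a corporate file server land in "review", and a dropper whose .url points at an intermediate script rather than the .cpl itself will not be caught by the extension check.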
Again, if you didn't do so in November, it's high time to update your Windows installations or risk becoming the next victim of these data thieves.
This Cyber News was published on go.theregister.com. Publication date: Sat, 13 Jan 2024 00:13:04 +0000