Hackers Exploiting Windows Defender SmartScreen Flaw

Hackers actively target and exploit Windows Defender SmartScreen to deceive users and deliver malicious content by creating convincing, misleading websites or applications.
By evading SmartScreen, the threat actors increase the chances of their malicious content being executed on users' systems to compromise security.
This exploitation often involves the use of social engineering tactics to deceive users and bypass the protective features of SmartScreen.
CVE-2023-36025 in Microsoft Windows Defender SmartScreen allows threat actors to exploit.
The demo codes on social media revealed their use in malware campaigns, including one with a Phemedrone Stealer payload.Free Webinar.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month.
To initiate Phemedrone Stealer, threat actors place malicious Internet Shortcut files on Discord or cloud services that are often disguised with URL shorteners.
Exploiting CVE-2023-36025 makes the users unknowingly open crafted.
Url files, which help in evading Windows Defender SmartScreen.
Executing the file connects to the attacker's server, downloading and executing a control panel item using a Windows shortcut to bypass SmartScreen.
002 the hackers use the Windows Control Panel process to execute a malicious DLL that acts as a loader.
Researchers discovered that the PowerShell commands led to the download of a ZIP file from GitHub containing three files.
Dll file decrypts the second stage loader for persistence by creating scheduled tasks.
Techniques like API hashing, string encryption, and VMProtect enhance the evasion mechanism.
The loader sideloads using DLL spoofing which is executed by WerFaultSecure.
Dynamic API resolves the hidden imports using CRC-32 hashing.
Pdf, decrypted using SystemFunction032 for RC4 decryption.
API callback functions redirect execution flow to the second stage by utilizing the CryptCATCDFOpen with the second stage's Entry Point.
The attacker deployed the Donut second-stage loader, an open-source shellcode enabling the execution of various file types in memory.
This case represents the connection between open-source malware and public exploits, highlighting the need for timely software updates and implementations of robust security solutions.


This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 16 Jan 2024 13:25:04 +0000


Cyber News related to Hackers Exploiting Windows Defender SmartScreen Flaw

Data-theft malware exploits Windows Defender SmartScreen The Register - Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information - passwords, cookies, authentication tokens, you name it - to grab and ...
10 months ago Go.theregister.com
Hackers Exploiting Windows Defender SmartScreen Flaw - Hackers actively target and exploit Windows Defender SmartScreen to deceive users and deliver malicious content by creating convincing, misleading websites or applications. By evading SmartScreen, the threat actors increase the chances of their ...
10 months ago Cybersecuritynews.com
Hackers abuse Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
8 months ago Bleepingcomputer.com
Hackers exploit Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
8 months ago Bleepingcomputer.com
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics - Windows Defender places malicious files into quarantine upon detection. Fox-IT's open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows ...
11 months ago Blog.fox-it.com
Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs - Microsoft's scheduled Patch Tuesday security update for February includes fixes for two zero-day security vulnerabilities under active attack, plus 71 other flaws across a wide range of its products. In all, five of the vulnerabilities for which ...
9 months ago Darkreading.com
​​Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint Security 2024 - With these security concerns top of mind, there is no surprise that in the last five years, the Modern Endpoint Security market has nearly tripled in size to defend against emerging, sophisticated, and persistent threats. Microsoft Defender for ...
8 months ago Techcommunity.microsoft.com
Windows SmartScreen flaw exploited to drop Phemedrone malware - A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files. Phemedrone is a new open-source info-stealer malware that harvests data stored in ...
10 months ago Bleepingcomputer.com
Microsoft deprecates Defender Application Guard for Office - Microsoft is deprecating Defender Application Guard for Office and the Windows Security Isolation APIs, and it recommends Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control as an ...
11 months ago Bleepingcomputer.com
Microsoft Defender adds detection of unsecure Wi-Fi networks - If you're not a Microsoft Defender user with a Microsoft 365 Family or Personal subscription, you can also protect yourself by enabling multi-factor authentication on as many of your accounts as possible and turning off automatic Wi-Fi connections to ...
1 month ago Bleepingcomputer.com
Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT - The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious ...
8 months ago Cysecurity.news
Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
5 months ago Securityaffairs.com
Industrial Defender Risk Signal, a Risk-Based Vulnerability Management Solution for OT Security - PRESS RELEASE. FOXBOROUGH, Mass. , Jan. 3, 2024 /PRNewswire/ - Industrial Defender, the leading provider of OT asset data and cybersecurity solutions for industrial organizations, is excited to announce the launch of the Industrial Defender Risk ...
10 months ago Darkreading.com
Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team - AI is quickly becoming a force multiplier-presenting significant opportunities for security teams to increase productivity, save time, upskill resources, and more. Microsoft Copilot for Security is already showing immediate impact for security teams ...
9 months ago Microsoft.com
Shield Your Documents: Introducing DocLink Defender for Real-Time Malware Blockade - Innovative Real-Time Protection: DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly. Proven Defense Against Advanced Threats: Showcasing its prowess, DocLink Defender has a track ...
8 months ago Blog.checkpoint.com
Netography Fusion Expands Microsoft Integrations for Greater Context Enrichment and Faster Compromise Detection - We've got great news for companies that have deployed Microsoft security products in their tech stack - the Netography Fusion® Network Defense Platform now ingests context from Microsoft Defender for Endpoint product and the Microsoft Defender XDR ...
10 months ago Securityboulevard.com
Microsoft Defender Isolates Compromised Linux Endpoints - Microsoft announced today that it has added device isolation support to Microsoft Defender for Endpoint on Linux devices. Enterprise admins can manually isolate Linux machines enrolled in a public preview using the Microsoft 365 Defender portal or ...
1 year ago Bleepingcomputer.com
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
11 months ago Bleepingcomputer.com
Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
4 months ago Securityaffairs.com
Microsoft launches Defender Bounty Program with $20,000 rewards - Microsoft has unveiled a new bug bounty program aimed at the Microsoft Defender security platform, with rewards between $500 and $20,000. While higher awards are possible, Microsoft retains sole discretion to determine the final reward amount based ...
11 months ago Bleepingcomputer.com
CERT-UA warns of malware campaign conducted by threat actor UAC-0006 - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Recent DarkGate campaign exploited ...
5 months ago Securityaffairs.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
11 months ago Techrepublic.com
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
11 months ago Bleepingcomputer.com
Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
10 months ago Microsoft.com
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
4 months ago Securityaffairs.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)