Windows SmartScreen flaw exploited to drop Phemedrone malware

A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files.
Phemedrone is a new open-source info-stealer malware that harvests data stored in web browsers, cryptocurrency wallets, and software like Discord, Steam, and Telegram.
The Microsoft Defender flaw exploited in the Phemedrone campaign is CVE-2023-36025, which was fixed during the November 2023 Patch Tuesday, where it was marked as actively exploited in attacks.
Not many details were initially shared about the exploitation of CVE-2023-36025 in the wild, but proof-of-concept exploits published shortly after elevated the risk for unpatched Windows systems.
Trend Micro's researchers report that the Phemedrone campaign is not the only malware family they've seen targeting the particular flaw in Windows, with other cases involving ransomware.
The attackers host malicious URL files on trustworthy cloud services like Discord and FireTransfer.io and often disguise them using shortener services like shorturl.
Usually, when opening URL files downloaded from the internet or sent via email, Windows SmartScreen will display a warning that opening the file could harm the computer.
When the victim is tricked into opening one of the malicious URL files, they exploit the CVE-2023-36095 flaw in Windows SmartScreen so that this prompt is not shown and the command is executed automatically.
The URL file downloads a control panel item file from the attacker's control server and executes it, launching a malicious DLL payload via rundll32.
The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masqueraded as a PDF file, a legitimate Windows binary, and 'wer.
Once launched on the compromised system, Phemedrone initializes its configuration, decrypts necessary items, and steals data from targeted applications, using Telegram for data exfiltration.
Gecko browsers: Extracts user data from Gecko-based browsers like Firefox.
Crypto wallets: Extracts data from various crypto wallet apps, including Atom, Armory, Electrum, and Exodus.
FileGrabber: Collects user files from folders like Documents and Desktop.
Trend Micro has published the complete list of indicators of compromise for the newly observed Phemedrone campaign here.
Lumma Stealer malware now uses trigonometry to evade detection.
Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts.
Rhadamanthys Stealer malware evolves with more powerful features.
Atomic Stealer malware strikes macOS via fake browser updates.
Google: Malware abusing API is standard token theft, not an API issue.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 15 Jan 2024 18:35:52 +0000


Cyber News related to Windows SmartScreen flaw exploited to drop Phemedrone malware

Windows SmartScreen flaw exploited to drop Phemedrone malware - A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files. Phemedrone is a new open-source info-stealer malware that harvests data stored in ...
10 months ago Bleepingcomputer.com
Data-theft malware exploits Windows Defender SmartScreen The Register - Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information - passwords, cookies, authentication tokens, you name it - to grab and ...
10 months ago Go.theregister.com
Hackers abuse Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
8 months ago Bleepingcomputer.com
Hackers exploit Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
8 months ago Bleepingcomputer.com
Hackers Exploiting Windows Defender SmartScreen Flaw - Hackers actively target and exploit Windows Defender SmartScreen to deceive users and deliver malicious content by creating convincing, misleading websites or applications. By evading SmartScreen, the threat actors increase the chances of their ...
10 months ago Cybersecuritynews.com
Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
4 months ago Pandasecurity.com
MacOS info-stealers quickly evolve to evade XProtect detection - Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies follow and report about new variants frequently. A report by SentinelOne highlights the problem through three ...
10 months ago Bleepingcomputer.com
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
9 months ago Securityintelligence.com
How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
7 months ago Pandasecurity.com
Fake AV websites used to distribute info-stealer malware - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Threat actors actively ...
5 months ago Securityaffairs.com
Fake AV websites used to distribute info-stealer malware - CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
5 months ago Securityaffairs.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
6 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)