A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files.
Phemedrone is a new open-source info-stealer malware that harvests data stored in web browsers, cryptocurrency wallets, and software like Discord, Steam, and Telegram.
The Microsoft Defender flaw exploited in the Phemedrone campaign is CVE-2023-36025, which was fixed during the November 2023 Patch Tuesday, where it was marked as actively exploited in attacks.
Not many details were initially shared about the exploitation of CVE-2023-36025 in the wild, but proof-of-concept exploits published shortly after elevated the risk for unpatched Windows systems.
Trend Micro's researchers report that the Phemedrone campaign is not the only malware family they've seen targeting the particular flaw in Windows, with other cases involving ransomware.
The attackers host malicious URL files on trustworthy cloud services like Discord and FireTransfer.io and often disguise them using shortener services like shorturl.
Usually, when opening URL files downloaded from the internet or sent via email, Windows SmartScreen will display a warning that opening the file could harm the computer.
When the victim is tricked into opening one of the malicious URL files, the file exploits the CVE-2023-36025 flaw in Windows SmartScreen so that this prompt is not shown and the embedded command is executed automatically.
The URL file downloads a control panel item file from the attacker's control server and executes it, launching a malicious DLL payload via rundll32.
The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masqueraded as a PDF file, a legitimate Windows binary, and 'wer.
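An added example, not part of the BleepingComputer article or Trend Micro's report: a small Python detection run over constructed Sysmon-style process-creation events, flagging the stages of the delivery chain described above (rundll32 executing a control panel item from a user-writable path, a rundll32 whose parent opened a .url file, and PowerShell spawned from rundll32). The event layout, file paths and process IDs are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# not taken from the article). The chain mirrors the described infection:
# explorer opens a downloaded .url, rundll32 executes a control panel item
# (.cpl) from a user-writable path, and PowerShell is spawned from rundll32.
# pid 400 is a benign control panel launch used as a negative case.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\explorer.exe "C:\Users\u\Downloads\invoice.url"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\u\AppData\Local\Temp\item.cpl"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command <omitted>"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"},
]

# Matches a .cpl path token; paths containing spaces would need quoting-aware parsing.
CPL_RE = re.compile(r"\S+\.cpl\b", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(events: List[Dict]) -> List[Dict]:
    """Return findings as {"pid": ..., "rule": ...} for the three chain stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.endswith("rundll32.exe"):
            m = CPL_RE.search(e["cmdline"])
            # Control panel items normally live under the system directories.
            if m and not m.group(0).lower().startswith(SYSTEM_DIRS):
                findings.append({"pid": e["pid"], "rule": "cpl_outside_system_dir"})
            # rundll32 whose parent process was launched to open a .url file.
            if parent and ".url" in parent["cmdline"].lower():
                findings.append({"pid": e["pid"], "rule": "rundll32_child_of_url_file"})
        elif image.endswith("powershell.exe"):
            if parent and parent["image"].lower().endswith("rundll32.exe"):
                findings.append({"pid": e["pid"], "rule": "powershell_child_of_rundll32"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']}")
```

Each rule alone is noisy on a real estate; the value is in correlating the stages on the same lineage within a short window.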
Once launched on the compromised system, Phemedrone initializes its configuration, decrypts necessary items, and steals data from targeted applications, using Telegram for data exfiltration.
Gecko browsers: Extracts user data from Gecko-based browsers like Firefox.
Crypto wallets: Extracts data from various crypto wallet apps, including Atom, Armory, Electrum, and Exodus.
FileGrabber: Collects user files from folders like Documents and Desktop.
Trend Micro has published the complete list of indicators of compromise for the newly observed Phemedrone campaign here.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 15 Jan 2024 18:35:52 +0000