Beware: New Phemedrone Stealer Exploits Windows SmartScreen Flaw

A recently discovered vulnerability in Windows SmartScreen is being actively exploited in attacks that lead to the infection with the new Phemedrone stealer, warns Trend Micro.

The vulnerability, CVE-2023-36025, has a CVSS score of 8.8 and was fixed by Microsoft as part of last year’s November Patch Tuesday update. The bug was reported as a bypass of Windows Defender SmartScreen’s protection: it allows a malicious Internet Shortcut (.url) file to skip SmartScreen’s checks and the associated security warnings.

“CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks,” wrote the developers.

Soon after details of the flaw were published, attackers were observed exploiting it, and several PoC exploits appeared online and were quickly adopted by cybercriminals in their attack chains.

As Trend Micro now reports, a malicious campaign is actively using CVE-2023-36025 to spread the Phemedrone infostealer, previously unknown to researchers. Written in C#, Phemedrone is an open-source malware with active support on GitHub and Telegram.

In addition to stealing data from browsers, cryptocurrency wallets, and various messengers, the malware can take screenshots and gather system information, including data about the victim’s hardware and location. The collected information is then transmitted to the malware operators via Telegram or directly to a control server.

According to Trend Micro, Phemedrone targets the following applications and data:

  • Chromium browsers: passwords, cookies, and autofill data from browsers and applications like LastPass, KeePass, Microsoft Authenticator, and Google Authenticator;
  • Gecko browsers: user data from Gecko-based browsers, such as Firefox;
  • Crypto wallets: data from various cryptocurrency applications, including Atom, Armory, Electrum, and Exodus;
  • Discord: unauthorized access to the messenger for extracting authentication tokens;
  • FileGrabber: user files from folders such as Documents and Desktop;
  • FileZilla: FTP data and credentials;
  • System information: hardware data, geolocation, operating system details, and screenshots;
  • Steam: files associated with the platform;
  • Telegram: user data, especially authentication files in the tdata folder.

In the observed attacks, malicious .url files exploiting CVE-2023-36025 were hosted on Discord or other cloud services, with links often disguised using URL shortening services. When opened, these files download and run a .cpl file on the victim’s system, which calls rundll32.exe to execute a malicious DLL fetched from GitHub; that DLL acts as a loader for the next stage.

The next element of the attack is an obfuscated loader, which retrieves a ZIP archive from the same GitHub repository. The archive contains all necessary files for the malware to establish itself in the system and proceed to the next stage, delivering the final payload of the Phemedrone stealer.
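One way a defender can hunt for the .url → .cpl → rundll32.exe stage of this chain in endpoint telemetry, as an added example that is not Trend Micro’s or Microsoft’s detection logic. It assumes Sysmon-style process-creation events flattened to dicts with `Image`, `CommandLine` and `ProcessId` keys, and treats a .cpl run by rundll32.exe from a user profile or temp directory as suspicious (built-in applets live under System32); the sample events are constructed.

```python
"""Flag rundll32.exe launching a .cpl from a user-writable directory."""
import re
from typing import Iterable, Optional

# Assumption: a shortcut-delivered .cpl lands in the user profile or a temp
# directory, whereas legitimate Control Panel applets sit in %SystemRoot%\System32.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\|\\windows\\temp\\",
    re.IGNORECASE,
)
# A drive-letter path ending in .cpl, not crossing a quote character.
CPL_PATH = re.compile(r'([a-z]:\\[^"]*?\.cpl)\b', re.IGNORECASE)


def cpl_argument(cmdline: str) -> Optional[str]:
    """Return the .cpl path passed on the command line, or None if there is none."""
    m = CPL_PATH.search(cmdline)
    return m.group(1) if m else None


def is_suspicious(event: dict) -> bool:
    """True when rundll32.exe is asked to run a .cpl from a user-writable path."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return False
    cpl = cpl_argument(event.get("CommandLine", ""))
    return cpl is not None and USER_WRITABLE.search(cpl) is not None


def scan(events: Iterable[dict]) -> list:
    """Return the ProcessIds of all events matching the heuristic."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]


# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS = [
    {   # benign: Control Panel opening the built-in date/time applet
        "ProcessId": 4120,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
    },
    {   # matches the chain: a .cpl dropped in Temp after a .url was opened
        "ProcessId": 5268,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Local\Temp\invoice.cpl"',
    },
]

if __name__ == "__main__":
    print("suspicious ProcessIds:", scan(SAMPLE_EVENTS))  # [5268]
```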