Security
Headlines
HeadlinesLatestCVEs

Headline

Windows Defender SmartScreen Vulnerability Exploited with Phemedrone Stealer

By Deeba Ahmed Attackers Leveraging Windows Vulnerability in Phemedrone Malware Campaign for Enhanced Stealth. This is a post from HackRead.com Read the original post: Windows Defender SmartScreen Vulnerability Exploited with Phemedrone Stealer

HackRead
#vulnerability#web#windows#microsoft#git#pdf#oauth#auth

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

Cybersecurity researchers at Trend Micro have discovered that a vulnerability affecting Microsoft Windows Defender SmartScreen, tracked as CVE-2023-36025, is being exploited to infect users with Phemedrone Stealer.

For your information, Windows Defender SmartScreen is a built-in security feature in Microsoft Windows 8 and later that helps protect users from malicious websites, downloads, and applications. It acts as a first line of defence against a variety of threats, including phishing websites, malicious downloads and untrusted applications.

This open-source malware strain targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. Its additional capabilities allow the malware to take screenshots gather system information such as hardware details and location data and send stolen data to attackers via Telegram or their C2 server. Phemedrone Stealer is maintained on GitHub and Telegram.

Reportedly, hackers use social media to spread URL files that appear as harmless link shortcuts, which are then downloaded and run by clicking on them. The infection process begins with an attacker hosting malicious Internet Shortcut files on cloud services like Discord or FileTransfer.io, disguised using URL shorteners like shorturl.at. An unsuspecting user may be tricked into opening a maliciously crafted.url file that exploits CVE-2023-36025.

The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism. The.cpl file is executed through the Windows Control Panel process binary, calling rundll32.exe to execute a malicious DLL.

The malware, hosted on GitHub, downloads a ZIP file containing three files: WerFaultSecure.exe, Wer.dll, and Secure.pdf. The wer.dll file is crucial for the loader’s functionality. The attacker executes the loader using DLL sideloading, spoofing a malicious DLL file in the application’s directory.

The DATA3.txt file masks its contents, making deciphering its purpose difficult. The malware collects system information, compresses it into a ZIP file, and sends the compressed data to the attacker via SendMessage and SendZip methods. Through techniques like API hashing and string encryption, the malware evades detection and complicates reverse engineering.

CVE-2023-36025, having a CVSS score of 8.8, affects Microsoft Windows Defender SmartScreen because of its lack of checks on Internet Shortcut files, allowing attackers to create.url files and execute malicious scripts.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

To stay protected, developers should regularly update their operating systems, apps, and security solutions, be cautious with Internet Shortcut files, and implement advanced solutions like real-time monitoring and threat detection capabilities.

****RELATED ARTICLES****

  1. Microsoft Disables App Installer After Feature is Abused for Malware
  2. Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
  3. EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability
  4. Microsoft: Storm-1283 Sent 927k Phishing Emails with Malicious OAuth Apps
  5. Scammers Use Fake Ledger App on Microsoft Store to Steal $800k in Crypto

Related news

Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday

Fat Patch Tuesday, February 2024 Edition

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer. "This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News. Ov3r_Stealer

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer

Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

By Waqas The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability. This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Hackers Weaponize Windows Flaw to Deploy Crypto-Siphoning Phemedrone Stealer

Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer. “Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said. “It also

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara

Update now! Microsoft patches 3 actively exploited zero-days

Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

Alert: Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild. Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release. The updates are in

Microsoft Patch Tuesday, November 2023 Edition

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three "zero day" vulnerabilities that Microsoft warns are already being exploited in active attacks.

Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days

In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.”

CVE-2023-36025

Windows SmartScreen Security Feature Bypass Vulnerability