Windows Defender SmartScreen Vulnerability Exploited with Phemedrone Stealer

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

Cybersecurity researchers at Trend Micro have discovered that a vulnerability affecting Microsoft Windows Defender SmartScreen, tracked as CVE-2023-36025, is being exploited to infect users with Phemedrone Stealer.

For your information, Windows Defender SmartScreen is a built-in security feature in Microsoft Windows 8 and later that helps protect users from malicious websites, downloads, and applications. It acts as a first line of defence against a variety of threats, including phishing websites, malicious downloads and untrusted applications.

This open-source malware strain targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. Its additional capabilities allow the malware to take screenshots gather system information such as hardware details and location data and send stolen data to attackers via Telegram or their C2 server. Phemedrone Stealer is maintained on GitHub and Telegram.

Reportedly, hackers use social media to spread URL files that appear as harmless link shortcuts, which are then downloaded and run by clicking on them. The infection process begins with an attacker hosting malicious Internet Shortcut files on cloud services like Discord or FileTransfer.io, disguised using URL shorteners like shorturl.at. An unsuspecting user may be tricked into opening a maliciously crafted.url file that exploits CVE-2023-36025.

The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism. The.cpl file is executed through the Windows Control Panel process binary, calling rundll32.exe to execute a malicious DLL.

The malware, hosted on GitHub, downloads a ZIP file containing three files: WerFaultSecure.exe, Wer.dll, and Secure.pdf. The wer.dll file is crucial for the loader’s functionality. The attacker executes the loader using DLL sideloading, spoofing a malicious DLL file in the application’s directory.

The DATA3.txt file masks its contents, making deciphering its purpose difficult. The malware collects system information, compresses it into a ZIP file, and sends the compressed data to the attacker via SendMessage and SendZip methods. Through techniques like API hashing and string encryption, the malware evades detection and complicates reverse engineering.

CVE-2023-36025, having a CVSS score of 8.8, affects Microsoft Windows Defender SmartScreen because of its lack of checks on Internet Shortcut files, allowing attackers to create.url files and execute malicious scripts.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

To stay protected, developers should regularly update their operating systems, apps, and security solutions, be cautious with Internet Shortcut files, and implement advanced solutions like real-time monitoring and threat detection capabilities.

****RELATED ARTICLES****

1. Microsoft Disables App Installer After Feature is Abused for Malware
2. Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
3. EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability
4. Microsoft: Storm-1283 Sent 927k Phishing Emails with Malicious OAuth Apps
5. Scammers Use Fake Ledger App on Microsoft Store to Steal $800k in Crypto