Phemedrone Malware Campaign Exploits Windows SmartScreen Bypass Vulnerability
January 15, 2024
Trend Micro researchers have discovered a malware campaign that leverages the CVE-2023-36025 vulnerability to deploy a new strain of malware called Phemedrone Stealer. This vulnerability, which has a CVSS score of 8.8, is a Windows SmartScreen Security Feature Bypass issue. Microsoft patched it in its November 2023 Patch Tuesday security updates.
The vulnerability allows an attacker to bypass Windows Defender SmartScreen checks and other warnings, which can be used in phishing campaigns to evade the user prompts that caution against opening a malicious document. Following the public disclosure of this vulnerability, several demonstrations and proof-of-concept code samples were posted on social media. A growing number of malware campaigns have since incorporated this exploit into their attack chains.
Phemedrone Stealer is capable of stealing sensitive data from web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. It can also take screenshots and gather system information such as hardware, location, and operating system details. The stolen data is then exfiltrated via Telegram or the malware's command and control (C2) server. The malware is written in C#, and its authors actively maintain the malicious code on GitHub and Telegram.
The malware campaign works by exploiting the CVE-2023-36025 vulnerability through a malicious .url file. When this file is executed, it connects to a server controlled by the attacker to download and execute a control panel item (.cpl) file. Normally, Windows Defender SmartScreen would warn users before executing a .url file from an untrusted source. However, the attackers have found a way to evade this protection by using a .cpl file as part of their malicious payload delivery mechanism.
The malicious .url files reference Discord or other cloud services. When one is executed, a .cpl file is downloaded and executed, which in turn calls rundll32.exe to run a malicious DLL that acts as a loader for the next stage: a malicious script hosted on GitHub. The script downloads a ZIP archive from the same GitHub repository into a hidden directory; the archive contains the files needed to load the next stage and maintain persistence. The final stage loads the Phemedrone Stealer payload.
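The delivery pattern above (an Internet Shortcut whose target is a remotely hosted .cpl file) is something a defender can triage from the .url file itself. The following is an added example, not code from the original article or from Trend Micro; the sample shortcut contents and the host names in them are constructed for illustration, not indicators from the campaign.

```python
"""Triage Internet Shortcut (.url) files for a remotely hosted .cpl target."""
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample .url files (hypothetical hosts, not real indicators).
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/docs/guide.html\n"
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=https://cdn.discordapp.example/attachments/123/invoice.cpl\n"
    "IconIndex=0\n"
)


def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of a .url file, or None if it is not one.

    .url files are INI-formatted, so configparser handles them; option
    names are case-insensitive in configparser, matching Windows.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage(text: str) -> List[str]:
    """Return the reasons a .url file warrants review (empty = nothing flagged)."""
    target = shortcut_target(text)
    if target is None:
        return ["no [InternetShortcut] URL entry"]
    parsed = urlparse(target.strip())
    reasons = []
    if parsed.path.lower().endswith(".cpl"):
        reasons.append("target is a Control Panel item (.cpl) on a remote host")
    if parsed.scheme not in ("http", "https"):
        reasons.append("target is not a web URL (file or UNC path)")
    if parsed.hostname and "discord" in parsed.hostname:
        reasons.append("hosted on a Discord host, as in the described campaign")
    return reasons


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage(sample) or "clean")
```

Run it over a directory of quarantined .url attachments to prioritise which ones to inspect; a hit is a triage signal, not proof of compromise.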
Despite the patch for CVE-2023-36025, threat actors continue to find ways to exploit the vulnerability and bypass Windows Defender SmartScreen protections. This has resulted in the infection of users with various types of malware, including ransomware and stealers like Phemedrone Stealer. The emergence of malware strains like Phemedrone Stealer underscores the evolving nature of sophisticated malware threats and the ability of malicious actors to quickly enhance their infection chains by exploiting critical vulnerabilities in everyday software.