Phemedrone Malware Campaign Exploits Windows SmartScreen Bypass Vulnerability

January 15, 2024

Trend Micro researchers have discovered a malware campaign that leverages the CVE-2023-36025 vulnerability to deploy a new strain of malware called Phemedrone Stealer. This vulnerability, which has a CVSS score of 8.8, is a Windows SmartScreen Security Feature Bypass issue. It was patched by Microsoft in their November 2023 Patch Tuesday security updates.

The vulnerability allows an attacker to bypass Windows Defender SmartScreen checks and their associated warnings, which can be used in phishing campaigns to suppress the prompts that caution a user against opening a malicious file. Following the public disclosure of this vulnerability, several demonstrations and proof-of-concept code were posted on social media. A growing number of malware campaigns have since incorporated this exploit into their attack chains.

Phemedrone Stealer is capable of stealing sensitive data from web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. It can also take screenshots and gather system information such as hardware, location, and operating system details. The stolen data is then exfiltrated via Telegram or the malware's command and control (C2) server. The malware is written in C#, and its authors actively maintain the malicious code on GitHub and Telegram.

The malware campaign works by exploiting the CVE-2023-36025 vulnerability through a malicious .url file. When this file is executed, it connects to a server controlled by the attacker to download and execute a control panel item (.cpl) file. Normally, Windows Defender SmartScreen would warn users before executing a .url file from an untrusted source. However, the attackers have found a way to evade this protection by using a .cpl file as part of their malicious payload delivery mechanism.

The malicious .url files reference Discord or other cloud services. When these files are executed, a .cpl file is downloaded and executed, which in turn calls rundll32.exe to run a malicious DLL acting as a loader for the next stage. That next stage is a malicious script hosted on GitHub. The script downloads a ZIP archive from the same GitHub repository into a hidden directory; the archive contains the files needed to load the following stage and maintain persistence. The final stage is the loading of the Phemedrone Stealer payload.
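The delivery chain above starts with an Internet Shortcut (.url) file whose target is a remote Control Panel item (.cpl). A defender triaging mail attachments or endpoint file drops can check for exactly that pattern, since a legitimate shortcut almost never points at a .cpl on a remote host or a file share. The following script is an added example written for this article, not Trend Micro's code or any tool of theirs; it parses the INI-style .url format with the standard library and flags shortcuts whose `URL=` target is a .cpl or a `file://`/UNC path. The three shortcut bodies in `SAMPLES` are constructed for the example and use `.invalid` and documentation addresses, not indicators from the campaign.

```python
"""Triage Windows Internet Shortcut (.url) files for the remote-.cpl delivery
pattern described above. Added example; not Trend Micro's or Microsoft's code."""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample .url contents (not real indicators): two suspicious, one benign.
SAMPLES: Dict[str, str] = {
    "invoice.url": (
        "[InternetShortcut]\r\n"
        "URL=https://files.example-cloud.invalid/attachments/invoice.cpl\r\n"
    ),
    "share.url": (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.5/share/update.cpl\r\n"
        "IconIndex=0\r\n"
    ),
    "docs.url": (
        "[InternetShortcut]\r\n"
        "URL=https://docs.example.invalid/manual.html\r\n"
    ),
}


@dataclass
class UrlVerdict:
    name: str
    target: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value under [InternetShortcut], or None if the file
    is malformed or has no such entry. A leading UTF-8 BOM is tolerated."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in parser.sections():
        # Section and key names are case-insensitive in .url files;
        # ConfigParser already lowercases keys, so only the section needs care.
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None


def assess(name: str, text: str) -> UrlVerdict:
    """Apply the detection heuristics to one shortcut's contents."""
    target = parse_url_file(text)
    if target is None:
        return UrlVerdict(name, None, ["no URL= entry under [InternetShortcut]"])

    verdict = UrlVerdict(name, target)
    parsed = urlparse(target)
    path = parsed.path.lower()

    # Heuristic 1: the shortcut resolves to a Control Panel item.
    if path.endswith(".cpl"):
        verdict.reasons.append("target is a Control Panel item (.cpl)")

    # Heuristic 2: the shortcut reaches out to a file share rather than a web page.
    if parsed.scheme == "file" or target.startswith("\\\\"):
        verdict.reasons.append("target is a file:// or UNC path (remote share fetch)")

    return verdict


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {file name: reasons} for every shortcut that trips a heuristic."""
    results = {}
    for name, text in files.items():
        verdict = assess(name, text)
        if verdict.suspicious:
            results[name] = verdict.reasons
    return results


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Running the script as-is flags `invoice.url` and `share.url` and stays silent on `docs.url`. In a real deployment the same `assess` function can be fed the bytes of attachments extracted from a mail gateway or the contents of newly written `*.url` files reported by an EDR file-creation event; the hostname in `verdict.target` is the natural pivot for blocking or retro-hunting.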

Despite the patch for CVE-2023-36025, threat actors continue to exploit the vulnerability and bypass Windows Defender SmartScreen protections. This has resulted in users being infected with various types of malware, including ransomware and stealers such as Phemedrone Stealer. The emergence of malware strains like Phemedrone Stealer underscores the evolving nature of sophisticated malware threats and the ability of malicious actors to quickly enhance their infection chains by exploiting critical vulnerabilities in everyday software.
