Security researchers have recently observed a new information stealer, Phemedrone Stealer, being delivered through exploitation of the critical vulnerability CVE-2023-36025. The malware targets web browsers and collects sensitive data from cryptocurrency wallets and from applications such as Telegram, Steam, and Discord. It also gathers system information, including hardware details and location, and sends the stolen data to the attackers through Telegram or their command-and-control (C2) server.
The vulnerability affecting Microsoft Windows Defender SmartScreen arises from insufficient checks on Internet Shortcut (.url) files. Threat actors take advantage of this loophole by creating .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen warnings. Although Microsoft addressed this vulnerability on November 14, 2023, its exploitation in the wild prompted the Cybersecurity and Infrastructure Security Agency (CISA) to include it in the Known Exploited Vulnerabilities (KEV) list on the same day.
Since its discovery, evidence suggests that various malware campaigns, including those distributing the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains. Attackers typically host malicious .url files on cloud services like Discord or FileTransfer.io, using URL shorteners to mask these files.
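Because the delivery vector described above is an Internet Shortcut file whose target points somewhere it should not, a defender can triage suspicious .url attachments before they are opened. The following is an added example, not code from the article or from any of the researchers it cites: it parses the INI-style [InternetShortcut] section and flags the traits the article names (a target that is not a plain web page, a URL-shortener link, or a file on a cloud hosting service). The host lists, extension list and sample files are constructed for the example and should be tuned to your environment.

```python
"""Triage Internet Shortcut (.url) files with heuristics drawn from the
Phemedrone Stealer delivery chain.  Added example; lists are constructed."""
import configparser
import posixpath
import re
from urllib.parse import urlparse

# Constructed for this example; extend these for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.ly", "is.gd", "cutt.ly"}
FILE_HOSTING_HOSTS = {"cdn.discordapp.com", "discordapp.com", "filetransfer.io"}
SCRIPT_OR_BINARY_EXT = {".exe", ".dll", ".scr", ".cpl", ".js", ".jse", ".vbs",
                        ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".msi"}
WEB_SCHEMES = {"http", "https"}
LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def parse_url_file(text: str) -> dict:
    """Return the keys of the [InternetShortcut] section, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case (URL, IconFile, ...)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 byte-order mark
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def _classify_target(field: str, value: str, findings: list) -> None:
    """Apply the heuristics to one field that may reference a remote location."""
    value = value.strip()
    if LOCAL_DRIVE_PATH.match(value):
        return  # local path, e.g. the stock IconFile entry; nothing remote here
    if value.startswith("\\\\"):
        findings.append(f"{field}: UNC path to a remote share")
        return
    parsed = urlparse(value)
    host = (parsed.hostname or "").lower()
    ext = posixpath.splitext(parsed.path)[1].lower()
    if parsed.scheme and parsed.scheme not in WEB_SCHEMES:
        findings.append(f"{field}: non-web scheme '{parsed.scheme}'")
    if host in SHORTENER_HOSTS:
        findings.append(f"{field}: URL shortener host '{host}'")
    if any(host == h or host.endswith("." + h) for h in FILE_HOSTING_HOSTS):
        findings.append(f"{field}: file-hosting service '{host}'")
    if ext in SCRIPT_OR_BINARY_EXT:
        findings.append(f"{field}: points at executable/script content ({ext})")


def inspect_url_file(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    fields = parse_url_file(text)
    if "URL" not in fields:
        findings.append("no URL= entry in [InternetShortcut]")
    # IconFile may also reference a remote location, so it is checked too.
    for field in ("URL", "IconFile"):
        if field in fields:
            _classify_target(field, fields[field], findings)
    return findings


# Constructed sample shortcuts; none of these are real indicators.
SAMPLES = {
    "benign": ("[InternetShortcut]\nURL=https://www.example.com/docs/index.html\n"
               "IconFile=C:\\Windows\\System32\\SHELL32.dll\nIconIndex=13\n"),
    "shortener": "[InternetShortcut]\nURL=https://bit.ly/3abcDEF\n",
    "remote_script": "[InternetShortcut]\nURL=file://203.0.113.7/public/update.vbs\n",
    "cloud_hosted": ("[InternetShortcut]\n"
                     "URL=https://cdn.discordapp.com/attachments/1/2/setup.exe\n"),
}


def scan_samples() -> dict:
    """Run the inspector over every constructed sample."""
    return {name: inspect_url_file(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

The checks are heuristics for triage, not a verdict: a shortcut that passes them can still be malicious, and a shortener link in a legitimate mail will be flagged. Feed `inspect_url_file` the contents of quarantined attachments, and pair the result with the SmartScreen patch status of the endpoint that received the file.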
When the malicious .url file exploiting CVE-2023-36025 is executed, the malware employs defense evasion techniques such as DLL sideloading and dynamic API resolving to conceal its presence. The malware establishes persistence by creating scheduled tasks and utilizes an encrypted second-stage loader.
Phemedrone Stealer’s second stage uses the open-source Donut shellcode loader, which allows various file types to be executed in memory. The malware targets a wide range of applications and services to extract sensitive information, including credentials, from browsers, crypto wallets, Discord, FileZilla, Steam, and more.
Furthermore, the malware uses a structured exfiltration process: it compresses the harvested data and sends it through the Telegram API. Before transmitting, it validates the Telegram API token, and it also sends a detailed system information report to the attackers.
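Exfiltration over the Telegram API is visible at the network edge because the Bot API has a fixed shape: requests go to api.telegram.org with a path of the form /bot<token>/<method>. The following is an added example, not code from the article or from any vendor it cites. It scans constructed proxy log lines, groups Bot API calls by source host, separates a token check (assumed here to be the getMe method) from data-carrying methods such as sendDocument, and raises an alert for hosts that uploaded a meaningful volume. The log format, the byte-count semantics (request body size) and the sample token are all constructed for the example.

```python
"""Spot Telegram Bot API exfiltration in proxy logs.  Added example with a
constructed log format; the Bot API URL shape itself is documented behaviour."""
import re
from collections import defaultdict

# https://api.telegram.org/bot<token>/<method>; token is "<bot id>:<secret>".
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Constructed log format: one request per line, bytes = request body size.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<verb>\S+) url=(?P<url>\S+) "
    r"status=(?P<status>\d+) bytes=(?P<bytes>\d+)$")

EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}  # carry data out
TOKEN_CHECK_METHODS = {"getMe"}  # assumption: how a client validates its token

# Constructed sample; the token and addresses are not real indicators.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z src=10.0.0.25 method=GET url=https://api.telegram.org/"
    "bot123456789:AAExampleTokenForDemoOnly0000000000/getMe status=200 bytes=0",
    "2024-01-15T10:02:14Z src=10.0.0.25 method=POST url=https://api.telegram.org/"
    "bot123456789:AAExampleTokenForDemoOnly0000000000/sendDocument status=200 bytes=48211",
    "2024-01-15T10:02:15Z src=10.0.0.25 method=POST url=https://api.telegram.org/"
    "bot123456789:AAExampleTokenForDemoOnly0000000000/sendMessage status=200 bytes=900",
    "2024-01-15T10:03:40Z src=10.0.0.40 method=GET url=https://www.example.com/ status=200 bytes=0",
    "2024-01-15T10:04:02Z src=10.0.0.51 method=GET url=https://web.telegram.org/a/ status=200 bytes=0",
]


def redact(token: str) -> str:
    """Keep the bot id and a short prefix of the secret so analysts can pivot safely."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..."


def analyse(lines) -> dict:
    """Summarise Bot API activity per source host."""
    per_src = defaultdict(lambda: {"token_checks": 0, "uploads": 0,
                                   "bytes_out": 0, "tokens": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        api = TELEGRAM_BOT_API.search(m["url"])
        if not api:
            continue  # not a Bot API call (web.telegram.org etc. are ignored)
        rec = per_src[m["src"]]
        rec["tokens"].add(redact(api["token"]))
        if api["method"] in TOKEN_CHECK_METHODS:
            rec["token_checks"] += 1
        elif api["method"] in EXFIL_METHODS:
            rec["uploads"] += 1
            rec["bytes_out"] += int(m["bytes"])
    return dict(per_src)


def alerts(summary: dict, min_bytes: int = 10_000) -> list:
    """Hosts that pushed at least min_bytes through data-carrying Bot API methods."""
    return sorted(src for src, r in summary.items()
                  if r["uploads"] and r["bytes_out"] >= min_bytes)


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for src in alerts(summary):
        r = summary[src]
        print(f"ALERT {src}: {r['uploads']} uploads, {r['bytes_out']} bytes, "
              f"{r['token_checks']} token checks, tokens={sorted(r['tokens'])}")
```

A token check immediately followed by sendDocument from a host that has no business running a Telegram bot is the sequence worth alerting on; the redacted token lets analysts correlate multiple infected hosts using the same channel without copying the full secret into tickets. Hosts with legitimate bot traffic should be allow-listed by source rather than by raising the byte threshold.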
Although Microsoft has released a patch for CVE-2023-36025, threat actors continue to exploit the vulnerability, which is why Trend Micro emphasizes that organizations must promptly update their Windows installations to close the Microsoft Windows Defender SmartScreen bypass. Public proof-of-concept exploit code is available on the web, increasing the risk for organizations that have not yet moved to the patched version.
Stay informed and vigilant in protecting your systems against these evolving cyber threats.