Cyber security experts have discovered active exploitation of CVE-2023-36025, which has also led to the spread of a new malware strain called Phemedrone Stealer.
This malware explicitly targets web browsers and collects data from cryptocurrency wallets and messaging applications such as Telegram, Steam and Discord.
In addition, Phemedrone collects system information, including hardware details and location; the stolen data is sent to the attackers via Telegram or their command-and-control (C2) server.
The vulnerability affects Microsoft Windows Defender SmartScreen and stems from insufficient checks on Internet Shortcut (.url) files.
Threat actors exploit this flaw by crafting .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen warnings.
Microsoft addressed this vulnerability on November 14, 2023. Nevertheless, exploitation in the wild prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog the same day.
There are indications that since its discovery, various malware campaigns, including those that distribute the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains. The attack vector mainly involves hosting malicious .url files on cloud services such as Discord or Filetransfer.io, with attackers using URL shorteners to disguise these files.
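A defensive triage helper, added here as an example and not code from the article or from Trend Micro: it parses the INI-style [InternetShortcut] section of .url files and flags shortcuts whose target is a remote host serving a script or executable, the pattern the article describes. The extension list and the sample shortcut bodies are constructed assumptions, not indicators from the article.

```python
import configparser
from pathlib import Path
from urllib.parse import urlparse

# Extensions worth flagging when a shortcut fetches them from a remote host.
# Assumed for this example; it is not a list taken from the article.
RISKY_EXTENSIONS = {".exe", ".dll", ".cpl", ".js", ".vbs", ".ps1",
                    ".bat", ".cmd", ".hta", ".scr"}


def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut body, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(text):
    """Classify a .url body as ('invalid'|'benign'|'suspicious', reason)."""
    url = shortcut_target(text)
    if not url:
        return ("invalid", "no [InternetShortcut] URL entry")
    target = url.strip()
    if target.startswith("\\\\"):
        # UNC path: Windows would fetch the target from a remote share.
        remote, path = True, target.replace("\\", "/")
    else:
        parsed = urlparse(target)
        remote = parsed.scheme.lower() in {"http", "https", "file"} and bool(parsed.netloc)
        path = parsed.path
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if remote and ext in RISKY_EXTENSIONS:
        return ("suspicious", f"remote target fetches a {ext} file: {target}")
    if remote:
        return ("benign", "remote target is not a script or executable")
    return ("benign", "local target")


def scan_directory(root):
    """Triage every *.url file under root; returns (path, verdict, reason) tuples."""
    results = []
    for path in Path(root).rglob("*.url"):
        try:
            body = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        verdict, reason = assess_shortcut(body)
        results.append((str(path), verdict, reason))
    return results


# Constructed sample shortcut bodies; 203.0.113.10 is a documentation address.
BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.com/docs\nIDList=\n"
SUSPICIOUS_URL = "[InternetShortcut]\nURL=http://203.0.113.10/downloads/invoice.js\n"
```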
Once the malicious .url file that exploits CVE-2023-36025 is executed, the malware uses defense evasion techniques, such as DLL sideloading and dynamic API resolving, to hide its presence. It achieves persistence by creating scheduled tasks and uses an encrypted second-stage loader.
Second-stage extraction and exfiltration
The second stage of Phemedrone Stealer uses an open-source shellcode project called Donut, which allows various file types to be executed in memory. The malware dynamically targets a wide range of applications and services, then extracts sensitive information, including credentials, from browsers, crypto wallets, Discord, FileZilla, Steam and more.
The malware also uses an extensive data exfiltration process in which the harvested data is compressed and sent via the Telegram API. It ensures data integrity by validating the Telegram API and sends a detailed system information report to the attackers.
Although Microsoft has issued a patch for CVE-2023-36025, Trend Micro said that threat actors continue to exploit the vulnerability, which underscores the need for organizations to update their Windows installations immediately.
“Organizations must ensure that Microsoft Windows installations are updated to prevent them from being exposed to the Microsoft Windows Defender SmartScreen bypass,” reads the advisory.
“Public proof-of-concept exploit code exists on the web and increases the risk for organizations that have not yet been updated to the latest patched version.”