Pierluigi Paganini January 15, 2024

Threat actors exploit a recent Windows SmartScreen bypass flaw CVE-2023-36025 to deliver the Phemedrone info stealer.

Trend Micro researchers uncovered a malware campaign exploiting the vulnerability CVE-2023-36025 (CVSS score 8.8) to deploy a previously unknown strain of the malware dubbed Phemedrone Stealer.

The vulnerability was addressed by Microsoft with the release of Patch Tuesday security updates for November 2023. The vulnerability is a Windows SmartScreen Security Feature Bypass issue.

An attacker can exploit this flaw to bypass Windows Defender SmartScreen checks and other prompts. This flaw can be exploited in phishing campaigns to evade user prompts that warn recipients about opening a malicious document.

After public disclosure of the vulnerability, multiple demos and proof-of-concept codes have been published on social media. Experts noticed that a growing number of malware campaigns have included the exploit for this flaw into their attack chains. 

Phemedrone Stealer allows operators to steal sensitive data from web browsers and cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. The malware supports multuple capabilities, including taking screenshots and gathering system information regarding hardware, location, and operating system details.

The stolen data is exfiltrated via Telegram or their C2 server. The malware is written in C#, its authors actively maintain the malicious code on GitHub and Telegram. 

“Once the malicious .url file exploiting CVE-2023-36025 is executed, it connects to an attacker-controlled server to download and execute a control panel item (.cpl) file. Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source.” reads the report published by Trend Micro. “However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism.”

The malicious URL files exploiting CVE-2023-36025 reference Discord or other cloud services. Upon executing the files, a control panel item (.cpl) file is downloaded and executed. Then it calls rundll32.exe to execute a malicious DLL acting as a loader for the next stage, a malicious script hosted on GitHub.

The next stage is an obfuscated loader that fetches a ZIP archive from the same GitHub repository to a hidden directory created using the Windows attribute utility binary (attrib.exe).   

The archive contains the files to load the next stage and maintain persistence. The next stage loads the Phemedrone Stealer payload.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer.” concludes the report.  “Malware strains such as Phemedrone Stealer highlight the evolving nature of sophisticated malware threats and malicious actors’ ability to quickly enhance their infection chains by adding new exploits for critical vulnerabilities in everyday software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phemedrone)