November 22, 2023 at 02:45PM
A proof of concept exploit has been developed for a critical zero-day vulnerability in Windows SmartScreen technology that allows attackers to bypass Windows Defender SmartScreen checks without triggering alerts. The exploit requires a user to click on a maliciously crafted Internet shortcut or link. The vulnerability affects Windows 10, Windows 11, and Windows Server. A financially motivated APT group known as TA544 has been observed exploiting the vulnerability in campaigns involving a remote access Trojan called Remcos. This is the third zero-day bug in SmartScreen that Microsoft has disclosed this year.
Key Takeaways:
– A proof of concept (PoC) exploit has been released for a critical zero-day vulnerability in Windows SmartScreen technology.
– Microsoft released a patch for the vulnerability (CVE-2023-36025) in its November 2023 security update.
– The vulnerability allows attackers to bypass Windows Defender SmartScreen checks and execute malicious code through a crafted Internet shortcut (.URL) or link.
– The exploitation of CVE-2023-36025 can lead to successful phishing attacks, malware distribution, and other cybersecurity threats.
– A financially motivated advanced persistent threat (APT) group known as TA544 has been observed abusing the vulnerability in its campaigns.
– TA544 has been distributing malware tools like the Ursnif banking Trojan and WikiLoader.
– In a recent campaign, TA544 used the Remcos remote access Trojan and established a unique web page with links to the malicious file.
– CVE-2023-36025 lets an attacker cause a Virtual Hard Disk (VHD) to be mounted automatically when the victim opens the crafted .URL file.
– This vulnerability is the third zero-day bug in SmartScreen that Microsoft has disclosed this year.
– Google researchers previously discovered a SmartScreen vulnerability used to drop Magniber ransomware.
– Microsoft has released patches for the previous SmartScreen vulnerabilities (CVE-2023-24880, CVE-2023-32049).