January 15, 2024 at 07:48AM
A Windows SmartScreen vulnerability (CVE-2023-36025) is being actively exploited to deliver Phemedrone Stealer malware, as reported by Trend Micro. Despite patches being released, threat actors continue to exploit the bug to bypass Windows Defender SmartScreen protection, leading to infections. The malware, written in C#, can steal a wide range of data and is actively maintained on GitHub and Telegram.
From the meeting notes, the key takeaways are:
1. A recent vulnerability in Windows SmartScreen, tracked as CVE-2023-36025 with a CVSS score of 8.8, has been actively exploited in attacks, according to cybersecurity firm Trend Micro.
2. Microsoft released patches for this security defect on November 14, 2023, and the US cybersecurity agency CISA added it to its Known Exploited Vulnerabilities catalog.
3. The vulnerability allows an attacker to bypass Windows Defender SmartScreen checks and prompts by sending a crafted internet shortcut file (URL) to a user and convincing them to click on it.
7. Exploitation of this bug has been observed in the wild, and various proof-of-concept (PoC) exploits have been released, with threat actors incorporating exploits for this vulnerability into their attack chains.
5. Trend Micro reports that a malicious campaign is actively exploiting CVE-2023-36025 to deliver Phemedrone Stealer, a previously unknown malware strain capable of harvesting a range of information from infected systems.
6. Phemedrone Stealer is written in C#, available as open source, actively maintained on GitHub and Telegram, and is capable of stealing data from web browsers, cryptocurrency wallets, messaging applications, taking screenshots, and gathering system information, which is then exfiltrated via Telegram or to the attackers’ command-and-control (C&C) server.
10. The malicious URL files exploiting CVE-2023-36025 are hosted on Discord or other cloud services. They download and execute a Control Panel item (.cpl) file, which calls rundll32.exe to execute a malicious DLL acting as a loader for the next stage, which is hosted on GitHub.
8. Despite the patch, threat actors continue to exploit CVE-2023-36025 to infect users with various malware types, including ransomware and stealers like Phemedrone Stealer.
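As an added example (not code from the Trend Micro report or from this summary), the following defender-side heuristic runs over constructed process-creation events and flags the rundll32.exe-loads-a-.cpl step of the chain in item 7 when the .cpl sits in a user-writable directory; the event field names, paths and file names are assumptions.

```python
import re

# Constructed sample events (hypothetical, not from the report), in a simplified
# Sysmon-like shape: image, command line, parent image, parent command line.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Local\Temp\update.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe",
     "ParentCommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Local\Temp\update.cpl"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe",
     "ParentCommandLine": r'"C:\Windows\System32\control.exe" timedate.cpl'},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

# Directories a standard user can write to; a legitimate Control Panel item normally
# lives under the Windows directory, so a .cpl loaded from here is worth a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I)
# First quoted or bare argument that ends in .cpl
CPL_ARG = re.compile(r'"?([^"\s]+\.cpl)"?', re.I)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def suspicious_cpl_launch(event: dict):
    """Return a reason string if rundll32.exe loads a .cpl from a user-writable path, else None."""
    if not is_rundll32(event.get("Image", "")):
        return None
    match = CPL_ARG.search(event.get("CommandLine", ""))
    if not match:
        return None
    cpl_path = match.group(1)
    if USER_WRITABLE.search(cpl_path):
        return f"rundll32.exe loading Control Panel item from user-writable path: {cpl_path}"
    return None


def scan(events):
    """Return (index, reason) pairs for every event the heuristic flags."""
    hits = []
    for idx, event in enumerate(events):
        reason = suspicious_cpl_launch(event)
        if reason:
            hits.append((idx, reason))
    return hits
```

Pair this with the file-creation event for the .cpl itself (written by a browser or by a download triggered from a .url file) to confirm the delivery path before escalating.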