Windows SmartScreen flaw exploited to drop Phemedrone malware

January 15, 2024 at 01:34PM

Phemedrone malware exploits Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass security prompts in Windows. It steals data from web browsers, cryptocurrency wallets, and apps like Discord and Steam. The flaw was fixed in November 2023, but unpatched systems remain at risk. Trend Micro researchers have identified the specific apps and data targeted by Phemedrone.

The main takeaways from the article are:

1. A new Phemedrone information-stealing malware campaign is exploiting a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows security prompts when opening URL files.

2. Phemedrone is an open-source info-stealer malware that targets data stored in web browsers, cryptocurrency wallets, and software like Discord, Steam, and Telegram. The stolen data is then used for malicious activities or sold to other threat actors.

3. The CVE-2023-36025 vulnerability was fixed during the November 2023 Patch Tuesday, but proof-of-concept exploits were published shortly after, elevating the risk for unpatched Windows systems.

4. The attackers host malicious URL files on trusted cloud services and disguise the links with URL shortener services. When a victim opens one of these files, the SmartScreen prompt is bypassed and a malicious DLL payload is executed.

5. Once launched on a compromised system, Phemedrone steals data from various applications and platforms, including browsers, cryptocurrency wallets, Discord, file transfer applications, and messaging platforms like Telegram.

6. Trend Micro has published a complete list of indicators of compromise (IoCs) for the Phemedrone campaign.
