Cybersecurity experts have recently discovered the exploitation of CVE-2023-36025, leading to the emergence of a new strain of malware known as Phemedrone Stealer. This malicious software specifically targets web browsers and gathers data from cryptocurrency wallets and messaging applications like Telegram, Steam, and Discord. In addition to this, Phemedrone collects system information, including hardware details and location, and sends this stolen data to the attackers through Telegram or their command-and-control (C2) server.
The vulnerability in question affects Microsoft Windows Defender SmartScreen and arises from insufficient checks on Internet Shortcut (.url) files. Threat actors take advantage of this loophole by crafting .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen warnings. Microsoft addressed this vulnerability on November 14, 2023, but its exploitation in the wild prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) list on the same day.
Various malware campaigns, including those distributing the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains since its discovery. Attackers typically host malicious .url files on cloud services like Discord or FileTransfer.io, using URL shorteners to disguise these files. Once the malicious .url file exploiting CVE-2023-36025 is executed, the malware utilizes defense evasion techniques such as DLL sideloading and dynamic API resolving to obfuscate its presence. The malware achieves persistence by creating scheduled tasks and using an encrypted second-stage loader.
Phemedrone Stealer’s second stage uses Donut, an open-source shellcode loader that allows various file types to be executed in memory. The malware dynamically targets a wide range of applications and services, extracting sensitive information including credentials from browsers, crypto wallets, Discord, FileZilla, Steam, and more. It also employs a sophisticated data exfiltration process: the harvested data is compressed and sent through the Telegram API, with the Telegram API token validated before use, and a detailed system information report is transmitted to the attackers alongside it.
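The exfiltration behaviour described above (validate the Telegram bot token, then upload the harvested data) leaves a recognisable trace in web proxy logs, because Telegram Bot API requests carry the bot token in the URL path. The following hunting script is an added example written for this article, not code from Trend Micro or from the malware itself. It assumes a constructed space-separated proxy log format (`timestamp host process verb url`), that `getMe` is the call used for token validation (the standard Bot API method for that purpose), and that no sanctioned process on the monitored endpoints should be talking to the Bot API at all; adjust the last assumption to your own environment.

```python
"""Hunt proxy logs for Telegram Bot API traffic that matches the stealer exfiltration pattern.

Added example, not part of the original article. Assumptions:
  * log lines look like "<timestamp> <host> <process> <verb> <url>" (constructed format);
  * getMe is the token-validation call and sendDocument is the upload call;
  * no legitimate endpoint process in this environment uses the Telegram Bot API.
"""
import re
from collections import defaultdict

# Bot API URLs embed the bot token in the path: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<process>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)$"
)

# Constructed sample log lines; hostnames, process names and tokens are made up.
SAMPLE_PROXY_LOG = """\
2024-01-15T10:01:02Z WS-0117 chrome.exe GET https://www.example.com/index.html
2024-01-15T10:03:41Z WS-0117 updater.exe GET https://api.telegram.org/bot123456789:AAEXAMPLEbotSECRETxxxxxxxxxxxxxxxx/getMe
2024-01-15T10:03:45Z WS-0117 updater.exe POST https://api.telegram.org/bot123456789:AAEXAMPLEbotSECRETxxxxxxxxxxxxxxxx/sendDocument
2024-01-15T10:05:10Z WS-0202 firefox.exe GET https://api.telegram.org/
2024-01-15T10:06:00Z WS-0303 python.exe POST https://api.telegram.org/bot987654321:BBEXAMPLEanotherSECRETyyyyyyyyyyyy/sendMessage
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the hunt."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def mask_token(bot_id, secret):
    """Keep the bot id for correlation across hosts, but never write the secret into a finding."""
    return f"{bot_id}:{secret[:2]}{'*' * (len(secret) - 2)}"


def hunt(text):
    """Return findings keyed by (host, process) for every Bot API caller seen in the log."""
    seen = defaultdict(lambda: {"methods": [], "tokens": set(), "first_seen": None})
    for rec in parse_log(text):
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue  # plain browsing to telegram.org is not the signal we are after
        entry = seen[(rec["host"], rec["process"])]
        entry["methods"].append(m["method"])
        entry["tokens"].add(mask_token(m["bot_id"], m["secret"]))
        entry["first_seen"] = entry["first_seen"] or rec["ts"]

    findings = {}
    for key, entry in seen.items():
        methods = entry["methods"]
        # Token validation (getMe) followed by a document upload is the stealer sequence
        # the article describes; anything else is still worth a look but scored lower.
        if "getMe" in methods and "sendDocument" in methods[methods.index("getMe"):]:
            severity, reason = "high", "token check followed by document upload"
        else:
            severity, reason = "medium", "Bot API use from an endpoint process"
        findings[key] = {
            "severity": severity,
            "reason": reason,
            "methods": methods,
            "tokens": sorted(entry["tokens"]),
            "first_seen": entry["first_seen"],
        }
    return findings


if __name__ == "__main__":
    for (host, proc), f in sorted(hunt(SAMPLE_PROXY_LOG).items()):
        print(f"[{f['severity']}] {host} {proc} ({f['first_seen']}): "
              f"{f['reason']}; methods={f['methods']} tokens={f['tokens']}")
```

Two design points: the bot id is kept in the finding because the same bot token reused across several hosts ties infections to one campaign, while the secret is masked so the hunting output itself never becomes a credential leak; and ordinary requests to `api.telegram.org` without a `/bot<token>/` path are ignored, because it is the Bot API path, not the domain, that indicates automation rather than a user's browser.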
Despite Microsoft releasing a patch for CVE-2023-36025, threat actors continue to exploit this vulnerability, which underlines the need for organizations to update their Windows installations promptly. Trend Micro has advised organizations to ensure that their Microsoft Windows installations are up to date to avoid exposure to the Microsoft Windows Defender SmartScreen bypass. With public proof-of-concept exploit code available online, the risk to organizations that have not yet updated to the latest patched version is significantly increased.