Hackers Discover New Way to Deploy Crypto-Siphoning Phemedrone Stealer

Researchers found hackers exploiting a recently patched security vulnerability in Microsoft Windows to deploy an open-source information stealer known as Phemedrone Stealer.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, “Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data then goes to the attackers via Telegram or their command-and-control (C&C) server.”

The attacks exploit CVE-2023-36025, a security bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8. Hackers exploit the flaw by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file.

Microsoft Addresses Flaw

Microsoft addressed the vulnerability as part of its November 2023 Patch Tuesday update.

The infection process involves threat actors hosting malicious Internet Shortcut files on platforms like Discord or cloud services such as FileTransfer.io. They disguise the link using URL shorteners like Short URL.

When executed, the malicious .URL file connects to an actor-controlled server and runs a control panel (.CPL) file in a way that bypasses Windows Defender SmartScreen, taking advantage of CVE-2023-36025.

“When users execute the malicious .CPL file through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL,” the researchers explained. “This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”

The subsequent payload is a PowerShell loader (“DATA3.txt”) that serves as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.
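As an added example (not code from Trend Micro or from the article), the following Python triage routine parses an Internet Shortcut file and flags the pattern the chain above starts with: a URL= target that resolves to a .CPL item on a remote host. The remote-host heuristic, the local-host list and the sample shortcut contents are this example's own assumptions.

```python
# Triage .URL (Internet Shortcut) files for a URL= target that points at a
# control panel (.CPL) item on a remote host. Heuristics and samples are
# constructed for this example; they are not from the Trend Micro research.
from urllib.parse import urlparse

LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}   # assumption: treated as non-remote


def parse_url_file(text: str) -> dict[str, str]:
    """Return key=value fields under [InternetShortcut], keys lowercased."""
    fields: dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def split_target(target: str) -> tuple[str, str]:
    """Return (host, path) for a URL= value; handles UNC paths as well as URLs."""
    if target.startswith("\\\\"):                       # \\host\share\file.cpl
        host, _, rest = target[2:].partition("\\")
        return host.lower(), "\\" + rest
    parsed = urlparse(target)
    return (parsed.hostname or ""), parsed.path         # hostname is None for file:///C:/...


def triage_url_file(text: str) -> list[str]:
    """Return reasons the shortcut matches the remote-.CPL lure; empty list = not flagged."""
    target = parse_url_file(text).get("url", "")
    if not target:
        return []
    host, path = split_target(target)
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # final path component
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    remote = host not in LOCAL_HOSTS
    reasons = []
    if remote and ext == "cpl":
        reasons.append(f"URL= points at a control panel item on remote host {host!r}")
    if remote and (target.startswith("\\\\") or target.lower().startswith("file:")):
        reasons.append("URL= is a file:// or UNC path to a remote share")
    return reasons


# Constructed sample shortcut contents (203.0.113.10 is a documentation address).
LURE_URL_FILE = "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.cpl\r\n"
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/report.pdf\r\n"
LOCAL_CPL_URL_FILE = "[InternetShortcut]\r\nURL=file:///C:/Windows/System32/timedate.cpl\r\n"
```

A local .CPL reference is deliberately not flagged, so the routine can be pointed at a mail-attachment or download directory without tripping on ordinary shortcuts.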

Who Maintains Phemedrone Stealer?

Developers on GitHub and Telegram actively maintain Phemedrone Stealer, enabling the theft of sensitive information from compromised systems.

This development underscores the adaptability of threat actors, who swiftly adjust their attack tactics to capitalize on newly disclosed vulnerabilities even after those vulnerabilities have been patched. The researchers note that despite the patch for CVE-2023-36025, threat actors continue to find ways to exploit it, evading Windows Defender SmartScreen protections and infecting users with various malware types, including ransomware and stealers like Phemedrone Stealer.
