Threat actors have been observed taking advantage of a now-patched vulnerability in the Microsoft Windows operating system to deploy an open-source information stealer called Phemedrone Stealer.
“Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps like Telegram, Steam, and Discord,” said Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun.
“It also takes screenshots and collects system information related to hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command and control (C&C) server.”
The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen that can be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) file or a hyperlink pointing to one.
The actively exploited flaw has been addressed by Microsoft as part of the November 2023 Patch Tuesday updates.
The infection process involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, while also obscuring links using URL shorteners like Short URL.
Executing the booby-trapped .URL file allows it to connect to an actor-controlled server and execute a Control Panel (.CPL) file in a way that circumvents Windows Defender SmartScreen by leveraging CVE-2023-36025.
“When the malicious .CPL file is executed by the binary process in Windows Control Panel, it in turn calls rundll32.exe to execute the DLL file,” the researchers said. “This malicious DLL file acts as a loader that then calls Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”
The payload is a PowerShell loader (“DATA3.txt”) that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.
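As an added illustration that is not part of this article or the Trend Micro report, the following script shows how a defender can hunt for the process chain quoted above (Control Panel binary, then rundll32.exe, then PowerShell) in endpoint telemetry. The events, field names (`pid`, `ppid`, `image`, `cmdline`) and file paths are constructed assumptions modelled on Sysmon process-creation records.

```python
"""Flag PowerShell processes whose ancestry matches the .CPL execution chain
described for the CVE-2023-36025 / Phemedrone Stealer campaign:
control.exe -> rundll32.exe -> powershell.exe."""

# Constructed sample events (not real telemetry); one dict per process start.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'control.exe "C:\Users\u\Downloads\invoice.cpl"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\u\Downloads\invoice.cpl"'},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <download next stage>"},
    # Benign rundll32 use launched directly from Explorer: must not be flagged.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe printui.dll,PrintUIEntry"},
]

# Oldest ancestor first, matching the order the researchers describe.
CHAIN = ("control.exe", "rundll32.exe", "powershell.exe")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid, depth):
    """Image names of the process and its parents, nearest first, up to depth."""
    names = []
    while pid in by_pid and len(names) < depth:
        event = by_pid[pid]
        names.append(basename(event["image"]))
        pid = event["ppid"]
    return names


def find_cpl_chain(events):
    """Return pids of processes whose three-level ancestry equals CHAIN."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        ancestry = tuple(reversed(lineage(by_pid, event["pid"], len(CHAIN))))
        if ancestry == CHAIN:
            hits.append(event["pid"])
    return hits


if __name__ == "__main__":
    print("suspicious pids:", find_cpl_chain(EVENTS))  # prints [400]
```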
Phemedrone Stealer, written in C#, is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive information from compromised systems.
This development is yet another sign that threat actors are becoming more agile, quickly adapting their attack chains to take advantage of newly disclosed vulnerabilities and inflict maximum damage.
“Despite being patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a wide variety of malware types, including ransomware and information stealers like Phemedrone Stealer,” the researchers said.