Phemedrone malware affects Windows using a SmartScreen exploit

Trend Micro researchers have published a report warning Windows users of a new threat: Phemedrone Stealer, a malicious agent capable of stealing sensitive data from compromised devices.

What sets this infostealer apart from the many similar malware families is its exploitation of a specific vulnerability in Windows Defender SmartScreen. The flaw is tracked as CVE-2023-36025 and is rated high severity.

To exploit the vulnerability, the cybercriminals craft a file with the .URL extension or a malicious hyperlink. Opening the file or link downloads and executes a .cpl file, which in turn launches a malicious payload DLL through rundll32.exe.

This DLL then retrieves a ZIP file from a GitHub repository containing the second-stage loader: an apparent PDF that turns out to be a legitimate Windows binary (WerFaultSecure.exe) together with an additional DLL (who.dll), used to ensure the malware's persistence.
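The delivery chain just described gives defenders two concrete places to look: Internet Shortcut (.URL) files whose target is a remote executable file type such as a .cpl applet, and process telemetry in which rundll32.exe loads a .cpl or .dll from outside the Windows system directories. The Python below is an added example written for this article; it is not Trend Micro's tooling and not code from the campaign. The shortcut contents, hostnames, paths and log lines are constructed placeholders, and the tab-separated process-log format is an assumption.

```python
"""Defensive triage for the .URL -> .cpl -> rundll32.exe delivery chain.

Added example for this article; not Trend Micro's tooling and not code from the
campaign. All file contents, hostnames, paths and log lines below are
constructed placeholders, and the tab-separated process log format is assumed.
"""
import configparser
import re
from urllib.parse import urlparse

# ---------------------------------------------------------------------------
# 1. Internet Shortcut (.URL) files
# A .URL file is INI-style text; Windows opens whatever the URL= key in the
# [InternetShortcut] section points at. A target that is both remote and an
# executable file type (a .cpl control-panel applet in this campaign) is the
# pattern worth quarantining for review.
# ---------------------------------------------------------------------------
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}
EXECUTABLE_EXTS = (".cpl", ".dll", ".exe", ".hta", ".js", ".vbs", ".scr")


def assess_shortcut(text: str) -> dict:
    """Classify the contents of one .URL file as 'suspicious' or 'benign'."""
    # Only '=' is a delimiter so the ':' inside 'http://' is not mistaken for one.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    parsed = urlparse(target)
    # UNC paths (\\host\share\file) carry no scheme but are still remote.
    remote = parsed.scheme.lower() in REMOTE_SCHEMES or target.startswith("\\\\")
    path = parsed.path if parsed.scheme else target
    executable = path.lower().rstrip("/").endswith(EXECUTABLE_EXTS)
    return {
        "target": target,
        "remote": remote,
        "executable_target": executable,
        "verdict": "suspicious" if (remote and executable) else "benign",
    }


# ---------------------------------------------------------------------------
# 2. Process-creation telemetry
# Legitimate control-panel applets live under the Windows system directories.
# rundll32.exe loading a .cpl or .dll from a user-writable location (%TEMP%,
# Downloads, a network share) is the execution step of the chain and is a
# useful hunting signal regardless of how the file arrived.
# ---------------------------------------------------------------------------
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Quoted or unquoted arguments ending in .cpl/.dll; the greedy \S+ backtracks,
# so 'shell32.dll,Control_RunDLL' yields just 'shell32.dll'.
MODULE_RE = re.compile(r'"([^"]+\.(?:cpl|dll))"|(\S+\.(?:cpl|dll))', re.IGNORECASE)


def suspicious_modules(cmdline: str) -> list:
    """Return .cpl/.dll paths handed to rundll32.exe that sit outside SYSTEM_DIRS.

    Bare module names such as 'shell32.dll' are resolved by the loader and are
    not flagged; only fully qualified paths outside the system dirs are.
    """
    if "rundll32" not in cmdline.lower():
        return []
    flagged = []
    for quoted, bare in MODULE_RE.findall(cmdline):
        mod = quoted or bare
        low = mod.lower()
        qualified = "\\" in low or "/" in low
        if qualified and not low.startswith(SYSTEM_DIRS):
            flagged.append(mod)
    return flagged


def scan_process_log(log: str) -> list:
    """Scan assumed 'timestamp<TAB>parent<TAB>command line' records."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, parent, cmdline = line.split("\t", 2)
        mods = suspicious_modules(cmdline)
        if mods:
            hits.append({"time": ts, "parent": parent, "modules": mods})
    return hits


# Constructed samples (placeholder names, not real campaign artefacts).
MALICIOUS_SHORTCUT = """\
[InternetShortcut]
URL=http://files.example.invalid/share/document.cpl
IconIndex=0
"""
BENIGN_SHORTCUT = """\
[InternetShortcut]
URL=https://www.example.com/
"""
SAMPLE_PROC_LOG = (
    "2024-01-16T10:02:11Z\texplorer.exe\t"
    "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\timedate.cpl\n"
    "2024-01-16T10:03:47Z\texplorer.exe\t"
    "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.cpl\n"
    "2024-01-16T10:03:48Z\trundll32.exe\t"
    "C:\\Windows\\System32\\rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll,Start\n"
    "2024-01-16T10:05:02Z\tsvchost.exe\t"
    "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL C:\\Users\\alice\\notes.txt\n"
)

if __name__ == "__main__":
    for sample in (MALICIOUS_SHORTCUT, BENIGN_SHORTCUT):
        print(assess_shortcut(sample))
    for hit in scan_process_log(SAMPLE_PROC_LOG):
        print(hit)
```

Run against the constructed data, the first shortcut is flagged because its target is both remote and a .cpl, the second is benign, and only the two log records that load a module from the user's Temp folder are reported; the system-directory applet and the shell32.dll invocation pass.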

In practice, a single click is enough to launch Phemedrone and wreak havoc on a Windows PC.

Phemedrone: Windows computers are protected with the November patch

As reported by Trend Micro, Phemedrone's targets include:

  • Chromium-based browsers;
  • Various password managers;
  • Microsoft Authenticator and Google Authenticator;
  • Crypto wallets (including Atom, Armory, Electrum and Exodus);
  • Discord and Telegram;
  • FTP management apps such as FileZilla;
  • Steam.

Once the data has been collected, the infostealer exfiltrates it via Telegram or directly to a command and control server run by the cybercriminals.

The SmartScreen flaw is in fact not new: it was fixed in the mid-November Patch Tuesday. Despite this, attackers are scouring the web for users who have not yet applied the update. For this reason, security experts strongly recommend updating Windows with the corrective patch, as it is the only concrete way to avoid infection.

As the experts point out, Phemedrone is not the only malware exploiting the SmartScreen vulnerability: several ransomware families have also seized on it as a new distribution channel.
