Researchers at Trend Micro have identified a novel malware strain, Phemedrone Stealer, that exploits a previously patched vulnerability in Windows Defender SmartScreen. Although Microsoft patched CVE-2023-36025 on November 14, cybercriminals are still leveraging it with Phemedrone Stealer to acquire sensitive information from unsuspecting users.
The malware, which targets a variety of software products including browsers, file managers, and communication platforms, infects systems through specially crafted .url files. Once opened, these files download and execute malicious scripts that bypass the protective measures of Windows Defender SmartScreen. This lets the malware operate stealthily without triggering the security warnings that usually alert users to potential threats.
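Because the initial lure is an Internet Shortcut (.url) file, a defender's first triage step is to look at what such a file actually points to. The following Python helper is an added example, not code from Trend Micro or from the article; it parses the INI-style .url format and applies general heuristics (non-web schemes, remote shares, targets that name an executable or script) that are assumptions for this example rather than the specific contents of the Phemedrone lures.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Added example; the heuristics are general assumptions about what merits a
closer look, not the specifics of any particular malware lure.
"""
import configparser
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import urlparse

# Schemes a benign desktop shortcut normally uses (assumption for this example).
EXPECTED_SCHEMES = {"http", "https"}
# File extensions that should never be the target of a web shortcut (assumption).
RISKY_SUFFIXES = {"exe", "cpl", "js", "vbs", "hta", "ps1", "bat", "cmd", "msi"}


@dataclass
class UrlShortcutReport:
    target: Optional[str]
    scheme: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_url_shortcut(content: str) -> UrlShortcutReport:
    """Parse the text of a .url file and report anything worth a second look.

    .url files are INI-formatted with an [InternetShortcut] section whose
    URL= key holds the target.  interpolation=None stops configparser from
    choking on '%' in URLs; strict=False tolerates duplicate keys.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written (URL, IconFile, ...)
    try:
        parser.read_string(content)
    except configparser.Error as exc:
        return UrlShortcutReport(None, None, [f"not a valid INI-style shortcut: {exc}"])

    if "InternetShortcut" not in parser:
        return UrlShortcutReport(None, None, ["no [InternetShortcut] section"])
    target = parser["InternetShortcut"].get("URL")
    if not target:
        return UrlShortcutReport(None, None, ["missing URL= entry"])

    parsed = urlparse(target.strip())
    scheme = parsed.scheme.lower() or None
    findings: List[str] = []
    if scheme not in EXPECTED_SCHEMES:
        findings.append(f"unexpected scheme: {scheme}")
    if scheme == "file" and parsed.netloc:
        # file://host/share/... reaches out to a remote share rather than a web page
        findings.append(f"target is a remote share: {parsed.netloc}")
    suffix = PurePosixPath(parsed.path).suffix.lower().lstrip(".")
    if suffix in RISKY_SUFFIXES:
        findings.append(f"target names an executable or script file (.{suffix})")
    return UrlShortcutReport(target.strip(), scheme, findings)


if __name__ == "__main__":
    # Constructed sample inputs, not real lure contents.
    benign = "[InternetShortcut]\nURL=https://example.com/docs\n"
    odd = "[InternetShortcut]\nURL=file://fileserver.example/share/invoice.cpl\nIconIndex=0\n"
    for sample in (benign, odd):
        report = parse_url_shortcut(sample)
        print(report.target, "->", report.findings or "nothing unusual")
```

The report is a starting point for analysis, not a verdict: a shortcut that points at an ordinary web page can still lead to a download, so the target host itself should be checked against reputation data and proxy logs.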
Once the malware has evaded detection, it downloads its payload and establishes persistence on the target system. From there, Phemedrone Stealer begins its primary operation: searching the system for a wide range of specific file types and sensitive information, including system details and screenshots, and exfiltrating what it finds.
Data Exfiltration Tactics
The operators of Phemedrone Stealer use Telegram's API to transfer the collected data. The stolen information, which includes comprehensive system details such as geolocation and other personal data, is gathered from Windows 10 and Windows 11 systems. System information is sent first, followed by a ZIP archive containing all of the stolen data.
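The two-step pattern described above (a short system-information message, then a large ZIP upload over Telegram's API) is something network telemetry can catch. The Python sketch below is an added example, not Trend Micro's or the article's code; it assumes proxy logs with the fields shown, that the stealer reaches the Bot API host api.telegram.org (the article only says "Telegram's API"), and a small allow-list of processes expected to talk to Telegram. The log lines, thresholds and bot token are constructed for the example.

```python
"""Detection sketch for Telegram Bot API abuse as an exfiltration channel.

Added example with constructed proxy log lines; the host name, field layout,
allow-list, window and size threshold are all assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Processes expected to talk to Telegram on a workstation (assumption).
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Bot API calls look like https://api.telegram.org/bot<token>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot[^/]+/(?P<method>\w+)", re.I)
# A text message followed by a large document upload within this window matches
# the "system info first, then ZIP archive" sequence (assumed values).
SEQUENCE_WINDOW = timedelta(minutes=5)
LARGE_UPLOAD = 500_000  # bytes

LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) bytes_out=(?P<bytes>\d+)"
)

# Constructed sample log; the token "1234:EXAMPLETOKEN" is a placeholder.
CONSTRUCTED_LOG = """\
2024-01-16T10:21:58Z host=WS-117 proc=C:\\Program Files\\Telegram\\Telegram.exe method=POST url=https://api.telegram.org/bot999:EXAMPLE/getUpdates bytes_out=812
2024-01-16T10:22:01Z host=WS-042 proc=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe method=POST url=https://api.telegram.org/bot1234:EXAMPLETOKEN/sendMessage bytes_out=1894
2024-01-16T10:22:09Z host=WS-042 proc=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe method=POST url=https://api.telegram.org/bot1234:EXAMPLETOKEN/sendDocument bytes_out=2310448
2024-01-16T10:25:30Z host=WS-007 proc=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe method=GET url=https://api.telegram.org/ bytes_out=0
"""


def parse_line(line: str) -> Optional[dict]:
    """Turn one proxy log line into a dict, or None if it does not match the layout."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
        "host": d["host"],
        "proc": d["proc"],
        "method": d["method"],
        "url": d["url"],
        "bytes": int(d["bytes"]),
    }


def detect_telegram_exfil(log_text: str) -> List[dict]:
    """Flag Bot API calls from unexpected processes; escalate the message-then-upload sequence."""
    alerts: List[dict] = []
    last_message: Dict[Tuple[str, str], datetime] = {}  # (host, proc) -> last sendMessage time
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        api = BOT_API.search(ev["url"])
        if not api:
            continue
        proc_name = ev["proc"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if proc_name in ALLOWED_PROCESSES:
            continue
        method = api.group("method").lower()
        key = (ev["host"], ev["proc"])
        alert = {
            "host": ev["host"],
            "proc": ev["proc"],
            "api_method": method,
            "severity": "medium",
            "reason": "Telegram Bot API call from a non-allow-listed process",
        }
        if method == "sendmessage":
            last_message[key] = ev["ts"]
        elif method == "senddocument":
            prev = last_message.get(key)
            if prev is not None and ev["ts"] - prev <= SEQUENCE_WINDOW and ev["bytes"] >= LARGE_UPLOAD:
                alert["severity"] = "high"
                alert["reason"] = "sendMessage followed by a large sendDocument upload (system info, then archive)"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_telegram_exfil(CONSTRUCTED_LOG):
        print(a["severity"].upper(), a["host"], a["proc"], a["api_method"], "-", a["reason"])
```

Process-name allow-listing is deliberately weak on its own, since a dropped binary can be named anything; the value of the rule is the sequence and size escalation, which does not depend on the name. In an environment where no legitimate software uses the Bot API, the allow-list can simply be emptied.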
Keeping systems updated with the latest security patches is essential to ward off attacks from malware like Phemedrone Stealer. With Microsoft's prompt response to CVE-2023-36025, users who apply the update in a timely manner substantially reduce their risk of compromise through this specific vector. Vigilance and good cybersecurity practices nonetheless remain paramount, as threat actors continually seek new ways to exploit even the most minor weaknesses.