Phemedrone Stealer spreads via Windows SmartScreen flaw

February 16, 2024

A cybercriminal operation is distributing the Phemedrone Stealer by exploiting CVE-2023-36025, a now-patched security feature bypass in Windows SmartScreen. The flaw lets a crafted Internet Shortcut (.url) file open without triggering the SmartScreen warning that normally precedes the launch of content from an untrusted source.

According to reports, the attackers are using the bug to deliver a new strain of malware, the Phemedrone Stealer, which targets cryptocurrency wallets and applications such as Telegram, Steam, and Discord.

The infection chain begins with malicious Internet Shortcut (.url) files hosted on widely used platforms such as Discord or file-sharing services such as FileTransfer.io. A victim who opens one of these shortcuts is sent to an attacker-controlled server, which serves a Control Panel item (.cpl) file. Because the shortcut exploits the SmartScreen bypass, the usual warning is not displayed, and the downloaded .cpl is executed, starting the Phemedrone Stealer infection.
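The lure in this chain is a .url file whose target is a remotely hosted executable, which is something a defender can check for directly. The following Python is an added example, not code from this page or from the researchers who reported the campaign: it parses Windows Internet Shortcut files (INI syntax with an [InternetShortcut] section and a URL= key) and flags shortcuts whose target is both off-host and of an executable type. The sample shortcuts, their hosts (RFC 5737 documentation addresses) and paths are constructed, and the list of extensions beyond .cpl is an assumption of the example.

```python
import ipaddress
import posixpath
from configparser import Error as ConfigError, RawConfigParser
from typing import Optional
from urllib.parse import urlparse

# Target extensions Windows will run (or hand to a code-executing handler)
# when a shortcut is opened. The article names .cpl; the rest are an
# assumption of this example, not taken from the report.
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs",
                         ".ps1", ".bat", ".cmd", ".msi", ".lnk"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from a Windows .url file (INI syntax), or None."""
    parser = RawConfigParser(strict=False)            # tolerate duplicate keys
    try:
        # drop a UTF-8 BOM and normalise Windows line endings before parsing
        parser.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    except ConfigError:                               # not INI at all
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    # option names are case-insensitive in configparser, so URL/Url both match
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_internet_shortcut(text: str) -> dict:
    """Flag a .url file whose target is a remotely hosted executable.

    Heuristic written for this example: a shortcut pointing off-host to a file
    Windows will execute (the .cpl pattern above) is worth alerting on; a
    remote web page or a local Control Panel item is ordinary.
    """
    url = parse_internet_shortcut(text)
    result = {"url": url, "suspicious": False, "reasons": []}
    if not url:
        result["reasons"].append("no URL= entry")
        return result

    target = url.strip()
    if target.startswith("\\\\"):                     # bare UNC path \\host\share\x
        target = "file:" + target.replace("\\", "/")
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    ext = posixpath.splitext(parsed.path)[1].lower()

    remote = scheme in REMOTE_SCHEMES or (scheme == "file" and host != "")
    executable = ext in EXECUTABLE_EXTENSIONS

    if executable:
        result["reasons"].append(f"executable target ({ext})")
    if remote:
        result["reasons"].append(f"remote target via {scheme} ({host})")
    try:
        ipaddress.ip_address(host)
        result["reasons"].append("host is a bare IP address")
    except ValueError:
        pass

    # Only the combination is alert-worthy on its own.
    result["suspicious"] = executable and remote
    return result


def scan_shortcuts(files: dict) -> list:
    """Return the names of .url files (name -> content) that look like lures."""
    return sorted(name for name, text in files.items()
                  if classify_internet_shortcut(text)["suspicious"])


# Constructed samples: documentation-range hosts, invented paths.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://www.example.com/docs/report.html\r\n"
LURE_URL = ("[InternetShortcut]\r\nURL=http://203.0.113.10/share/payload.cpl\r\n"
            "IconIndex=0\r\nIconFile=C:\\Windows\\System32\\shell32.dll\r\n")
WEBDAV_URL = "[InternetShortcut]\r\nURL=file://203.0.113.10/DavWWWRoot/payload.cpl\r\n"
LOCAL_CPL_URL = "[InternetShortcut]\r\nURL=file:///C:/Windows/System32/main.cpl\r\n"

if __name__ == "__main__":
    samples = {"report.url": BENIGN_URL, "invoice.url": LURE_URL,
               "update.url": WEBDAV_URL, "mouse.url": LOCAL_CPL_URL}
    for name, text in samples.items():
        print(name, classify_internet_shortcut(text))
    print("flagged:", scan_shortcuts(samples))
```

Run over a directory of user downloads or mail attachments, the scan surfaces only shortcuts that combine a remote host with an executable target; the local .cpl and the remote .html both pass, which keeps the check usable alongside ordinary shortcuts. It does not replace the patch: a shortcut that fails the SmartScreen check on an unpatched host still runs if the user opens it.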

The Phemedrone Stealer is sophisticated malware that can bypass security solutions.

Investigators report that the Phemedrone Stealer uses a multi-stage infection chain built around defence-evasion techniques such as DLL sideloading and dynamic API resolution.

These techniques let the malware avoid detection while it runs its payload. Once active, the stealer establishes persistence and harvests sensitive data from web browsers, cryptocurrency wallets, and messaging apps.

The malware's exfiltration path is notable: stolen data is sent to the operators through a conventional command-and-control (C2) server and through Telegram. Phemedrone is also an open-source stealer that its operators maintain on both GitHub and Telegram, which illustrates how readily such tooling is shared and sustained among cybercriminals.

The incident also shows how quickly attackers fold new exploits into existing tooling: a SmartScreen bypass patched only weeks earlier was already part of a working malware delivery chain.

No one should disregard the importance of keeping software up to date as threats evolve. Users and organisations should apply updates promptly (Microsoft shipped the fix for this SmartScreen flaw in its November 2023 Patch Tuesday release), educate employees about safe online practices, and deploy comprehensive security controls.

Staying ahead of cybercriminals requires a proactive and collaborative approach. The exploitation of CVE-2023-36025 is a reminder of how relentless those challenges are.
