Monday, May 27 2024

TrendMicro Research
CVE-2023-36025: Phemedrone Stealer exploits Windows SmartScreen flaw

Cybersecurity researchers at Trend Micro discovered active exploitation of CVE-2023-36025 that is being used to spread a new type of malware called Phemedrone Stealer.

Phemedrone Stealer is malware that targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. It not only steals data, but also takes screenshots and collects important system information. The stolen data is sent to the attackers through Telegram or their command-and-control server. What sets it apart is that it is open-source malware written in C# and actively maintained on GitHub and Telegram.


Phemedrone Stealer owes its success to CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen. The vulnerability allows threat actors to create malicious .url files that avoid detection by Windows Defender SmartScreen. Microsoft fixed the issue on November 14, 2023, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its list of Known Exploited Vulnerabilities because of active exploitation.

Phemedrone Stealer infects users by hosting malicious Internet Shortcut files on platforms like Discord or cloud services such as FileTransfer.io. The files are disguised using URL shorteners to trick unsuspecting users. When a user opens the malicious .url file, the exploitation of CVE-2023-36025 begins.

Source: Trend Micro

When the harmful .url file is opened, Phemedrone Stealer connects to a server controlled by an attacker to download and run a .cpl file. The attackers use .cpl files to bypass Windows Defender SmartScreen’s security checks. They misuse the Windows Control Panel process to run these .cpl files, which are actually DLL files.
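For defenders triaging downloaded Internet Shortcut files, the check below flags a .url file whose `URL=` entry points at a remote .cpl (or similar executable) file. It is an added example, not code from Trend Micro's report or from this article; the extension list beyond `.cpl`, the function names and the sample file contents are assumptions constructed for illustration.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# ".cpl" is the file type this article describes; the other extensions are
# an assumption added here to widen the check to similar executable content.
EXECUTABLE_EXTS = {".cpl", ".dll", ".exe", ".hta", ".js", ".msi", ".vbs"}


def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file (keys lower-cased)."""
    # interpolation=None so that "%20" in a URL is not treated as a reference
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return {}  # not INI-formatted at all
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def triage(text):
    """Return findings for one .url file; an empty list means nothing flagged."""
    target = parse_shortcut(text).get("url", "").strip()
    if target.startswith("\\\\"):  # UNC path: \\host\share\file
        host = target[2:].split("\\", 1)[0]
        path, remote = target.replace("\\", "/"), True
    else:
        try:
            parsed = urlparse(target)
        except ValueError:
            return ["URL= value could not be parsed"]
        host, path = parsed.hostname, unquote(parsed.path)
        remote = bool(host) and parsed.scheme in {"http", "https", "file"}
    ext = PurePosixPath(path).suffix.lower()
    if remote and ext in EXECUTABLE_EXTS:
        return [f"URL= points at remote {ext} file on {host}"]
    return []


# Constructed sample files (not taken from the campaign).
SUSPICIOUS = "[InternetShortcut]\nURL=http://files.example.invalid/docs/report.cpl\nIconIndex=0\n"
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/a%20b/index.html\n"

if __name__ == "__main__":
    for name, body in (("suspicious.url", SUSPICIOUS), ("benign.url", BENIGN)):
        print(name, triage(body) or "nothing flagged")
```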

After executing the .cpl file, rundll32.exe is called to run the DLL. This DLL is malicious and serves as a loader, using Windows PowerShell to download and run the next stage of the attack from GitHub. The next stage is another PowerShell loader called DATA3.txt.
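The process chain described above (Control Panel process, then rundll32.exe, then PowerShell) can be hunted for in process-creation telemetry. The following detection logic is an added example, not part of the original article or Trend Micro's tooling; the event field names (`pid`, `ppid`, `image`, `cmdline`) and every event in the sample are constructed assumptions.

```python
from ntpath import basename  # parses Windows paths on any platform


def image_name(event):
    """Lower-cased executable file name of a process-creation event."""
    return basename(event["image"]).lower()


def find_cpl_powershell_chains(events):
    """Find PowerShell started by rundll32.exe that was started by control.exe."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    hits = []
    for ps in events:
        if image_name(ps) not in {"powershell.exe", "pwsh.exe"}:
            continue
        run = by_pid.get(ps["ppid"])
        if run is None or image_name(run) != "rundll32.exe":
            continue
        ctl = by_pid.get(run["ppid"])
        if ctl is None or image_name(ctl) != "control.exe":
            continue
        hits.append({"control_pid": ctl["pid"], "rundll32_pid": run["pid"],
                     "powershell_pid": ps["pid"], "control_cmdline": ctl["cmdline"]})
    return hits


SYS32 = "C:\\Windows\\System32\\"
# Constructed events: one chain matching the article's description, plus
# an ordinary Control Panel applet launch and an unrelated PowerShell session.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": SYS32 + "control.exe",
     "cmdline": r'control.exe "C:\Users\demo\Downloads\sample.cpl"'},
    {"pid": 300, "ppid": 200, "image": SYS32 + "rundll32.exe",
     "cmdline": r'rundll32.exe Shell32.dll,Control_RunDLL "C:\Users\demo\Downloads\sample.cpl"'},
    {"pid": 400, "ppid": 300, "image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed placeholder>"},
    {"pid": 500, "ppid": 100, "image": SYS32 + "control.exe", "cmdline": "control.exe timedate.cpl"},
    {"pid": 501, "ppid": 500, "image": SYS32 + "rundll32.exe",
     "cmdline": "rundll32.exe Shell32.dll,Control_RunDLL timedate.cpl"},
    {"pid": 600, "ppid": 100, "image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in find_cpl_powershell_chains(EVENTS):
        print("suspicious chain:", hit)
```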

The file DATA3.txt uses obfuscation techniques to hide its purpose, making it hard to understand with static analysis alone. Researchers used both static and dynamic analysis to understand the GitHub-hosted loader. They found a ZIP file in the same GitHub repository containing three files: WerFaultSecure.exe (legitimate), Wer.dll (malicious), and Secure.pdf (which is a second-stage loader encrypted with RC4).

Wer.dll is important for maintaining access by scheduling tasks. The loader tricks the system into loading a harmful file instead of the real one, using dynamic API resolving and the CRC-32 hashing algorithm. It also uses XOR-based algorithms for string decryption, which makes it more complex.

Phemedrone Stealer is well-equipped to harvest a wide array of sensitive information, including browser data, cryptocurrency wallet details, Discord tokens, and much more. It employs a custom method to dynamically locate all subclasses of IService, efficiently processing them. Following data collection, it compresses and exfiltrates the information through network traffic via the Telegram API.

Exploiting CVE-2023-36025 is still a serious threat, as cybercriminals are using it to spread malware like Phemedrone Stealer. This case shows how open-source malware and public proof-of-concept exploits are connected. To reduce the risk, organizations should quickly update their Microsoft Windows systems and be alert to new threats in cybersecurity.
