
Why we update… Data-thief malware exploits SmartScreen on unpatched Windows PCs

Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information – passwords, cookies, authentication tokens, you name it – to grab and leak.

The malware abuses CVE-2023-36025, which Microsoft patched in November. Specifically, the flaw allows Phemedrone and other malicious software to sidestep protections in Windows that are supposed to help users avoid running hostile code. When Redmond issued a fix, it warned the bug had already been found by miscreants and exploited in the wild. 

Shortly after Microsoft plugged the hole, the patch was reverse-engineered to produce a proof-of-concept exploit. Now that everyone knows how to attack systems using this vulnerability, update your Windows machines to close off this avenue if you haven’t already.

In research published today, Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun detail the Phemedrone info-stealer, including how it works, how it uses CVE-2023-36025 to infect a PC, and how to detect its presence on a network.

We’re told the malware targets a ton of browsers and applications on victims’ PCs, lifting sensitive info from files of interest and sending the data to fraudsters to exploit. These targets include Chromium-based browsers as well as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator. Phemedrone looks for things like passwords, cookies, and autofill information to exfiltrate; once this data is in the hands of the malware’s operators, it can be used to log into the victims’ online accounts and cause all sorts of damage and strife.

The code also steals files and other user data from several cryptocurrency wallets and messaging apps including Discord and Telegram, and login details for the Steam gaming platform.

In addition, it gathers up a bunch of telemetry, including hardware specs, geolocation data, and operating system information, and takes screenshots, sending all of this off to the attackers via Telegram or to a remote command-and-control server.

Miscreants infect victims’ machines with Phemedrone by tricking marks into downloading and opening a malicious .url file from, say, a website. That file exploits CVE-2023-36025 to evade the Windows SmartScreen as it downloads and opens a .cpl file, which is a Windows control panel item. The user doesn’t get a chance to be warned by SmartScreen that the .url file is from an untrusted source and what they are doing is dangerous and should be blocked. Instead, as a result of the exploited bug, their PC gets infected. As Team Trend put it:

It appears the .cpl fetched by the .url is really a .dll, and this begins executing when the control panel item is opened by the Windows Control Panel. This .dll acts as a loader that calls on PowerShell to execute the next stage of the attack, which is fetched from GitHub.

That stage is another PowerShell loader named DATA3.txt, which downloads and opens a .zip also hosted on GitHub. The archive contains three parts:

  • WerFaultSecure.exe, which is a legitimate Windows Fault Reporting binary. 
  • Wer.dll, a malicious binary that is sideloaded when WerFaultSecure.exe is executed. 
  • Secure.pdf, an RC4-encrypted second stage loader that ultimately brings the Phemedrone Stealer binary onto the PC to run. 

Throughout the process, the malware uses several obfuscation techniques to mask its contents and evade detection. The Phemedrone Stealer, when executed, decrypts the details needed to access the Telegram API and begins exfiltration of the victim’s information.
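For defenders, the delivery step described above (a .url file that points at a .cpl) can be triaged with a short parser. This is an added example, not code from Trend Micro or from this article: it assumes the standard `[InternetShortcut]` / `URL=` layout of Internet Shortcut files, and the function names, sample files and placeholder hosts are constructed.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Extensions treated as executable when a shortcut points at them. ".cpl" is
# the type named in the article; extend the set to match local policy.
RISKY_EXTENSIONS = {".cpl"}


def shortcut_target(url_file_text):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(url_file_text)
    except configparser.Error:
        return None  # not INI-shaped, so there is no target to inspect
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser[section].get("url")  # option names are case-insensitive
    return None


def triage(url_file_text):
    """Classify one .url file as 'suspicious', 'ok' or 'unparseable'."""
    target = shortcut_target(url_file_text)
    if not target:
        return "unparseable"
    try:
        # Normalise backslashes so UNC-style targets split the way URLs do,
        # and drop any query string before looking at the extension.
        path = unquote(urlsplit(target.strip().replace("\\", "/")).path)
    except ValueError:
        return "unparseable"
    ext = PurePosixPath(path).suffix.lower()
    return "suspicious" if ext in RISKY_EXTENSIONS else "ok"


# Constructed samples (placeholder hosts, not indicators from the research).
SAMPLES = {
    "invoice.url": "[InternetShortcut]\nURL=https://files.example.invalid/docs/report.CPL\n",
    "news.url": "[InternetShortcut]\nURL=https://www.example.com/index.html\nIconIndex=0\n",
    "broken.url": "this is not a shortcut file\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {triage(text)}")
```

A hit is a reason to quarantine and inspect the shortcut, not proof of Phemedrone; patching CVE-2023-36025 remains the actual fix.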

So, again, if you didn’t do so in November, it’s high time to update your Windows installations or risk becoming the next victim of these data thieves. ®