Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer named Phemedrone Stealer.
“Phemedrone targets web browsers and data from cryptocurrency wallets and messaging applications such as Telegram, Steam, and Discord,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.
“It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server.”
The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) file or a hyperlink pointing to an Internet Shortcut file.
The actively exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.
The infection process involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, with the links also masked using URL shorteners such as Short URL.
Executing the booby-trapped .URL file causes it to connect to an actor-controlled server and execute a control panel (.CPL) file in a manner that circumvents Windows Defender SmartScreen by taking advantage of CVE-2023-36025.
“When the malicious .CPL file is executed by the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL,” the researchers said. “This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”
The follow-on payload is a PowerShell loader (“DATA3.txt”) that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.
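The process chain described above (Control Panel binary → rundll32.exe → PowerShell) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Trend Micro: it parses constructed, Sysmon-style process-creation events (newline-delimited JSON, a simplification I assume here) and flags any process whose ancestry matches that exact chain.

```python
import json
import ntpath

# Parent -> child order of the loader chain the article describes.
CHAIN = ("control.exe", "rundll32.exe", "powershell.exe")

# Constructed sample events (not telemetry from the incident on the page).
# pid 400 is the chain of interest; pids 500/600 are a benign Control Panel launch.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\control.exe"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\rundll32.exe"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\control.exe"}
{"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\rundll32.exe"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON process-creation events into a pid-keyed dict."""
    events = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Normalise to the lower-cased executable name so path casing does not matter.
        ev["name"] = ntpath.basename(ev["image"]).lower()
        events[ev["pid"]] = ev
    return events


def ancestry(events, pid, depth=len(CHAIN)):
    """Return executable names walking from `pid` up its parents, child first."""
    names = []
    while pid in events and len(names) < depth:
        names.append(events[pid]["name"])
        pid = events[pid]["ppid"]
    return names


def find_suspicious_chains(log_text):
    """Return pids whose ancestry matches CHAIN exactly (powershell under rundll32 under control)."""
    events = parse_events(log_text)
    wanted = list(reversed(CHAIN))
    return [pid for pid in sorted(events) if ancestry(events, pid) == wanted]


if __name__ == "__main__":
    print("suspicious pids:", find_suspicious_chains(SAMPLE_LOG))
```

The benign Control Panel launch (pids 500/600) is not flagged because no PowerShell child follows it; a real deployment would also correlate the PowerShell command line and any outbound download it performs.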
Written in C#, Phemedrone Stealer is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive data from compromised systems.
The development is once again a sign that threat actors are becoming increasingly adaptable and quickly adjusting their attack chains to capitalize on newly disclosed exploits and inflict maximum damage.
“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a myriad of malware types, including ransomware and stealers like Phemedrone Stealer,” the researchers said.
Some parts of this article are sourced from:
thehackernews.com