Trend Micro discovered a new attack campaign exploiting the now-patched security bypass bug (CVE-2023-36025) in Windows SmartScreen to spread a new strain of the Phemedrone Stealer. The malware targets cryptocurrency wallets and messaging apps, including Telegram, Steam, and Discord.
Diving into details
The Phemedrone Stealer infection begins with the attacker placing a set of malicious Internet Shortcut files on platforms like Discord or cloud services like FileTransfer.io.
By tricking users into clicking the malicious links, the attackers trigger the download of a Control Panel file (.cpl), which in turn launches the Phemedrone Stealer.
Delivered through these malicious Internet Shortcut files, the malware targets web browsers, cryptocurrency wallets, and messaging apps to steal sensitive data.
The stolen data is then sent to the attackers via Telegram or their C2 server. This open-source stealer is written in C# and is actively maintained on GitHub and Telegram.
The malware uses a multi-stage infection chain with defense evasion techniques, such as DLL sideloading and dynamic API resolving, to achieve persistence and execute its payload.
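As an added illustration of the delivery stage described above (not code from the Trend Micro report), the following triage script parses Internet Shortcut (.url) files and flags ones whose URL= target is a Control Panel (.cpl) item, the pattern this campaign relies on. The sample shortcuts and hosts are constructed for the example; the heuristic is an assumption about what a defender would want to surface, not a rule from the report.

```python
import configparser
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample .url files (not real campaign artifacts); hosts are
# documentation/reserved addresses.
SAMPLES = {
    "docs.url": "[InternetShortcut]\nURL=https://example.com/docs/index.html\n",
    "remote_cpl.url": "[InternetShortcut]\nURL=https://files.example.invalid/share/update.cpl\n",
    "unc_cpl.url": "[InternetShortcut]\nURL=file://203.0.113.10@80/share/payload.cpl\n",
    "no_section.url": "[Other]\nURL=https://example.com/\n",
}

# Target extensions treated as executable for this triage (assumed policy).
EXECUTABLE_TARGETS = (".cpl",)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None if missing."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs contain '%' escapes
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url: str) -> str:
    """Flag shortcuts whose target is a Control Panel item, remote or local."""
    parsed = urlparse(url)
    remote = parsed.scheme in ("http", "https", "file") and bool(parsed.netloc)
    if parsed.path.lower().endswith(EXECUTABLE_TARGETS):
        return "suspicious: remote .cpl target" if remote else "suspicious: local .cpl target"
    return "ok"


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each sample file name to a verdict; unparsable shortcuts are reported, not skipped."""
    verdicts = {}
    for name, text in samples.items():
        url = parse_url_shortcut(text)
        verdicts[name] = classify_target(url) if url else "unparsable: no [InternetShortcut] URL"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:16s} {verdict}")
```

In practice this would run over shortcuts found in download folders or mail attachments, and a hit is a cue to look for a follow-on .cpl execution rather than a verdict on its own.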
Why this matters
Malware like Phemedrone Stealer exemplifies the dynamic and complex nature of cyber threats, demonstrating the agility of cybercriminals in refining their methods by incorporating new exploits for critical flaws in commonly used software.
This situation sheds light on the interplay between open-source malware and publicly available proof-of-concept exploits, showing how short the gap has become between the publication of such proofs and their adoption in malware attack campaigns.
The bottom line
The exploitation of CVE-2023-36025 for deploying the Phemedrone Stealer is a stark reminder of the ongoing cybersecurity battle. To mitigate such threats, it's crucial for users and organizations to regularly update their software, educate employees about safe online practices, and adopt comprehensive security solutions.