Phemedrone Stealer Targets Windows Defender Flaw Despite Patch

Written by

Cybersecurity experts have uncovered the active exploitation of CVE-2023-36025, which also led to the dissemination of a new strain of malware called Phemedrone Stealer. 

This malware explicitly targets web browsers and collects data from cryptocurrency wallets and messaging applications like Telegram, Steam and Discord. 

Additionally, Phemedrone gathers system information, including hardware details and location, sending the stolen data to the attackers through Telegram or their command-and-control (C2) server.

The vulnerability in question impacts Microsoft Windows Defender SmartScreen, resulting from inadequate checks on Internet Shortcut (.url) files. 

Threat actors leverage this loophole by creating .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen warnings. 

Microsoft addressed this vulnerability on November 14 2023. Still, its exploitation in the wild prompted the Cybersecurity and Infrastructure Security Agency (CISA) to include it in the Known Exploited Vulnerabilities (KEV) list on the same day.

Evidence suggests that since its discovery, various malware campaigns, including those distributing the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains. The attack vector primarily involves hosting malicious .url files on cloud services like Discord or, with attackers using URL shorteners to disguise these files.

Once the malicious .url file exploiting CVE-2023-36025 is executed, the malware employs defense evasion techniques, such as DLL sideloading and dynamic API resolving, to obfuscate its presence. The malware achieves persistence by creating scheduled tasks and utilizes an encrypted second-stage loader.

Read more on CVE-2023-36025 exploitation: BattleRoyal Cluster Signals DarkGate Surge

Second Stage Extraction and Exfiltration

Phemedrone Stealer’s second stage involves an open-source shellcode called Donut, enabling the execution of various file types in memory. The malware dynamically targets a broad range of applications and services. It then extracts sensitive information, including credentials, from browsers, crypto wallets, Discord, FileZilla, Steam and more.

The malware also employs an elaborate data exfiltration process, compressing and sending the harvested data through the Telegram API. It ensures data integrity by validating the Telegram API token and transmits a detailed system information report to the attackers.

Despite Microsoft issuing a patch for CVE-2023-36025, Trend Micro said threat actors persist in exploiting this vulnerability, emphasizing the need for organizations to update their Windows installations promptly.

“Organizations must make sure to update Microsoft Windows installations to prevent being exposed to the Microsoft Windows Defender SmartScreen Bypass,” reads the advisory.

“Public proof-of-concept exploit code exists on the web increasing the risk to organizations who have not yet updated to the latest patched version.”

What’s hot on Infosecurity Magazine?