Be on the lookout for Phemedrone Stealer hitting Windows devices
Windows PCs are being targeted with a new threat that is capable of working around its Defender antivirus solution, experts have warned.
Named Phemedrone Stealer, the malware steals sensitive data from the compromised device, such as passwords and authentication cookies, and leaks it to the attackers, according to a new report from cybersecurity researchers Trend Micro.
As per the report, the malware looks for sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It can also take screengrabs, and siphon out data on hardware, location, and the operating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server.
A patch is available
The malware leverages a vulnerability that was recently discovered in Microsoft Windows Defender SmartScreen. It’s tracked as CVE-2023-36025 and carries a vulnerability score of 8.8/10. Described as a Windows SmartScreen security feature bypass vulnerability, this flaw allows threat actors to work around Defender Smartscreen checks and the associated prompts. To abuse the flaw, an attacker would need to craft a custom Internet Shortcut (.URL), or a hyperlink that points to a shortcut, and get the victim to interact with it.
Microsoft patched the flaw in mid-November 2023, however, hackers are still on the lookout for vulnerable devices that haven’t been patched, so applying the fix is highly recommended. In fact, the evidence of in-the-wild use has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to the Known Exploited Vulnerabilities (KEV) list.
“It has come to public attention that various demos and proof-of-concept codes have been circulated on social media, detailing the exploitation of CVE-2023-36025,” Trend Micro explained in its writeup.
“Since details of this vulnerability first emerged, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.”