Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025)

A vulnerability (CVE-2023-36025) that Microsoft fixed in November 2023 continues to be exploited by malware peddlers: this time around, the delivered threat is a variant of the Phemedrone Stealer.

About the malware

Phemedrone Stealer is a piece of malware written in C#, with no dependencies. It’s capable of:

• Collecting system information (hardware, OS, geolocation) and making screenshots
• Gathering all data contained in the targed device’s memory
• Grabbing user files from specific folders (e.g., Documents, Desktop)
• Grabbing cookies, passwords, and autofills from Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, Brave, etc.) and Gecko-based browsers (e.g., Firefox)
• Extracting sensitive data from password and authenticator apps via extensions installed on Chromium-based browsers
• Grabbing Discord authentication tokens and files related to Steam and Telegram authentication-related files
• Extracting files from popular cryptocurrency wallet apps
• Capturing connection details and credentials for FileZilla (a free FTP solution)

The harvested data is compressed and exfiltrated via the Telegram API.

CVE-2023-36025 exploited

Exploiting CVE-2023-36025 allows attackers to bypass Windows Defender SmartScreen checks and associated prompts, which means that when the victim is tricked into dowloading and opening a malicious file, Windows won’t warn them against it if the service finds the file (or website) suspicious and potentially malicious.

Microsoft released fixes for CVE-2023-36025 on November 2023 Patch Tuesday and warned at the time that the vulnerability was already being leveraged in attacks in the wild.

A week after, the company confirmed that a proof-of-concept exploit had been made public. (Other PoCs and demos have been published since then.)

The vulnerability has previously been abused by attackers to deliver the Remcos, DarkGate and NetSupport remote access trojans.

In this latest campaign, the final malicious payload is the Phemedrone Stealer.

Trend Micro researchers didn’t say how victims are tricked into downloading malicious Internet Shortcut files (.url) hosted on Discord or other cloud services such as FileTransfer.io, but they know that once they execute it, an exploit for CVE-2023-36025 is triggered and a DLL file masquerading as a control panel item (.cpl) file is downloaded.

Phemedrone Stealer’s infection chain (Source: Trend Micro)

“When the malicious .cpl file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL. This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub,” they explained.

A number of additional files and scripts are downloaded to achieve persistence and second-stage defense evasion so that Phemedrone Stealer can be installed.

Act now: it may be late, but not too late

“Threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” the researchers noted.

Organizations that haven’t yet updated their Microsoft Windows installations to fix CVE-2023-36025 are urged to do it quickly.