Researchers from Trend Micro have discovered a previously unknown strain of malware, dubbed Phemedrone Stealer, that is actively exploiting the already patched Windows Defender SmartScreen vulnerability CVE-2023-36025, Security Week reports.
Phemedrone Stealer is a data-harvesting malware focusing on a variety of specific types of files and information across a wide range of popular software products – browsers, file managers, and communication platforms, among others.
The malware even collects extensive system details (including geolocation data such as IP, country, city, and postal code) about Windows 10 or 11 and takes screenshots in the process. Trend Micro specifically lists the following targets:
- Chromium-based browsers. The malware harvests data, including passwords, cookies, and autofill information stored in apps such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator, among others.
- Crypto wallets. It extracts files from various cryptocurrency wallet applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.
- Discord. Phemedrone extracts authentication tokens from the Discord application, enabling unauthorized access to the user's account.
- FileGrabber. The malware uses this service to gather user files from designated folders such as Documents and Desktop.
- FileZilla. Phemedrone captures FTP connection details and credentials from FileZilla.
- Gecko. The malware targets Gecko-based browsers (Firefox being the most popular one) for user data extraction.
- System Information. Phemedrone collects extensive system details, including hardware specs, geolocation, and operating system information, and takes screenshots.
- Steam. Phemedrone accesses files related to the Steam gaming platform.
- Telegram. The malware extracts user data from the installation directory, specifically targeting authentication-related files within the “tdata” folder. This includes seeking out files based on size and naming patterns.
The attack vector in this case is crafted .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen in the process. As a result, a user tricked into opening such a file does not see the SmartScreen warning that this type of file can potentially harm the computer.
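Because the lure in this campaign is a Windows Internet Shortcut (.url) file, a defender's first triage step is to parse that INI-style format and flag shortcuts whose target is not an ordinary web page. The following Python is an added example written for this article, not code from Trend Micro or Security Week; the risky-extension list and the two sample shortcut bodies are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristic list of extensions a legitimate web shortcut should not point at
# (an assumption for this example, not taken from the Trend Micro report).
RISKY_EXTENSIONS = {".cpl", ".exe", ".dll", ".js", ".vbs", ".ps1",
                    ".bat", ".cmd", ".hta", ".scr", ".msi"}

# Constructed sample .url bodies (CRLF line endings, as Windows writes them).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/docs\r\nIconIndex=0\r\n"
SUSPICIOUS_URL_FILE = ("[InternetShortcut]\r\n"
                       "URL=file://placeholder-host.invalid/share/invoice.js\r\n")


def parse_url_file(text: str) -> dict:
    """Return the keys of the [InternetShortcut] section, lower-cased."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def triage_url_file(text: str) -> list:
    """Return the reasons (if any) a shortcut deserves analyst attention."""
    reasons = []
    target = parse_url_file(text).get("url", "")
    if not target:
        return ["no URL= entry in [InternetShortcut]"]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme: {scheme or 'none'}")
    if target.startswith("\\\\") or target.lower().startswith("file://"):
        reasons.append("target is a file share or local path rather than a web page")
    # Look at the path component only, so query strings do not hide the extension.
    tail = parsed.path.lower() if scheme else target.lower()
    ext = re.search(r"(\.[a-z0-9]{1,4})$", tail)
    if ext and ext.group(1) in RISKY_EXTENSIONS:
        reasons.append(f"target ends in executable/script extension {ext.group(1)}")
    return reasons


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, "->", triage_url_file(body) or "no findings")
```

Run it over the contents of .url attachments quarantined by mail or endpoint tooling; an empty list means the shortcut looks like a plain web link, anything else is worth a closer look.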
Once the malicious software avoids detection, it downloads the payload and establishes a permanent presence in the system.
Then the search for specific files and information follows. The harvested data is sent to the hackers via the API of Telegram, a messaging platform that is popular in a number of countries around the globe. The system information is sent first, followed by a compressed ZIP file containing all the collected data.
The good news is that Microsoft already addressed the CVE-2023-36025 vulnerability on November 14. Therefore, maintaining the necessary IT hygiene and regularly applying the latest security patches should protect you – unlike in the case of many zero-day vulnerabilities living in the wild, yet to be tamed.
Source: Trend Micro via Security Week