Windows SmartScreen Vulnerability Exploited: Phemedrone Stealer Malware Used for Crypto Siphoning

Written by Mitchell Langley

January 16, 2024

A crypto-siphoning malware campaign called Phemedrone has recently been discovered. Phemedrone is information-stealing malware that exploits a Microsoft Windows SmartScreen vulnerability (CVE-2023-36025), which lets it bypass Windows security prompts when URL files are opened.

Phemedrone is particularly concerning because it can collect sensitive data from web browsers, cryptocurrency wallets, and popular software like Discord, Steam, and Telegram. The stolen data is then sent back to the attackers who may use it for various malicious purposes or sell it to other cybercriminals.

Windows SmartScreen Vulnerability CVE-2023-36025

The Windows Defender SmartScreen flaw, tracked as CVE-2023-36025, was addressed in the November 2023 Patch Tuesday. It had been actively exploited in attacks before the fix was released.

“The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” explains the CVE-2023-36025 security advisory.

Initially, limited information was available about how the Windows Defender SmartScreen vulnerability was being exploited in real-world attacks. The situation became more concerning when proof-of-concept exploits were published shortly afterwards.

Now that the Windows SmartScreen flaw is being exploited, the risk has increased for Windows systems that have not yet installed the patch.

Researchers at Trend Micro have reported that the Phemedrone campaign is not the only case in which this Windows SmartScreen flaw has been targeted. They have observed other cases involving ransomware as well. This highlights the importance of patching the vulnerability promptly to reduce the risk of further attacks.

Windows SmartScreen Bug Evades the Warning Prompt Using the CVE-2023-36025 Exploit

Attackers have been observed hosting malicious URL files on reputable cloud services such as Discord and FileTransfer.io. To make these URLs appear more legitimate and less suspicious, they often use URL shortener services like shorturl.at.

Typically, when a user tries to open a URL file downloaded from the internet or received via email, Windows SmartScreen displays a warning about potential harm to the computer. However, in these attacks, the malicious URL files exploit the CVE-2023-36025 vulnerability in Windows SmartScreen.

As a result, the warning prompt is bypassed, and the command within the file is executed automatically without the victim’s knowledge or consent.

Technical Details of Windows SmartScreen Vulnerability

The URL file, when downloaded, retrieves a control panel item (.cpl) file from the attacker’s control server and executes it. This triggers the launch of a malicious DLL payload through the rundll32.exe process.

The DLL functions as a PowerShell loader and retrieves a ZIP file from a GitHub repository. This ZIP file contains a second-stage loader disguised as a PDF file named “Secure.pdf,” a legitimate Windows binary called “WerFaultSecure.exe,” and a DLL file named “wer.dll.” These files are used for DLL side-loading and establishing persistence on the compromised system.
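The execution chain above leaves traces in process-creation and image-load telemetry. The following triage sketch is an added example, not code from Trend Micro or the original article; the event field names and the sample events are constructed, and it assumes the legitimate WerFaultSecure.exe and wer.dll reside in the Windows system directory.

```python
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# A .cpl path on a command line, either quoted or as a bare token.
CPL_PATH = re.compile(r'"([^"]+\.cpl)"|([^\s",]+\.cpl)')

def in_system_dir(path):
    """True when the file sits directly in a Windows system directory."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def triage(event):
    """Return the names of the rules one event matches (empty list = no hit)."""
    hits = []
    image = event["image"].lower()
    name = ntpath.basename(image)
    if event["type"] == "process_create":
        # Stage 1: a .cpl item run through rundll32.exe from outside the system
        # directories. Bare names (no directory part) are skipped as ambiguous.
        if name == "rundll32.exe":
            for quoted, bare in CPL_PATH.findall(event["command_line"].lower()):
                path = quoted or bare
                if ntpath.dirname(path) and not in_system_dir(path):
                    hits.append("cpl_outside_system_dir")
        # Stage 2: the legitimate WER binary executed from a copied location.
        if name == "werfaultsecure.exe" and not in_system_dir(image):
            hits.append("werfaultsecure_outside_system_dir")
    elif event["type"] == "image_load":
        # Side-loading: wer.dll resolved from the application directory.
        loaded = event["loaded"].lower()
        if ntpath.basename(loaded) == "wer.dll" and not in_system_dir(loaded):
            hits.append("wer_dll_sideload")
    return hits

# Constructed sample events (hypothetical field names, not campaign data).
RUNDLL = r"C:\Windows\System32\rundll32.exe"
COPIED = r"C:\Users\alice\AppData\Roaming\sample\WerFaultSecure.exe"
EVENTS = [
    {"type": "process_create", "image": RUNDLL, "command_line":
     r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"},
    {"type": "process_create", "image": RUNDLL, "command_line":
     r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Local\Temp\item.cpl"'},
    {"type": "process_create", "image": COPIED, "command_line": "WerFaultSecure.exe"},
    {"type": "image_load", "image": COPIED,
     "loaded": r"C:\Users\alice\AppData\Roaming\sample\wer.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\wer.dll"},
]

def run():
    return [triage(e) for e in EVENTS]
```

The same three conditions translate directly into EDR or SIEM rules keyed on image path and loaded-module path.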

Once Phemedrone is successfully launched on the compromised system, it initializes its configuration, decrypts necessary components, and proceeds to steal data from targeted applications. Telegram is utilized as the means for data exfiltration.

Targets of the Phemedrone Malware

According to Trend Micro’s report, Phemedrone targets various apps and data as follows:

  • Discord: Unauthorized access is gained by extracting authentication tokens.
  • Crypto wallets: Data extraction from different crypto wallet apps, such as Atom, Armory, Electrum, and Exodus.
  • Chromium browsers: Harvesting of passwords, cookies, and autofill data from browsers and security apps like LastPass, KeePass, Microsoft Authenticator, and Google Authenticator.
  • FileGrabber: Collection of user files from folders like Documents and Desktop.
  • FileZilla: Capture of FTP details and credentials.
  • Gecko browsers: Extraction of user data from Gecko-based browsers like Firefox.
  • Telegram: Data extraction with a focus on authentication files in the “tdata” folder.
  • Steam: Accessing files related to the Steam platform.
  • System info: Gathering of hardware specifications, geolocation, OS details, and screenshots.

Here is the complete list of indicators of compromise (IoCs) for the newly observed Phemedrone campaign.
