Windows Defender Vulnerability Exploited: Phemedrone Stealer Threatens PC Security
Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain. This malware scans machines for sensitive information, such as passwords, cookies, and authentication tokens, to grab and leak.
Microsoft patched the vulnerability (CVE-2023-36025) in November, which allowed Phemedrone and other malicious software to bypass Windows protections. After the patch, miscreants reverse-engineered it to create a proof-of-concept exploit, making it crucial to update Windows machines.
Windows Defender Vulnerability Exploited: Phemedrone Stealer Threatens PC Security
Trend Micro researchers detail the Phemedrone info-stealer in a recent publication. The malware targets various browsers and applications, including Chromium-based browsers, LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator.
Check Also: Google Account Vulnerability: Malware Utilizes Cookies for Unauthorized Access
Phemedrone steals sensitive information like passwords and cookies and can be used to log into victims’ online accounts. It also targets cryptocurrency wallets, messaging apps like Discord and Telegram, and login details for the Steam gaming platform. The malware gathers telemetry, including hardware specs, geolocation data, and OS information, and sends it to attackers.
Victims are infected by downloading and opening a malicious .url file, exploiting CVE-2023-36025 to evade Windows SmartScreen.
- The .url file downloads and opens a .cpl file, a Windows control panel item. It leads to infection without SmartScreen warnings.
- The .cpl file is a .dll, executing when opened, acting as a loader calling on PowerShell to execute the next stage of the attack.
Another PowerShell loader, DATA3.txt, is downloaded from GitHub, opening a .zip with three parts: WerFaultSecure.exe, Wer.dll, and Secure.pdf.
The malware uses obfuscation techniques to mask its contents and evade detection. Upon execution, the Phemedrone Stealer decrypts details to access the Telegram API and begins exfiltrating victim information.
You May Also Like: Malware Alert: Google Accounts at Risk from Sophisticated Cyber Threat
PTA Taxes Portal
Find PTA Taxes on All Phones on a Single Page using the PhoneWorld PTA Taxes Portal
Explore NowFollow us on Google News!