A Microsoft Defender SmartScreen vulnerability patched in November is under fresh active exploitation in a Phemedrone information-stealing malware campaign, according to cybersecurity research and development company Trend Micro.

The critical vulnerability, which is tracked as CVE-2023-36025 (CVSS 8.8), allows attackers to bypass Windows Defender SmartScreen checks and their associated prompts.

“During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of Phemedrone Stealer,” Trend Micro said in a blog post. “Since details of this vulnerability first emerged, a growing number of malware campaigns have incorporated this vulnerability into their attack chains.”

As per Microsoft’s security advisory, user interaction is needed to trigger the vulnerability, as the “user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.” The flaw stems from Microsoft Defender SmartScreen not applying its checks, and the associated warning prompts, to Internet Shortcut (.url) files.

Phemedrone malware steals data from web browsers, cryptocurrency wallets, and messaging apps such as Telegram, Steam, and Discord on compromised systems.

Using the vulnerability for infection and evasion

The Phemedrone Stealer sample evaluated by Trend Micro begins its infection chain with attackers hosting malicious URLs on benign cloud services such as Discord and FileTransfer.io, masking them with URL shorteners including shorturl.at. A user is then tricked into clicking the maliciously crafted .url file, which exploits CVE-2023-36025 so that it executes without the SmartScreen warning.
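The delivery chain above hinges on an Internet Shortcut file whose target points at attacker-controlled content behind a file-hosting service or a URL shortener. The following triage script is an added example written for this article, not code from Trend Micro or Microsoft: it parses the INI-style .url format and flags shortcuts whose target resolves to the hosting and shortener services the article names. The exact hostnames used for those services, and the rule that anything other than an http(s) target is unusual for a browser bookmark, are assumptions of this example; the sample shortcut files are constructed.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

A .url file is an INI-style text file with an [InternetShortcut] section
whose URL= key holds the target. This script parses that format and reports
indicators a defender would want to review in the context of the article:
targets hosted on, or masked by, the services it names.
"""
import configparser
import pathlib
from urllib.parse import urlparse

# Hostnames assumed for the services the article names as hosting or
# masking the malicious links (Discord, FileTransfer.io, shorturl.at).
SUSPECT_DOMAINS = ("discord.com", "discordapp.com", "filetransfer.io", "shorturl.at")

# Schemes a normal browser bookmark uses; anything else gets flagged.
# This is a heuristic chosen for the example, not a rule stated in the article.
EXPECTED_SCHEMES = {"http", "https"}


def parse_url_shortcut(text: str) -> dict:
    """Parse .url content and return the [InternetShortcut] keys (lower-cased by configparser)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        raise ValueError("not an Internet Shortcut: missing [InternetShortcut] section")
    return dict(cp["InternetShortcut"])


def _host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_url_shortcut(text: str) -> list:
    """Return human-readable findings for one .url file; an empty list means nothing flagged."""
    fields = parse_url_shortcut(text)
    target = fields.get("url", "")
    findings = []
    if not target:
        findings.append("no URL= target")
        return findings
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme not in EXPECTED_SCHEMES:
        findings.append(f"unexpected scheme '{scheme}'")
    for domain in SUSPECT_DOMAINS:
        if _host_matches(host, domain):
            findings.append(f"target hosted on/masked by {domain}")
    return findings


def scan_directory(root: str) -> dict:
    """Triage every *.url file under root; returns {path: findings} for flagged files only."""
    flagged = {}
    for path in pathlib.Path(root).rglob("*.url"):
        try:
            findings = triage_url_shortcut(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, configparser.Error) as exc:
            findings = [f"unparseable: {exc}"]  # malformed files deserve a look too
        if findings:
            flagged[str(path)] = findings
    return flagged


# Constructed sample shortcuts (not real samples from the campaign).
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/docs
IconIndex=0
"""

MASKED_SHORTCUT = """[InternetShortcut]
URL=https://shorturl.at/placeholder
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SHORTCUT), ("masked", MASKED_SHORTCUT)):
        print(name, triage_url_shortcut(sample) or "clean")
```

Run `scan_directory` over a user's Downloads folder or a mail-attachment quarantine to list shortcuts that match these indicators; the domain list is deliberately short and should be extended with whatever hosting and shortener services appear in your own telemetry.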