2024-01-16

A Microsoft Defender SmartScreen vulnerability patched in November has found fresh active exploitation in a Phemedrone information-stealing malware campaign, according to cybersecurity research and development company Trend Micro.

The critical vulnerability, tracked as CVE-2023-36025 (CVSS 8.8), allows attackers to bypass Windows Defender SmartScreen checks and their associated prompts.

“During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of Phemedrone Stealer,” Trend Micro said in a blog post. “Since details of this vulnerability first emerged, a growing number of malware campaigns have incorporated this vulnerability into their attack chains.”

Per Microsoft’s security advisory, user interaction is needed to trigger the vulnerability, as the “user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.” The exploit stems from Microsoft Defender not applying its checks and associated prompts to Internet Shortcut (.url) files.

Phemedrone malware targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord on compromised systems.

Using the vulnerability for infection and evasion

The Phemedrone Stealer sample analyzed by Trend Micro begins infection with the attackers hosting malicious URLs on benign cloud services such as Discord and FileTransfer.io, masking them with URL shorteners including shorturl.at.
A user is then tricked into opening the maliciously crafted .url file, which exploits CVE-2023-36025 when executed.

Execution of the .url file establishes a connection to an attacker-controlled server to download and execute a Control Panel item (.cpl) file. Under normal conditions, Microsoft Defender SmartScreen should display warnings and security prompts before executing a .url file from an untrusted source.

“The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism,” according to the post. “Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files.”

The malicious .cpl file is then executed through the Windows Control Panel process binary to launch the final Phemedrone dropper, alongside a few other steps to establish persistence. Once launched, Phemedrone initializes its configuration and decrypts critical items and credentials from targeted applications on the infected system, including Chromium browsers, crypto wallets, Discord, FileGrabber, FileZilla, System Info, Steam, and Telegram.

Exploitation despite patch

Microsoft fixed CVE-2023-36025 as part of its November 2023 Patch Tuesday and recommended that users update immediately, as the bug was already under active exploitation.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” Trend Micro said. “Public proof-of-concept exploit code exists on the web increasing the risk to organizations who have not yet updated to the latest patched version.”

Trend Micro recommends immediately updating Windows installations to the patched versions, and deploying effective XDR tools to detect, scan, and block malicious content consistently.
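As an added illustration of the T1218.002 step in the chain described above (detection logic written for this page, not code from Trend Micro or Microsoft), the following Python flags process-creation events in which control.exe, or rundll32.exe entering Control_RunDLL, loads a .cpl from outside the Windows system directories or from a UNC path. The key=value event format, the sample lines, and the hostnames and paths in them are constructed; a real deployment would read Sysmon Event ID 1 fields instead.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (key=value fields); not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\control.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="C:\\Windows\\System32\\control.exe" "C:\\Windows\\System32\\timedate.cpl"',
    'Image=C:\\Windows\\System32\\control.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="C:\\Windows\\System32\\control.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\update.cpl"',
    'Image=C:\\Windows\\System32\\rundll32.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine=rundll32.exe shell32.dll,Control_RunDLL \\\\files.example.invalid\\share\\invoice.cpl',
    'Image=C:\\Program Files\\App\\app.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="C:\\Program Files\\App\\app.exe" --open report.pdf',
]

# Absolute .cpl paths: drive-letter or UNC, with no whitespace or quotes inside.
CPL_RE = re.compile(r'((?:\\\\|[A-Za-z]:\\)[^"\s]*\.cpl)', re.IGNORECASE)
# Legitimate Control Panel items live here; anything loaded from elsewhere is worth a look.
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def parse_event(line):
    """Split 'Key=value Key2=value' into a dict; values may contain spaces."""
    return {k: v.strip() for k, v in re.findall(r'(\w+)=(.*?)(?=\s+\w+=|$)', line)}


def is_control_panel_host(image, cmdline):
    """control.exe, or rundll32.exe calling shell32's Control_RunDLL, hosts .cpl files."""
    name = PureWindowsPath(image).name.lower()
    return name == 'control.exe' or (
        name == 'rundll32.exe' and 'control_rundll' in cmdline.lower())


def flag_cpl_abuse(events):
    """Return the events where a Control Panel host loads a .cpl from an untrusted location."""
    hits = []
    for line in events:
        ev = parse_event(line)
        image, cmd = ev.get('Image', ''), ev.get('CommandLine', '')
        if not is_control_panel_host(image, cmd):
            continue
        for cpl in CPL_RE.findall(cmd):
            low = cpl.lower()
            # UNC paths are remote by definition; local paths must sit under a system directory.
            if low.startswith('\\\\') or not low.startswith(TRUSTED_DIRS):
                hits.append({'image': image, 'parent': ev.get('ParentImage', ''), 'cpl': cpl})
    return hits


if __name__ == '__main__':
    for hit in flag_cpl_abuse(SAMPLE_EVENTS):
        print(f"T1218.002 candidate: {hit['image']} loaded {hit['cpl']} (parent {hit['parent']})")
```

The benign timedate.cpl launch and the unrelated application are left alone; only the .cpl in a user's Temp folder and the one fetched over a UNC path are reported.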