Windows PCs are being targeted by a new threat capable of bypassing the antivirus solution Defender, experts warn.
The malware, called Phemedrone Stealer, steals sensitive data from the affected device, such as passwords and authentication cookies, and leaks it to the attackers, according to a new study. report from cybersecurity researchers Trend Micro.
According to the report, the malware looks for sensitive information stored in web browsers, cryptocurrency wallets and messaging platforms such as Telegram, Steam and Discord. It can also take screenshots and siphon hardware, location, and operating system data. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server.
A plaster is available
The malware takes advantage of a vulnerability recently discovered in Microsoft Windows Defender SmartScreen. It is tracked as CVE-2023-36025 and has a vulnerability score of 8.8/10. Described as a Windows SmartScreen security feature that bypasses the vulnerability, this flaw allows cybercriminals to bypass the Defender Smartscreen controls and associated prompts. To exploit this flaw, an attacker would have to create a custom Internet shortcut (.URL), or a hyperlink pointing to a shortcut, and trick the victim into interacting with it.
Microsoft patched the flaw in mid-November 2023, but hackers are still looking for vulnerable devices that haven’t been patched yet, so applying the fix is highly recommended. The evidence of use in the wild even prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its list of known exploited vulnerabilities (KEV).
“It has come to public attention that several demos and proof-of-concept codes have been distributed on social media, detailing the exploitation of CVE-2023-36025,” Trend Micro explains in its article.
“Since details of this vulnerability first came to light, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.”