SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

Phemedrone Stealer Detection: Threat Actors Exploit CVE-2023-36025 Vulnerability in Windows SmartScreen to Deploy Malware

by Valentin / Friday, 19 January 2024 / Published in RSS blog posts

Cyber Security Blogs

This time security researchers report a malicious campaign leveraging a now-patched Windows SmartScreen flaw (CVE-2023-36025) to drop the Phemedrone payload. Phemedrone is an open-source information stealer capable of siphoning data from crypto wallets, chatting apps, popular software, and more.

Detect Phemedrom Stealer 

With over 1 billion malware samples circulating in the cyber domain, security professionals require innovative tools to preempt cyber attacks and defend against emerging threats proactively. To identify malicious activity associated with the latest Phemedron campaign, check out a rule by our keen Threat Bounty developer Kagan Sukur.

Determination of the Persistence Mechanism Used in Phemedrone Stealer Activity (via process_creation)

The rule above helps to detect the Phemedrone persistence mechanism created on the system during its distribution. The detection is compatible with 27 SIEM, EDR, XDR, and Data Lake solutions, mapped to MITRE ATT&CK framework v14, and enriched with extensive threat intelligence, attack timelines, and additional metadata.

In view of hackers weaponizing a security bypass flaw in Widows SmartScreen to proceed with infections, cyber defenders might explore a curated detection stack aimed at CVE-2023-36025 exploits detection. Just hit the Explore Detections button below and drill down to the rules set. 

Explore Detections

Eager to join the collective cyber defense community? Security professionals seeking the opportunity to improve their skill set while networking with peers are more than welcome to become members of SOC Prime’s Threat Bounty Program. 

Phemedrone Stealer Campaign Analysis

Recent inquiry by Trend Micro reveals the details of the latest Phemedrone stealer campaign relying on CVE-2023-36025 for defense evasion and payload deployment. 

Phemedrone stealer is an open-source malware sample actively maintained by its developers via GitHub and advertised in Telegram. The malware can dump data from web browsers, crypto accounts, popular messengers, and apps. Also, Phemedrone is capable of taking screenshots and gathering system information which is further sent to the adversaries via Telegram or C&C server. 

In the ongoing campaign, threat actors trick users into downloading malicious Internet Shortcut files that trigger the infection chain. Typically, attackers disseminate such .URL files via Discord or cloud services masking them with the help of URL shorteners. Once, the user downloads a booby-trapped file, it executes a control panel file circumventing Windows Defender SmartScreen with the CVE-2023-36025 security bypass bug. Further, .CPL files trigger DLL execution which drops a PowerShell loader for Phemedrone. 

Notably, CVE-2023-36025 was addressed by Microsoft back in November 2023. Yet, adversaries still find ways to weaponize the flaw and leverage it in ongoing malicious operations. 

The ever-increasing number of attacks leveraging innovative malicious methods require advanced technologies to stay on top of the trending threats. Security professionals might leverage Uncoder AI, the industry-first IDE for detection engineering to code faster and smarter while instantly translating algorithms into 65 technology language formats.

The post Phemedrone Stealer Detection: Threat Actors Exploit CVE-2023-36025 Vulnerability in Windows SmartScreen to Deploy Malware appeared first on SOC Prime.

​Read More

  • Tweet

About Valentin

What you can read next

LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT
200% Increase in Crime: U.S. Issues Critical Safety Warning to Those Who Use Dating Apps Abroad
2024: The Year of Secure Design

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP