New malware bypassing Windows SmartScreen is hungry for your data, and it wants it all


    Karlston

    • 686 views
    • 3 minutes

Researchers from Trend Micro have discovered a previously unknown strain of malware, dubbed Phemedrone Stealer, that is actively exploiting the already patched Windows Defender SmartScreen vulnerability CVE-2023-36025, Security Week reports.

     

    Phemedrone Stealer is a data-harvesting malware focusing on a variety of specific types of files and information across a wide range of popular software products – browsers, file managers, and communication platforms, among others.

     

    The malware even collects extensive system details (including geolocation data such as IP, country, city, and postal code) about Windows 10 or 11 and takes screenshots in the process. Trend Micro specifically lists the following targets:

     

    • Chromium-based browsers. The malware harvests data, including passwords, cookies, and autofill information stored in apps such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator, among others.
    • Crypto wallets. It extracts files from various cryptocurrency wallet applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.
    • Discord. Phemedrone extracts authentication tokens from the Discord application, enabling unauthorized access to the user's account.
    • FileGrabber. The malware uses this service to gather user files from designated folders such as Documents and Desktop.
    • FileZilla. Phemedrone captures FTP connection details and credentials from FileZilla.
    • Gecko. The malware targets Gecko-based browsers, Firefox being the most popular, for user data extraction.
    • System Information. Phemedrone collects extensive system details, including hardware specs, geolocation, and operating system information, and takes screenshots.
    • Steam. Phemedrone accesses files related to the Steam gaming platform.
    • Telegram. The malware extracts user data from the installation directory, specifically targeting authentication-related files within the “tdata” folder. This includes seeking out files based on size and naming patterns.

     

    The attack vector here is crafted .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen in the process. A user tricked into opening such a file therefore sees no SmartScreen warning that this type of file can potentially harm the computer.
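As an added defensive illustration (not code from the article or from Trend Micro's report), the script below parses the INI-style Windows Internet Shortcut (.url) format and flags shortcuts whose target is not an ordinary web page or ends in an extension that launches code when opened. The sample shortcuts, the IP address and the extension list are constructed for this example.

```python
import configparser
import os
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Target extensions that mean a shortcut launches code rather than opening a
# web page. Heuristic list chosen for this example (an assumption).
RISKY_EXTENSIONS = {".exe", ".dll", ".cpl", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".scr"}

def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= target under [InternetShortcut], or None if missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; compared case-insensitively below
    try:
        cp.read_string(text)
    except configparser.Error:  # e.g. no section header at all
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp[section].items():
                if key.lower() == "url" and value.strip():
                    return value.strip()
    return None

def triage(text: str) -> List[str]:
    """Findings for one .url file; an empty list means nothing suspicious."""
    target = parse_url_file(text)
    if target is None:
        return ["no URL= target under [InternetShortcut] (malformed shortcut)"]
    findings = []
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if target.startswith("\\\\") or scheme == "file":
        findings.append("target is a file path or network share, not a web page")
    elif scheme not in ("http", "https"):
        findings.append(f"unexpected URL scheme {scheme or '(none)'!r}")
    ext = os.path.splitext(parsed.path if scheme else target)[1].lower()
    if ext in RISKY_EXTENSIONS:
        findings.append(f"target ends in {ext}, which launches code when opened")
    return findings

def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: triage(text) for name, text in files.items()}

# Constructed samples for this example, not from the article or Trend Micro.
SAMPLES = {
    "report.url": "[InternetShortcut]\r\nURL=https://example.com/report\r\n",
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/setup.exe\r\n",
    "notes.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\notes.js\r\n",
    "broken.url": "URL=https://example.com\r\n",  # no section header
}
```

Running `scan(SAMPLES)` reports the two shortcuts that point at a share and end in an executable or script extension, while the plain https shortcut comes back clean.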

     

    Once the malicious software has evaded detection, it downloads the payload and establishes persistence on the system.

     

    Then the search for specific files and information follows. The harvested data are sent to the attackers via the Telegram API; Telegram is a popular instant-messaging platform in a number of countries. The system information is sent first, followed by a ZIP archive containing all of the collected data.

     

    The good news is that Microsoft already addressed CVE-2023-36025 on November 14. Maintaining basic IT hygiene and regularly applying the latest security patches should therefore protect you, unlike with the many zero-day vulnerabilities in the wild that are yet to be tamed.

     

    Source: Trend Micro via Security Week
