
Threat actors have been observed exploiting a now-patched security vulnerability in Microsoft Windows to deploy an information stealer called Phemedrone Stealer.
Trend Micro researchers Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun said: “Phemedrone targets web browsers as well as data from cryptocurrency wallets and messaging apps such as Telegram, Steam and Discord.”
“It also takes screenshots and collects system information about hardware, location and operating system details. The stolen data is then sent to the attacker via Telegram or its command and control (C&C) server.”
These attacks exploit CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen that can be triggered by tricking a user into clicking a specially crafted Internet shortcut (.URL) or a hyperlink that points to an Internet shortcut file.

Microsoft addressed this actively exploited flaw in the November 2023 Patch Tuesday update.
The infection chain begins with threat actors hosting malicious Internet shortcut files on cloud services such as Discord or FileTransfer.io, and using URL shorteners to disguise the links.
Execution of the booby-trapped .URL file allows it to connect to an attacker-controlled server and execute a control panel (.CPL) file by bypassing Windows Defender SmartScreen using CVE-2023-36025.

“When the malicious .CPL file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL,” the researchers said. “This malicious DLL acts as a loader and then calls Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”
The subsequent payload is a PowerShell loader (“DATA3.txt”) that acts as a launchpad for Donut, an open source shellcode loader that decrypts and executes Phemedrone Stealer.
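A defender-side check for the first stage of the chain described above, added here as an example and not taken from the Trend Micro report: it parses an Internet Shortcut (.URL) file and flags targets that are both remote and point at a Control Panel item or another directly executable file type. The shortcut contents and the 203.0.113.10 address are constructed placeholders.

```python
"""Flag .URL files whose target is a remote Control Panel (.CPL) item or other
directly executable file. Added example for triage, not the report's own code."""
import configparser
import posixpath
from urllib.parse import urlparse

# File types Windows runs rather than displays when the shortcut target is opened
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs"}


def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section of an INI-style .URL file (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return {key.lower(): value for key, value in cp.items("InternetShortcut")}


def assess_shortcut(text: str) -> dict:
    """Classify the shortcut target: remote origin, executable extension, combined verdict."""
    target = parse_url_shortcut(text).get("url", "").strip()
    parsed = urlparse(target)
    # A UNC path (\\host\share\x) or a file:// URL with a host is a remote share;
    # http(s) is remote; file:///C:/... has no host and is local.
    remote = (
        target.startswith("\\\\")
        or parsed.scheme in ("http", "https")
        or (parsed.scheme == "file" and bool(parsed.netloc))
    )
    extension = posixpath.splitext(parsed.path.replace("\\", "/"))[1].lower()
    executable = extension in EXECUTABLE_EXTENSIONS
    return {
        "target": target,
        "remote": remote,
        "executable": executable,
        "suspicious": remote and executable,
    }


# Constructed samples (placeholder host from the 203.0.113.0/24 documentation range)
SUSPICIOUS_URL = "[InternetShortcut]\nURL=file://203.0.113.10@80/share/invoice.cpl\nIDList=\n"
BENIGN_URL = "[InternetShortcut]\nURL=https://learn.microsoft.com/en-us/windows/\n"

if __name__ == "__main__":
    for sample in (SUSPICIOUS_URL, BENIGN_URL):
        verdict = assess_shortcut(sample)
        print(f"{verdict['target']} -> suspicious={verdict['suspicious']}")
```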

Phemedrone Stealer, written in C# and actively maintained by its developers on GitHub and Telegram, is designed to harvest sensitive information from infected systems.
This development once again demonstrates that threat actors are becoming increasingly nimble and rapidly adapting their attack chains to exploit newly disclosed vulnerabilities and cause maximum damage.
“Despite the patch, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protection, infecting users with multiple malware types, including ransomware and Phemedrone Stealer,” the researchers said.