A Phemedrone infostealer campaign has been found to exploit the Windows SmartScreen vulnerability for initial infections.

A Microsoft Defender SmartScreen vulnerability patched in November is seeing fresh active exploitation in a Phemedrone information-stealing malware campaign, according to cybersecurity research and development company Trend Micro. The critical vulnerability, which is tracked as CVE-2023-36025 (CVSS 8.8), allows attackers to bypass Windows Defender SmartScreen checks and their associated prompts.

“During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of Phemedrone Stealer,” Trend Micro said in a blog post. “Since details of this vulnerability first emerged, a growing number of malware campaigns have incorporated this vulnerability into their attack chains.”

According to Microsoft’s security advisory, user interaction is required to trigger the vulnerability: the “user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.” The flaw stems from Microsoft Defender SmartScreen failing to apply its checks and associated prompts to Internet Shortcut (.url) files.

Phemedrone malware targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord on compromised systems.

Using the vulnerability for infection and evasion

In the Phemedrone Stealer campaign evaluated by Trend Micro, infection begins with attackers hosting malicious URLs on benign cloud services such as Discord and FileTransfer.io and masking them with URL shorteners including shorturl.at. A user is then tricked into opening the maliciously crafted .url file, which exploits CVE-2023-36025 in order to execute.
Opening the .url file establishes a connection to an attacker-controlled server to download and execute a Control Panel item (.cpl) file. Normally, Microsoft Defender SmartScreen would display warnings and security prompts before a .url file from an untrusted source is executed.

“The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism,” according to the post. “Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files.”

The malicious .cpl file is then executed through the Windows Control Panel process binary to launch the final Phemedrone dropper, alongside a few other steps to establish persistence. Once launched, Phemedrone initializes its configuration and decrypts critical items and credentials from targeted applications on infected systems, including Chromium browsers, crypto wallets, Discord, FileGrabber, FileZilla, System Info, Steam, and Telegram.

Exploitation despite patch

Microsoft fixed CVE-2023-36025 as part of the November 2023 Patch Tuesday release and recommended that users update immediately, as the bug was already under active exploitation.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” Trend Micro said. “Public proof-of-concept exploit code exists on the web increasing the risk to organizations who have not yet updated to the latest patched version.”

Trend Micro recommends immediately updating Windows installations to patched versions and deploying effective XDR tools to detect, scan for, and block malicious content consistently.
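Two defender-side checks for the .url-to-.cpl chain described above, written as an added example rather than taken from the article or from Trend Micro's research: one parses an Internet Shortcut file and flags a target that is a file path or a .cpl item, the other inspects a process command line for control.exe loading a .cpl from outside the Windows system directory (the T1218.002 pattern). All file contents, paths and addresses are constructed for illustration.

```python
import configparser
import ntpath
import re

# control.exe normally loads applets from the Windows system directory; a .cpl
# launched from anywhere else (Temp, Downloads, a share) deserves a closer look.
TRUSTED_CPL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def url_shortcut_indicators(text: str) -> list[str]:
    """Parse an Internet Shortcut (.url) file and list why it looks suspicious."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    target = cfg.get("InternetShortcut", "URL", fallback="")
    low = target.lower()
    findings = []
    if low.startswith("file:") or low.startswith("\\\\"):
        findings.append("shortcut resolves to a file path, not a web page: " + target)
    if ntpath.splitext(low.split("?")[0])[1] == ".cpl":
        findings.append("shortcut target is a Control Panel item (.cpl)")
    return findings


def cpl_launch_indicators(cmdline: str) -> list[str]:
    """Flag a process command line that runs a .cpl from outside the system directory."""
    low = cmdline.lower()
    if "control.exe" not in low and "control_rundll" not in low:
        return []  # not a Control Panel launch via control.exe or rundll32
    findings = []
    for path in re.findall(r'(?:[a-z]:\\|\\\\)[^"\s]*\.cpl', low):
        if not ntpath.dirname(path).startswith(TRUSTED_CPL_DIRS):
            findings.append("untrusted .cpl location: " + path)
    return findings


# Constructed samples (not real indicators from the campaign).
SAMPLE_URL_BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"
SAMPLE_URL_SUSPICIOUS = "[InternetShortcut]\nURL=file://203.0.113.10/share/update.cpl\nIconIndex=0\n"
EVENT_BENIGN = r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"'
EVENT_SUSPICIOUS = r'"C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Local\Temp\update.cpl"'

if __name__ == "__main__":
    for sample in (SAMPLE_URL_BENIGN, SAMPLE_URL_SUSPICIOUS):
        print(url_shortcut_indicators(sample))
    for event in (EVENT_BENIGN, EVENT_SUSPICIOUS):
        print(cpl_launch_indicators(event))
```

The command-line check is meant to run over process-creation telemetry (for example Sysmon event ID 1 or Windows 4688 with command-line auditing enabled); the .url check over files arriving by download or e-mail.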