Exploitation of Windows SmartScreen vulnerability results in Phemedrone Stealer deployment

Target Industry 

Indiscriminate, opportunistic targeting. 

Overview  

Intelligence indicates that a recent Windows SmartScreen security flaw, tracked as CVE-2023-36025 (CVSSv3.1 score: 8.8), is being actively exploited by threat actors, resulting in Phemedrone Stealer deployment on target systems. The vulnerability was initially disclosed by Microsoft on 14th 2023, following which the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog.


Following the public disclosure, numerous proof-of-concept (PoC) exploits for the flaw have been released, and several threat actors have incorporated related exploits into their attack chains. This involves threat actors sending a crafted internet shortcut file (.url) to a target user and convincing the recipient to interact with the link.
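As an added defensive example (not part of the original bulletin), the script below parses Windows Internet Shortcut (.url) files, the delivery artefact described above, and flags for analyst review any whose target is not an ordinary http(s) link. The file names, contents and the placeholder host are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .url files in the Windows Internet Shortcut (INI-style)
# format. These are illustrative only, not indicators from the bulletin.
SAMPLES = {
    "vendor-portal.url": "[InternetShortcut]\r\nURL=https://example.com/portal\r\n",
    "invoice.url": (
        "\ufeff[InternetShortcut]\r\n"
        "URL=file://placeholder-host/share/invoice\r\n"  # placeholder host
        "IconIndex=1\r\n"
    ),
}

# Targets a user would normally expect an internet shortcut to open.
EXPECTED_SCHEMES = {"http", "https"}


def parse_url_shortcut(text: str) -> dict:
    """Return the target URL, scheme and host of a .url file's contents."""
    # Tolerate a UTF-8 BOM and CRLF line endings, both common in these files.
    text = text.lstrip("\ufeff").replace("\r\n", "\n")
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case exactly as written (URL, IconFile, ...)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    target = cp["InternetShortcut"].get("URL", "")
    parts = urlsplit(target)
    return {"target": target, "scheme": parts.scheme.lower(), "host": parts.hostname or ""}


def triage(name: str, text: str) -> dict:
    """Flag a .url file for review when its target is not a plain http(s) link."""
    info = parse_url_shortcut(text)
    reasons = []
    if info["scheme"] not in EXPECTED_SCHEMES:
        reasons.append(f"unexpected scheme {info['scheme'] or '(none)'}")
    if not info["host"]:
        reasons.append("target has no host component")
    return {"file": name, **info, "review": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(triage(fname, body))
```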

Impact  

Successful exploitation of CVE-2023-36025 would almost certainly result in a threat actor being able to bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. 

Phemedrone Stealer is an open source infostealer malware that is written in C# and is actively maintained on GitHub and Telegram. Upon infection, Phemedrone Stealer is capable of harvesting sensitive data such as browser information, cryptocurrency wallet funds, and credentials from messaging applications. Additionally, it takes screenshots and gathers system information, including hardware details and location data, which is subsequently exfiltrated via Telegram or to the threat actor’s command-and-control (C2) infrastructure.

Vulnerability Detection

Security patches for CVE-2023-36025 have been released by Microsoft for the affected product. Unpatched product versions therefore remain vulnerable to potential exploitation.

Affected Products 

Windows SmartScreen. 

Containment, Mitigations & Remediations

It is strongly recommended that the security patches for CVE-2023-36025 are applied as soon as possible.

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available currently. 

Threat Landscape 

Information stealing malware, such as Phemedrone Stealer, has become a prevalent infection vector. With Phemedrone Stealer being a ‘commodity’ information stealer, data harvested by such malware variants is often sold on illicit marketplaces, where other threat actors can purchase it. The acquisition of these credentials by threat actors will ultimately lead to further targeting, inevitably resulting in the use of additional attack vectors, such as ransomware deployment.

Additionally, information stealer malware variants such as Phemedrone Stealer are built to remain undetected within the target environment and, as such, are able to execute covertly. Further, due to the ease of implementation and the effectiveness of Phemedrone Stealer, it has been assessed to be highly likely that stealer operators will continue to deploy these malware variants in their respective campaigns to achieve their financially motivated objectives.

Threat Group 

Phemedrone Stealer operations have not been attributed to specific threat actors or groups as of the time of writing.

Mitre Methodologies

Tactics: 

TA0005 – Defense Evasion 

Further Information 

Threat Intelligence Outlook 2024

Download our new Threat Intelligence Outlook 2024 report now for a high-level, strategic overview of the emerging cyber threats over the next 12 months.