New malware discovered that can bypass Windows SmartScreen and steal user data
Named Phemedrone Stealer, it is a strain of data-harvesting malware that targets a variety of file types and specific information from popular software products, ranging from browsers and file managers to communication platforms and many other kinds of software.
Phemedrone Stealer can also collect real-time operational details of the target system, including geolocation data such as IP address, country, city and postal code, on Windows 10 or 11, and take screenshots in the process. Trend Micro lists the malware's specific targets as follows:
- Chromium-based browsers: the malware collects password data, cookies, and autofill information stored in applications such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile and Microsoft Authenticator, among many others.
- Cryptocurrency wallets: Phemedrone Stealer extracts files from wallet applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.
- Discord: the malware gains unauthorized access to the user's account.
- FileGrabber: the malware uses this component to collect user files from specified folders such as Documents and Desktop.
- FileZilla: Phemedrone Stealer captures FTP connection details and other information from the application.
- Gecko: the malware targets Gecko-based browsers (Firefox being the most popular) to extract user data.
- System information: Phemedrone Stealer collects detailed system information, including hardware specifications, geographic location, and operating system details, and takes screenshots.
- Steam: Phemedrone accesses files related to the Steam gaming platform.
- Telegram: the malware extracts user data from the installation directory, specifically targeting authentication-related files in the 'tdata' directory. This includes searching for files by size and naming pattern.
The attack vector in this case is crafted .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen in the process. A user who is tricked into opening such a file therefore never sees the SmartScreen warning that this type of file is potentially harmful to the computer. Once the malware evades detection, it downloads the payload and establishes persistence on the system.
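Because the initial lure is an Internet Shortcut, a defender can triage .url files before they reach a user. The script below is an added example, not code from the article or from Trend Micro: it parses the INI-style .url format and flags targets a genuine web shortcut has no reason to use (non-web schemes, UNC/remote shares, launchable script extensions). These heuristics are general hardening assumptions, not the specific mechanics of CVE-2023-36025, and the two shortcut samples are constructed.

```python
"""Triage Windows Internet Shortcut (.url) files before a user opens them.

Added example (not from the article or Trend Micro). The heuristics below are
general assumptions about what a benign web shortcut looks like, not the exact
mechanics of CVE-2023-36025.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Extensions that would hand control to a script host or installer if launched.
SCRIPT_EXTENSIONS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat",
                     ".cmd", ".cpl", ".msi", ".exe", ".scr", ".lnk"}

# Constructed samples: a normal web shortcut and one pointing at a remote script.
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://example.com/page
IconIndex=0
"""
SUSPICIOUS_SHORTCUT = """[InternetShortcut]
URL=file://\\\\192.0.2.10\\share\\update.vbs
IconFile=\\\\192.0.2.10\\share\\icon.ico
"""


def parse_url_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()          # tolerate a UTF-8 BOM
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_target(target: str) -> list[str]:
    """Return human-readable findings for one URL or path taken from the shortcut."""
    findings = []
    norm = target.strip().replace("\\", "/")        # treat \\host\share like //host/share
    if re.match(r"^[A-Za-z]:/", norm):              # bare drive path -> file URL
        norm = "file:///" + norm
    parts = urlsplit(norm)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme or 'none'}'")
    # file://host/... , file:////host/... and bare //host/... all name a remote share
    remote_host = bool(parts.netloc) or parts.path.startswith("//")
    if scheme in ("file", "") and remote_host:
        findings.append("points to a remote share (UNC path)")
    suffix = PurePosixPath(parts.path).suffix.lower()
    if suffix in SCRIPT_EXTENSIONS:
        findings.append(f"target is a launchable file ({suffix})")
    return findings


def triage_url_shortcut(text: str) -> dict:
    """Parse a .url file and return its target plus any findings."""
    fields = parse_url_shortcut(text)
    url = fields.get("url", "")
    findings = classify_target(url) if url else ["no URL= entry in [InternetShortcut]"]
    # An icon fetched from a remote share is another sign the shortcut was not user-made.
    icon = fields.get("iconfile", "")
    if icon and "points to a remote share (UNC path)" in classify_target(icon):
        findings.append("IconFile points to a remote share")
    return {"url": url, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SHORTCUT), ("suspicious", SUSPICIOUS_SHORTCUT)):
        print(name, triage_url_shortcut(sample))
```

Run it on a quarantine folder (read each .url file and pass its text to `triage_url_shortcut`) and route anything with findings to a mail or web gateway block rule; a normal browser-created shortcut produces no findings at all.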
The search for specific files and data begins immediately afterwards. The malware sends the collected data to the attackers via the API of Telegram, a popular instant-messaging platform in many countries around the globe. System information is sent first, followed by a compressed ZIP file containing all of the collected data.
The good news is that Microsoft patched the vulnerability, CVE-2023-36025, on November 14. Keeping IT systems healthy is therefore essential: regularly applying the latest security patches helps protect you against zero-day vulnerabilities that have been exploited in the wild before a fix was available.
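The exfiltration pattern described above (a non-messenger process talking to the Telegram Bot API, sending a text message and then uploading an archive) is visible in egress logs. The detection below is an added example, not code from the article: the log lines are constructed key=value proxy records whose field names are an assumption, and the allowlist of processes expected to reach Telegram is a local policy choice to adjust per environment.

```python
"""Flag data leaving through the Telegram Bot API in egress logs.

Added example, not from the article. SAMPLE_LOG is constructed; the
key=value layout and the process allowlist are assumptions.
"""
import re
from datetime import datetime

# Constructed sample records; real proxies differ in field names and layout.
# <redacted> stands in for a bot token, which the Bot API embeds in the path.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z host=WS01 proc=Telegram.exe dst=api.telegram.org method=POST path=/bot<redacted>/getUpdates bytes=312
2024-01-15T10:05:40Z host=WS07 proc=svchost.exe dst=update.microsoft.com method=GET path=/ bytes=1100
2024-01-15T10:06:02Z host=WS07 proc=update.exe dst=api.telegram.org method=POST path=/bot<redacted>/sendMessage bytes=2048
2024-01-15T10:06:09Z host=WS07 proc=update.exe dst=api.telegram.org method=POST path=/bot<redacted>/sendDocument bytes=1843200
"""

# Processes that legitimately talk to Telegram in this (assumed) environment.
ALLOWED_PROCS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict]:
    """Turn key=value log lines into dicts with a parsed 'ts' timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = dict(KV_RE.findall(m.group("rest")))
        rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_telegram_exfil(records: list[dict], allowed_procs=ALLOWED_PROCS,
                          window_s: int = 60) -> list[dict]:
    """Alert on non-allowlisted processes using the Bot API; raise severity when a
    document upload follows a text message from the same host/process."""
    alerts = []
    last_message = {}                      # (host, proc) -> time of last sendMessage
    for r in records:
        if r.get("dst", "").lower() != "api.telegram.org":
            continue
        proc = r.get("proc", "").lower()
        if proc in allowed_procs:
            continue
        key = (r.get("host"), proc)
        method = r.get("path", "").rsplit("/", 1)[-1]   # Bot API method name
        severity, reason = "low", f"unexpected process calling Bot API method {method}"
        if method == "sendMessage":
            last_message[key] = r["ts"]
            severity, reason = "medium", "unexpected process posting a message via Bot API"
        elif method == "sendDocument":
            severity, reason = "medium", "unexpected process uploading a document via Bot API"
            prev = last_message.get(key)
            if prev is not None and (r["ts"] - prev).total_seconds() <= window_s:
                severity = "high"
                reason += " shortly after a text message (stealer-style exfiltration)"
        alerts.append({"ts": r["ts"].isoformat(), "host": key[0], "proc": proc,
                       "bytes": int(r.get("bytes", 0)), "severity": severity,
                       "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_telegram_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

The rule keys on the destination host and the Bot API method name in the path rather than on any sample-specific string, so it survives token rotation; tune `window_s` and `ALLOWED_PROCS` to your own telemetry, and treat a `high` alert with a large `bytes` value as a likely archive upload worth isolating the host over.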