New malware discovered that can bypass Windows SmartScreen and steal user data

International security researchers from the Trend Micro team have just issued an urgent warning about a previously unknown type of malware that is actively exploiting the Windows Defender SmartScreen vulnerability CVE-2023-36025 to compromise target computers.

Named Phemedrone Stealer, it is a strain of data-harvesting malware that targets a variety of file types and specific information from popular software products, ranging from browsers and file managers to communication platforms and many other types of software.

Phemedrone Stealer even possesses the ability to collect real-time operational details of the target system - including geolocation data such as IP, country, city and postal code - on Windows 10 or 11, and to take screenshots in the process. Trend Micro lists the malware's specific targets as follows:

  1. For Chromium-based browsers, the malware collects password data, cookies, and autofill information stored in applications such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile and Microsoft Authenticator, among many others.
  2. For cryptocurrency wallets, Phemedrone Stealer extracts files from various cryptocurrency wallet applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.
  3. For Discord, the malware illegally accesses the user's account.
  4. For FileGrabber, the malware uses this component to collect user files from specified folders such as Documents and Desktop.
  5. For FileZilla, Phemedrone Stealer can capture FTP connection details and information from the application.
  6. For Gecko, the malware targets Gecko-based browsers to extract user data (Firefox being the most popular).
  7. System Information: Phemedrone Stealer collects detailed system information, including hardware specifications, geographic location, and operating system information, as well as taking screenshots.
  8. Steam: Phemedrone accesses files related to the Steam gaming platform.
  9. Telegram: The malware extracts user data from the installation directory, specifically targeting authentication-related files in the 'tdata' directory. This includes searching for files based on size and naming style.


The attack vector in this case is crafted .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen in the process. Users who are tricked into opening such a file will therefore not see the SmartScreen warning that this type of file is potentially harmful to the computer. Once the malware evades detection, it downloads its payload and establishes persistence on the system.
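As an added illustration for defenders (not code from the article or from Trend Micro's report), the following Python script triages .url (Internet Shortcut) files and flags targets that are not ordinary web links, since the vector described above relies on a shortcut that fetches and runs a script rather than opening a web page. The sample file contents and the 203.0.113.5 address are constructed, and the list of risky extensions is an assumed hunting heuristic, not something taken from the report.

```python
import os
from configparser import ConfigParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample .url contents (not real attack files): one benign web link,
# one pointing at a remote file:// target, one pointing at a UNC path.
SAMPLES: Dict[str, str] = {
    "docs.url": "[InternetShortcut]\nURL=https://learn.microsoft.com/\n",
    "invoice.url": "[InternetShortcut]\nURL=file://203.0.113.5/share/invoice.cpl\nIconIndex=0\n",
    "report.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\report.lnk\r\n",
}

WEB_SCHEMES = {"http", "https"}
# Assumed heuristic: file types that a link-style shortcut has little reason to open.
RISKY_EXTENSIONS = {".cpl", ".lnk", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".dll"}


def parse_url_shortcut(text: str) -> str:
    """Return the URL= value of an Internet Shortcut file, or '' if it has none."""
    cp = ConfigParser(interpolation=None)  # .url files are INI-style text
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def classify_target(url: str) -> List[str]:
    """List the reasons a shortcut target deserves review; empty means it looks like a plain web link."""
    reasons: List[str] = []
    if not url:
        return ["no URL= entry"]
    if url.startswith("\\\\"):            # UNC path: \\host\share\file
        reasons.append("UNC path target")
        path = url.replace("\\", "/")
    else:
        parsed = urlparse(url)
        scheme = parsed.scheme.lower()
        if scheme not in WEB_SCHEMES:
            reasons.append(f"non-web scheme '{scheme or 'none'}'")
        if scheme == "file" and parsed.netloc:
            reasons.append(f"file:// target on remote host {parsed.netloc}")
        path = parsed.path
    ext = os.path.splitext(path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"target is a {ext} file")
    return reasons


def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious file name to its findings; files with no findings are omitted."""
    return {name: r for name, text in files.items() if (r := classify_target(parse_url_shortcut(text)))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

A shortcut that passes this check is not proven benign, and the check does not replace the CVE-2023-36025 patch; it only narrows which .url files an analyst looks at first.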


The search for specific files and data begins immediately afterwards. The malware sends the collected data to the attackers via the API of Telegram, a popular instant-messaging platform in several countries around the globe. System information is sent first, followed by a compressed ZIP file containing all collected data.

The good news is that Microsoft addressed the vulnerability CVE-2023-36025 on November 14. Maintaining the health of IT systems is therefore essential, and regularly applying the latest security patches helps protect you against zero-day vulnerabilities that exist but have not yet been fixed on your systems.

Update 18 January 2024