Phemedrone Stealer Detection: Threat Actors Exploit CVE-2023-36025 Vulnerability in Windows SmartScreen to Deploy Malware

This time security researchers report a malicious campaign leveraging a now-patched Windows SmartScreen flaw (CVE-2023-36025) to drop the Phemedrone payload. Phemedrone is an open-source information stealer capable of siphoning data from crypto wallets, messaging apps, popular software, and more.

Detect Phemedrone Stealer

With over 1 billion malware samples circulating in the cyber domain, security professionals require innovative tools to preempt cyber attacks and defend against emerging threats proactively. To identify malicious activity associated with the latest Phemedrone campaign, check out a rule by our keen Threat Bounty developer Kagan Sukur.

Determination of the Persistence Mechanism Used in Phemedrone Stealer Activity (via process_creation)

The rule above helps to detect the Phemedrone persistence mechanism created on the system during its distribution. The detection is compatible with 27 SIEM, EDR, XDR, and Data Lake solutions, mapped to the MITRE ATT&CK framework v14, and enriched with extensive threat intelligence, attack timelines, and additional metadata.

In view of hackers weaponizing a security bypass flaw in Windows SmartScreen to proceed with infections, cyber defenders might explore a curated detection stack aimed at detecting CVE-2023-36025 exploits. Just hit the Explore Detections button below and drill down to the rule set.


Eager to join the collective cyber defense community? Security professionals seeking the opportunity to improve their skill set while networking with peers are more than welcome to become members of SOC Prime's Threat Bounty Program.

Phemedrone Stealer Campaign Analysis

A recent investigation by Trend Micro reveals the details of the latest Phemedrone stealer campaign, which relies on CVE-2023-36025 for defense evasion and payload deployment.

Phemedrone stealer is an open-source malware sample actively maintained by its developers via GitHub and advertised in Telegram. The malware can dump data from web browsers, crypto accounts, popular messengers, and apps. Phemedrone is also capable of taking screenshots and gathering system information, which is then sent to the adversaries via Telegram or a C&C server.

In the ongoing campaign, threat actors trick users into downloading malicious Internet Shortcut files that trigger the infection chain. Typically, attackers disseminate such .URL files via Discord or cloud services, masking them with the help of URL shorteners. Once the user opens a booby-trapped file, it executes a control panel file, circumventing Windows Defender SmartScreen through the CVE-2023-36025 security bypass bug. The .CPL file then triggers DLL execution, which drops a PowerShell loader for Phemedrone.
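The .URL to .CPL to DLL to PowerShell chain described above is the kind of parent-child relationship a process_creation rule keys on. The following Python correlator is an added illustration, not SOC Prime's rule and not code from the Trend Micro report: it flags a PowerShell process whose ancestry includes a .cpl launched from a user-writable path. The control.exe/rundll32.exe loader names are an assumption about how Windows runs .cpl files, and all sample events are constructed, since the post gives no command lines.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # Sysmon EID 1 fields we need
CTL = r"C:\Windows\System32\control.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real campaign data): a suspicious chain in which a
# .cpl from a user's Downloads folder ends in PowerShell, plus two benign processes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, CTL, r'control.exe "C:\Users\alice\Downloads\invoice.cpl"'),
    ProcEvent(201, 200, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\Downloads\invoice.cpl"'),
    ProcEvent(202, 201, PS, "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(300, 100, CTL, r"control.exe C:\Windows\System32\timedate.cpl"),  # genuine applet
    ProcEvent(400, 100, PS, r"powershell.exe -File C:\Scripts\backup.ps1"),     # admin script
]

# Assumption: .cpl files are run through control.exe / rundll32.exe. A .cpl sitting
# under C:\Users\... is the signal; applets shipped in System32 are expected.
CPL_LOADERS = {"control.exe", "rundll32.exe"}
USER_PATH_CPL = re.compile(r"\\users\\[^\\]+\\.*\.cpl\b", re.IGNORECASE)

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def is_user_path_cpl_launch(ev: ProcEvent) -> bool:
    return basename(ev.image) in CPL_LOADERS and bool(USER_PATH_CPL.search(ev.cmdline))

def ancestors(by_pid: dict, ev: ProcEvent, max_depth: int = 5) -> list:
    """Walk the parent chain up to max_depth hops, stopping at an unknown parent."""
    chain = []
    while len(chain) < max_depth and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain

def detect_cpl_to_powershell(events: list) -> list:
    """Return one alert per PowerShell process with a user-path .cpl launch in its ancestry."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in (e for e in events if basename(e.image) == "powershell.exe"):
        for anc in ancestors(by_pid, ev):  # nearest matching ancestor is reported
            if is_user_path_cpl_launch(anc):
                alerts.append({"powershell_pid": ev.pid, "cpl_pid": anc.pid,
                               "cpl_cmdline": anc.cmdline})
                break
    return alerts
```

Against the sample, only PID 202 is reported (its parent 201 is the rundll32 launch of the Downloads-folder .cpl); the System32 applet and the scripted PowerShell run are not.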

Notably, CVE-2023-36025 was addressed by Microsoft back in November 2023. Yet adversaries still find ways to weaponize the flaw and leverage it in ongoing malicious operations.

The ever-increasing number of attacks leveraging innovative malicious methods requires advanced technologies to stay on top of the trending threats. Security professionals might leverage Uncoder AI, the industry-first IDE for detection engineering, to code faster and smarter while instantly translating algorithms into 65 technology language formats.
