Cybercriminals are exploiting a recently disclosed vulnerability in the Windows SmartScreen filter to covertly install information-stealing malware named Phemedrone Stealer on vulnerable Windows systems. SmartScreen is Microsoft’s built-in browser protection that screens downloads and website visits against a catalogue of known malicious sources.
Researchers disclosed the vulnerability, tracked as CVE-2023-36025, earlier this month. Microsoft has released a patch, but many systems likely remain unpatched and vulnerable to this attack vector.
Timeline of the Phemedrone Campaign
- January 10, 2023 – Vulnerability disclosed allowing bypass of Windows SmartScreen
- January 11, 2023 – Proof-of-concept exploit code published on GitHub
- January 12, 2023 – Attackers incorporate vulnerability into Phemedrone Stealer malware campaign
Technical Details of the Attack Vector
The attackers are utilizing a flaw in the SmartScreen API to disguise malicious payloads as benign files, tricking SmartScreen into classifying them as “approved downloads” rather than suspicious or dangerous.
Specifically, the attackers are manipulating the Server Error Response codes returned from the SmartScreen service. By returning Error Code 204 when checking a file, SmartScreen will add the file to its catalog of approved downloads rather than flagging it as potentially malicious.
With this technique, attackers can bypass SmartScreen to covertly distribute malware to victims without raising warnings or alerts.
Capabilities of the Phemedrone Malware
Phemedrone Stealer is an information-stealing malware designed to extract sensitive data from compromised Windows systems, including:
- Browser cookies, history, passwords, and autofill data
- Cryptocurrency wallets
- VPN configurations
- WiFi passwords
- System credentials
- Clipboard contents
The malware utilizes various techniques to evade detection, maintain persistence on systems, and exfiltrate stolen data back to the attackers’ servers.
Scale and Scope of Attacks
Researchers have observed thousands of attacks attempting to distribute Phemedrone Stealer by exploiting this SmartScreen bypass technique. Attacks have been seen originating from multiple command-and-control servers.
At this point, it is unclear how many systems have been successfully compromised. But given that patching against this vulnerability is still in the early stages, there is concern that a significant number of systems remain vulnerable to this attack vector.
What This Means for Consumers and Organizations
For consumers and organizations running Windows systems, applying the latest patches is critical to close this vulnerability and prevent potential compromise by Phemedrone Stealer.
However, data shows that patching against disclosed vulnerabilities is often delayed. On average, it takes organizations over 25 days to roll out patches after they become available.
Therefore, additional interim protections are prudent, including:
- Enabling antivirus and anti-malware tools
- Exercising caution around downloads and visiting unknown websites
- Monitoring systems for signs of compromise
Proactive measures like these can help mitigate risk while patching processes are underway.
For systems that cannot be patched immediately, such as complex enterprise environments or legacy OS versions that have reached end-of-life, extra vigilance is warranted. Isolating vulnerable systems, intensifying logging/monitoring, or deploying compensating controls like file integrity monitoring or endpoint detection solutions should be considered.
What Happens Next
Researchers expect attackers to continue actively exploiting this vulnerability through Phemedrone Stealer and potentially other malware until patching reaches sufficient levels.
Therefore, maintaining urgency around patching vulnerable Windows systems should be a priority for consumers and enterprises alike.
In addition, researchers will be closely analyzing this campaign’s tactics, techniques and procedures. By better understanding the attackers’ methods, the cybersecurity community can enhance protective measures and resiliency against similar threats.
Proactive cyber defense relies upon this cycle of continuous learning about the evolving threat landscape. While patching addresses immediate risks, ongoing security enhancement driven by threat intelligence ultimately helps strengthen the protection of devices, data, and organizations over time.
| Percentage of Organizations Taking Over 25 Days to Patch Known Vulnerabilties |
|---|
| 60% |
With threat actors actively attempting exploitation of CVE-2023-36025 ahead of reliable patching in many environments, organizations should urgently adopt interim security measures to detect attacks and minimize potential impact from campaigns like Phemedrone Stealer. Continuing the patching cycle and maturing defensive capabilities serve as the long-term solution for managing risk from software vulnerabilities.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
