Security News > 2024 > January > Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025)

Grabbing Discord authentication tokens and files related to Steam and Telegram authentication-related files.

Exploiting CVE-2023-36025 allows attackers to bypass Windows Defender SmartScreen checks and associated prompts, which means that when the victim is tricked into dowloading and opening a malicious file, Windows won't warn them against it if the service finds the file suspicious and potentially malicious.

Trend Micro researchers didn't say how victims are tricked into downloading malicious Internet Shortcut files hosted on Discord or other cloud services such as FileTransfer.io, but they know that once they execute it, an exploit for CVE-2023-36025 is triggered and a DLL file masquerading as a control panel item file is downloaded.

"When the malicious.cpl file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL. This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub," they explained.

A number of additional files and scripts are downloaded to achieve persistence and second-stage defense evasion so that Phemedrone Stealer can be installed.

"Threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types," the researchers noted.

News URL

https://www.helpnetsecurity.com/2024/01/15/cve-2023-36025-exploited/