Windows SmartScreen flaw exploited to drop Phemedrone malware
2024-01-15 18:32

A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files.

The Microsoft Defender flaw exploited in the Phemedrone campaign is CVE-2023-36025, which was fixed during the November 2023 Patch Tuesday, where it was marked as actively exploited in attacks.

Trend Micro's researchers report that the Phemedrone campaign is not the only malware family they've seen targeting the particular flaw in Windows, with other cases involving ransomware.

Usually, when opening URL files downloaded from the internet or sent via email, Windows SmartScreen will display a warning that opening the file could harm the computer.

When a victim is tricked into opening one of the malicious URL files, the file exploits the CVE-2023-36025 flaw in Windows SmartScreen so that this prompt is not shown and the command is executed automatically.
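The two paragraphs above describe the whole mechanism: a .url file normally triggers a SmartScreen prompt, and the flaw suppresses it. A defender's first line of triage is therefore to look at what the shortcut actually points to before it is ever opened. The script below is an added example written for this page, not code from the article, BleepingComputer or Trend Micro. It parses the documented [InternetShortcut] format and flags targets on remote shares or ending in executable file types; those heuristics, the sample shortcut files and the 203.0.113.10 host (documentation range) are constructed for the example and are not indicators from the campaign.

```python
"""Triage heuristics for Windows Internet Shortcut (.url) files.

Added example for this news item; not code from the article, BleepingComputer
or Trend Micro. Parsing of the [InternetShortcut] section follows the
documented .url format; the risk heuristics are this example's own assumptions
about what a defender would want flagged in a mail-attachment quarantine or
download folder before a shortcut is opened.
"""
import configparser
import posixpath
import re
from urllib.parse import unquote

# File types whose direct launch from a shortcut deserves analyst attention
# (assumed list, not taken from the article).
EXECUTABLE_EXTS = {".exe", ".dll", ".cpl", ".scr", ".msi", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}

# Constructed sample shortcuts; the host uses the documentation range
# 203.0.113.0/24 and is not an indicator from the campaign.
SAMPLE_URL_FILES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs/guide\r\n",
    "local_doc.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    # Target is an executable on a remote share: exactly the kind of target the
    # SmartScreen warning prompt exists to intercept.
    "remote_share.url": ("[InternetShortcut]\r\n"
                         "URL=file://\\\\203.0.113.10\\share\\invoice.exe\r\n"
                         "IconIndex=0\r\n"),
}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] key/value pairs with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # shortcut keys are case-insensitive on Windows
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        raise ValueError("not an Internet Shortcut file")
    return dict(cp.items(section))


def _split_target(target: str):
    """Split a target into (scheme, host, path), tolerating backslashes and the
    two-to-four slash variants seen in file:// and UNC targets."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", target)
    if m and len(m.group(1)) == 1:      # "C:\..." is a drive letter, not a scheme
        m = None
    scheme, rest = (m.group(1).lower(), m.group(2)) if m else ("", target)
    rest = rest.replace("\\", "/")
    if scheme in ("http", "https", "ftp"):
        host, _, path = rest.lstrip("/").partition("/")
        return scheme, host.lower(), path
    if scheme in ("file", ""):
        first, _, path = rest.lstrip("/").partition("/")
        local = (first == "" or first.lower() == "localhost"
                 or re.fullmatch(r"[A-Za-z]:", first) is not None)
        return "file", ("" if local else first.lower()), path
    return scheme, "", rest


def assess_url_file(text: str) -> dict:
    """Parse one .url file and return its target plus a list of findings."""
    fields = parse_url_file(text)
    target = fields.get("url", "").strip()
    findings = []
    scheme, host, path = _split_target(target) if target else ("", "", "")
    if not target:
        findings.append("no URL= key; nothing for the shell to open")
    elif scheme == "file" and host:
        findings.append(f"target is a file on a remote share ({host})")
    elif scheme not in ("http", "https", "file"):
        findings.append(f"unexpected scheme '{scheme}'")
    last = posixpath.basename(path.split("?", 1)[0].split("#", 1)[0])
    ext = posixpath.splitext(unquote(last))[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append(f"target points at an executable file type ({ext})")
    return {"target": target, "scheme": scheme, "remote_host": host,
            "findings": findings,
            "verdict": "suspicious" if findings else "benign-looking"}


def triage(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: assess_url_file(text)["verdict"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_URL_FILES.items():
        result = assess_url_file(text)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it as-is to see the three constructed samples classified, or point `assess_url_file` at the contents of quarantined attachments. The parser deliberately accepts the sloppy forms Windows tolerates (backslashes, missing or extra slashes, drive letters without a scheme) so that an attacker cannot dodge the check by formatting the target oddly; the verdict is a triage hint for an analyst, not a replacement for the SmartScreen prompt, which the patch for CVE-2023-36025 restores.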

The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masqueraded as a PDF file, a legitimate Windows binary, and 'wer.

News URL

https://www.bleepingcomputer.com/news/security/windows-smartscreen-flaw-exploited-to-drop-phemedrone-malware/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                        RISK
2023-11-14  CVE-2023-36025  Unspecified vulnerability in Microsoft products            network, low complexity, microsoft, 8.8
                            Windows SmartScreen Security Feature Bypass Vulnerability
2023-08-05  CVE-2023-36095  Code Injection vulnerability in Langchain 0.0.194          network, low complexity, langchain, CWE-94, critical, 9.8
                            An issue in Harrison Chase langchain v.0.0.194 allows an
                            attacker to execute arbitrary code via the python exec
                            calls in the PALChain; affected functions include
                            from_math_prompt and from_colored_object_prompt.