Security News > 2024 > January > Windows SmartScreen flaw exploited to drop Phemedrone malware

A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files.

The Microsoft Defender flaw exploited in the Phemedrone campaign is CVE-2023-36025, which was fixed during the November 2023 Patch Tuesday, where it was marked as actively exploited in attacks.

Trend Micro's researchers report that the Phemedrone campaign is not the only malware family they've seen targeting the particular flaw in Windows, with other cases involving ransomware.

Usually, when opening URL files downloaded from the internet or sent via email, Windows SmartScreen will display a warning that opening the file could harm the computer.

When the victim is tricked into opening one of the malicious URL files, they exploit the CVE-2023-36095 flaw in Windows SmartScreen so that this prompt is not shown and the command is executed automatically.

The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masqueraded as a PDF file, a legitimate Windows binary, and 'wer.

News URL

https://www.bleepingcomputer.com/news/security/windows-smartscreen-flaw-exploited-to-drop-phemedrone-malware/