This is why we update… Data-thief malware exploits unpatched Windows PCs • The Register


Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information – passwords, cookies, authentication tokens, you name it – to grab and leak.

The malware abuses CVE-2023-36025, which Microsoft patched in its November 2023 Patch Tuesday update. Specifically, the flaw lets a crafted file slip past Windows Defender SmartScreen, the check that is supposed to warn users before they run code downloaded from the internet, so Phemedrone and other malicious software can launch without the prompt that would normally give the victim pause. When Redmond issued the fix, it warned the bug had already been found by miscreants and exploited in the wild.

Shortly after Microsoft plugged the hole, the patch was reverse-engineered to produce a proof-of-concept exploit. Now that everyone knows how to attack systems using this vulnerability, update your Windows machines to close off this avenue if you haven't already: confirm the November 2023 or a later cumulative update is installed. Bear in mind that the fix only restores the SmartScreen warning; it does not stop a user who clicks through it, so the usual phishing awareness still applies.

In research published today, Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun detail the Phemedrone info-stealer, including how it works, how it uses CVE-2023-36025 to infect a PC, and how to detect its presence on a network.

We’re told the malware targets a ton of browsers and applications on victims’ PCs, lifting sensitive info from files of interest and sending the data to fraudsters to exploit. These targets include Chromium-based browsers as well as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator. Phemedrone looks for things like passwords, cookies, and autofill information to exfiltrate; once this data is in the hands of the malware’s operators, it can be used to log into the victims’ online accounts and cause all sorts of damage and strife. Stolen session cookies are the nasty part: replaying one takes over an account without the password or a second factor, so after an infection it is not enough to rotate passwords, the active sessions have to be revoked as well.

The code also steals files and other user data from several cryptocurrency wallets and messaging apps including Discord and Telegram, and login details for the Steam gaming platform.

In addition it gathers up a bunch of telemetry, including hardware specs, geolocation data, and operating system information, and takes screenshots, sending all of this off to the attackers via Telegram or to a remote command-and-control server. Using Telegram as the drop point means the exfiltration traffic goes to a legitimate, widely allowed domain over HTTPS, so a plain domain blocklist at the perimeter will not catch it; spotting it means looking at which process is talking to the Telegram API, and from where.
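The following is an added example, not code from the article or from Trend Micro's research: a hypothetical detection heuristic built on the two exfiltration channels named above, the Telegram Bot API and a raw command-and-control server. It runs over constructed outbound-HTTP log lines (the pipe-separated format, field names, allow-list, user-writable-path list, sample process names, bot tokens and the documentation-range IP are all assumptions made for this example) and flags Bot API content-pushing calls from unexpected processes, plus POSTs to bare IP addresses from user-writable directories.

```python
"""Flag stealer-style exfiltration in outbound HTTP logs.

Added example, not code from the article or from Trend Micro. Hypothetical
heuristic: the log format, field names, allow-list, path list and sample
lines below are all constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)"
)
# Bot API methods that push content into a chat, i.e. the ones an exfil channel needs.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendMediaGroup"}
# Outbound requests straight to an IP literal instead of a hostname.
RAW_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
# Locations a payload dropped under a user account tends to run from (assumption).
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I
)
# Executables permitted to reach the Bot API in this environment (assumption; tune locally).
ALLOWED_BOT_API_PROCESSES = {"telegram.exe"}


@dataclass
class Hit:
    ts: str
    host: str
    process: str
    channel: str        # "telegram" or "raw-ip-c2"
    detail: str         # Bot API method and bot id, or the destination URL
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line: ts|host|process_path|http_method|url."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "proc", "http", "url"), parts))


def classify(rec: dict) -> Optional[Hit]:
    """Return a Hit if the record looks like stealer exfiltration, else None."""
    exe = rec["proc"].rsplit("\\", 1)[-1].lower()
    from_user_dir = bool(USER_WRITABLE_RE.search(rec["proc"]))
    m = BOT_API_RE.match(rec["url"])
    if m:
        if exe in ALLOWED_BOT_API_PROCESSES:
            return None
        reasons = ["process not on Bot API allow-list"]
        if from_user_dir:
            reasons.append("runs from user-writable directory")
        if rec["http"] == "POST" and m["method"] in UPLOAD_METHODS:
            reasons.append("content-pushing method")
        # Only the numeric bot id goes into the alert text. The secret half is a
        # live credential for the attacker's bot: keep it in the evidence store,
        # not in a ticket that gets forwarded around.
        return Hit(rec["ts"], rec["host"], rec["proc"], "telegram",
                   f"{m['method']} via bot {m['bot_id']}", reasons)
    if rec["http"] == "POST" and RAW_IP_URL_RE.match(rec["url"]) and from_user_dir:
        return Hit(rec["ts"], rec["host"], rec["proc"], "raw-ip-c2", rec["url"],
                   ["POST to IP literal from user-writable directory"])
    return None


def scan(lines) -> List[Hit]:
    """Run classify() over an iterable of log lines, skipping unparsable ones."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log, not real telemetry. Tokens, paths and the IP are placeholders.
SAMPLE_LOG = [
    r"2024-01-16T10:02:11Z|WS-0417|C:\Program Files\Telegram Desktop\Telegram.exe|POST|https://api.telegram.org/bot111111111:AAExampleTokenOne/sendMessage",
    r"2024-01-16T10:05:40Z|WS-0417|C:\Users\alice\AppData\Local\Temp\runtime.exe|POST|https://api.telegram.org/bot222222222:AAExampleTokenTwo/sendDocument",
    r"2024-01-16T10:05:41Z|WS-0417|C:\Program Files\Google\Chrome\Application\chrome.exe|GET|https://web.telegram.org/",
    r"2024-01-16T10:06:02Z|WS-0417|C:\Users\alice\AppData\Roaming\Updater\update.exe|POST|https://198.51.100.7:8443/gate.php",
    r"2024-01-16T10:07:15Z|WS-0417|C:\Windows\System32\svchost.exe|POST|http://192.0.2.10/",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.host} {h.channel}: {h.process} -> {h.detail} [{'; '.join(h.reasons)}]")
```

On the sample data only the second and fourth lines fire: the allow-listed Telegram client, the browser visiting web.telegram.org, and the system-directory process posting to an IP are all left alone. The allow-list and path heuristics are deliberately the weak points, since a determined operator can run from elsewhere or proxy through a hostname; the durable signal is a process that has no business talking to the Bot API doing so at all.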

Miscreants infect victims’ machines with Phemedrone by tricking marks…
