Alarm raised over patched Phemedrone Stealer malware that's being used to target Windows PCs - here's what you need to know
Phemedrone Stealer is being used to exploit a vulnerability in Windows Defender SmartScreen despite the issue being patched in November 2023


Security experts have raised concerns about a new strain of malware, dubbed ‘Phemedrone Stealer’, that is being used to target Windows PCs through a vulnerability in Windows Defender SmartScreen.
Analysis from Trend Micro describes how a bypass vulnerability in the Windows Defender SmartScreen, tracked as CVE-2023-36025, is being exploited in a new malware campaign despite a patch having been issued late last year.
The bypass vulnerability allows threat actors to gain access to a user’s system and circumvent the SmartScreen feature’s checks and their associated prompts.
Phemedrone Stealer is then used to exfiltrate sensitive information from web browsers, cryptocurrency wallets, and messaging platforms such as Telegram or Discord.
The malware targets specific types of sensitive information depending on the source application, researchers said. For example, it harvests passwords, cookies and autofill information stored in password managers and authenticators of Chromium-based browsers.
Once stolen, Phemedrone Stealer sends the data to the threat actors via a Telegram channel or the attacker’s command and control (C&C) server.
The report noted that despite the fact that Microsoft patched the vulnerability on 14 November 2023, researchers have observed its use in the wild and that a large number of devices globally may still be vulnerable to this attack.
Evidence of threat actors exploiting the vulnerability in the real world led the Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) list.
Here’s how Phemedrone Stealer works
In their analysis, researchers at Trend Micro found the attackers gain initial access via cloud-hosted URLs using Discord or another cloud service such as FileTransfer.io.
The threat actors try to hide their malicious intent by disguising these URLs to look like reputable sites, the report said.
“The files are also often disguised using URL shorteners such as shorturl.at. An unsuspecting user might then be enticed to or tricked into opening a maliciously crafted .url file that exploits CVE-2023-36025.”
Once the malicious .url file is executed, the attackers employ a number of evasion techniques to avoid being detected on the system and complete the delivery of the payload.
Analysis of Phemedrone Stealer itself shows that when executed on the victim's PC, it decrypts certain items including a Telegram API token, chat ID, and Email_To mutex.
“This is done using a predefined salt and encryption key and the RijndaelManaged symmetric encryption algorithm. The process involves removing the "CRYPTED:" prefix from the strings, converting the remaining base64-encoded strings into byte arrays and decrypting these arrays to extract the original plain-text values.”
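As an added example (not code from Trend Micro's report or from the malware), the decoding routine the quote describes, written as an analyst's configuration-extraction helper in Go: strip the "CRYPTED:" prefix, base64-decode, decrypt with AES-CBC (RijndaelManaged at its default 128-bit block size) and remove the padding. The key derivation, the prepended IV, and every key, salt and token value are assumptions or placeholders, since the page gives none of them; EncryptConfigString exists only to build a constructed fixture.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Assumed key derivation (SHA-256 over key material plus salt); the page does not say how the sample combines them.
func deriveKey(key, salt string) []byte {
	sum := sha256.Sum256([]byte(key + salt))
	return sum[:]
}
// DecryptConfigString reverses the described format: strip "CRYPTED:", base64-decode, AES-256-CBC
// decrypt (RijndaelManaged's default 128-bit block), strip PKCS#7 padding. Assumes a prepended 16-byte IV.
func DecryptConfigString(s, key, salt string) (string, error) {
	if !strings.HasPrefix(s, "CRYPTED:") {
		return "", errors.New("not a CRYPTED: string")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(s, "CRYPTED:"))
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not an IV plus whole blocks")
	}
	block, _ := aes.NewCipher(deriveKey(key, salt)) // 32-byte key, cannot fail
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1]) // a wrong key or salt almost always fails this check
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (wrong key or salt?)")
	}
	return string(pt[:len(pt)-pad]), nil
}
// EncryptConfigString only builds constructed fixtures for the decoder; the IV is a parameter so they are deterministic.
func EncryptConfigString(plain, key, salt string, iv []byte) string {
	block, _ := aes.NewCipher(deriveKey(key, salt))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return "CRYPTED:" + base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}
```

Against a real sample the key, salt and IV handling would be taken from the decrypt routine in the binary; the padding check then doubles as a quick sanity test that the recovered constants are right.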
The malware compresses the stolen data into a ZIP file which it can then send to the attacker via Telegram, after validating the Telegram API token using the TokenIsValid method and making an API call to the app’s getMe endpoint.
The analysis concluded that malware strains such as Phemedrone Stealer emphasize the increasing sophistication of such attacks, where threat actors are able to quickly improve their infection chains using the latest critical vulnerabilities in popular software.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.