Threat Intelligence

Novel infostealer spread via Windows Defender SmartScreen flaw

Attacks leveraging an already patched Windows Defender SmartScreen bypass flaw, tracked as CVE-2023-36025, have been launched to facilitate the distribution of the novel Phemedrone Stealer malware, according to The Register.

Numerous Chromium-based browsers and apps, including Google Authenticator, Microsoft Authenticator, LastPass, NordPass, KeePass, and Duo Mobile, have been targeted by Phemedrone for exfiltration of geolocation information, operating system details, and other telemetry, a report from Trend Micro revealed. Initial compromise has been enabled by malicious Internet Shortcut files which, when downloaded, trigger the execution of scripts that prevent SmartScreen from warning users that they are under attack. "Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism," said researchers, who added that various other techniques have also been used by the information-stealing malware to evade detection.
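As an added, defender-side illustration (not code from the SC Media or Trend Micro reports), the following Python heuristic parses Internet Shortcut (.url) files and flags any whose target is a Control Panel item (.cpl) or a file:// / UNC path instead of a web page, which is the pattern the researchers describe. The sample files, names and host address are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample .url files (INI-style, [InternetShortcut] section).
# They are illustrative only, not artefacts from the reported campaign.
SAMPLES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "suspect.url": (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.10/share/update.cpl\r\n"   # placeholder host
        "IconIndex=0\r\n"
    ),
}


def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, if present."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None


def flag_reasons(target: str) -> List[str]:
    """Heuristics for a shortcut target that deserves a warning, not a silent open."""
    reasons: List[str] = []
    parts = urlsplit(target)
    if parts.path.lower().endswith(".cpl"):
        reasons.append("target is a Control Panel item (.cpl), not a web page")
    if parts.scheme.lower() == "file" or re.match(r"^\\\\", target):
        reasons.append("target is a file:// or UNC path rather than http(s)")
    return reasons


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each .url file name to its list of findings; clean files are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, text in files.items():
        target = shortcut_target(text)
        if target is not None and (reasons := flag_reasons(target)):
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Running the script reports only `suspect.url`, with both the .cpl and the file:// reasons; a real deployment would feed it the .url files quarantined by a mail or download gateway.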
