January 16, 2024
Severity
High
Analysis Summary
A new information-stealer campaign, dubbed Phemedrone, exploits a Microsoft Defender SmartScreen flaw to bypass the security prompt Windows displays when opening URL files. The vulnerability is CVE-2023-36025; it was patched in November 2023 and is marked as actively exploited in cyberattacks.
Phemedrone is an emerging open-source info-stealer capable of stealing data from cryptocurrency wallets, web browsers, and applications such as Steam, Discord, and Telegram. The stolen data is exfiltrated to the threat actors, who either use it in further malicious activity or sell it to other cybercriminals. The attack chain starts with the user clicking a specially crafted Internet Shortcut (.URL) file, or a hyperlink that leads to one, after which the system is compromised by the threat actor.
The threat actors host the malicious URL files on trusted cloud services such as FireTransfer.io and Discord, usually disguised with URL shortener services like shorturl.at. Normally, when a URL file downloaded from the internet is opened, Windows SmartScreen displays a warning that the file could be dangerous. Because of CVE-2023-36025, however, the prompt is not shown and victims are tricked into opening the malicious URL.
As a result, the embedded commands execute automatically: the URL file downloads a Control Panel item (.cpl) file from the actor-controlled server and executes it, which launches a malicious DLL payload through rundll32.exe. The DLL is a PowerShell loader; a file posing as a PDF, a legitimate Windows binary, and a ‘wer.dll’ are then used for DLL side-loading to establish persistence.
When Phemedrone executes on the infected device, it initializes its configuration, decrypts the items it needs, harvests data from the targeted applications, and exfiltrates it via Telegram. The targeted applications include:
- Chromium browsers: Harvests passwords, cookies, and autofill from browsers and security apps.
- Gecko browsers: Extracts user data from Gecko-based browsers like Firefox.
- Crypto wallets: Extracts data from various crypto wallet apps.
- Discord: Gains unauthorized access by extracting authentication tokens.
- FileGrabber: Collects user files from folders on the computer.
- FileZilla: Captures FTP details and credentials.
- System info: Gathers hardware specs, geolocation, OS details, and screenshots.
- Steam: Accesses files related to the platform.
- Telegram: Extracts user data, focusing on authentication files in the “tdata” folder.
Initially, few details were known about in-the-wild exploitation of this vulnerability, but the proof-of-concept exploits that were subsequently published have raised the risk for unpatched Windows systems. Security researchers note that the Phemedrone campaign is not the only malware family exploiting this Windows vulnerability.
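As an added example that is not part of the Rewterz advisory, the following Python script shows how a defender could triage process-creation telemetry for the two observable steps of the chain described above: rundll32.exe loading a .cpl file from outside the Windows system directories, and powershell.exe being spawned by rundll32.exe. The log layout, user name, directories and PowerShell script path are constructed assumptions; only the file name pdf2.cpl is taken from the advisory's URL indicator.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (illustrative, not real telemetry).
# Assumed layout: <timestamp>\t<parent image>\t<image>\t<command line>.
# "pdf2.cpl" is the file name from the advisory's URL IOC; the user name,
# directories and PowerShell script path are placeholders.
SAMPLE_LOG = """\
2024-01-16T10:01:02Z\texplorer.exe\tchrome.exe\t"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
2024-01-16T10:02:15Z\texplorer.exe\trundll32.exe\trundll32.exe shell32.dll,Control_RunDLL C:\\Users\\alice\\Downloads\\pdf2.cpl
2024-01-16T10:02:16Z\trundll32.exe\tpowershell.exe\tpowershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1
2024-01-16T10:05:00Z\texplorer.exe\trundll32.exe\trundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\timedate.cpl
"""

# A drive-letter path ending in .cpl; quoted paths containing spaces are not handled.
CPL_RE = re.compile(r'([A-Za-z]:\\[^"\s]+?\.cpl)\b', re.IGNORECASE)
# Control Panel items legitimately live here; a .cpl anywhere else is suspicious.
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (timestamp, rule name, evidence)


def parse_events(log_text: str) -> List[Event]:
    """Split the tab-separated sample format into one dict per event."""
    events: List[Event] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("\t", 3)
        events.append({"ts": ts, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def triage(events: List[Event]) -> List[Finding]:
    """Apply the two chain-specific rules and return what they flag."""
    findings: List[Finding] = []
    for ev in events:
        # Step 1 of the chain: rundll32.exe launching a .cpl that did not come
        # from the Windows system directories (e.g. a downloaded Control Panel item).
        if ev["image"] == "rundll32.exe":
            for path in CPL_RE.findall(ev["cmdline"]):
                if not path.lower().startswith(TRUSTED_CPL_DIRS):
                    findings.append((ev["ts"], "rundll32 loading .cpl outside System32", path))
        # Step 2: the DLL is a PowerShell loader, so rundll32.exe spawning
        # powershell.exe is the next observable in the chain.
        if ev["image"] == "powershell.exe" and ev["parent"] == "rundll32.exe":
            findings.append((ev["ts"], "PowerShell spawned by rundll32", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for ts, rule, evidence in triage(parse_events(SAMPLE_LOG)):
        print(f"{ts}  {rule}: {evidence}")
```

The legitimate timedate.cpl launch in the last sample line is deliberately included to show that the rule keys on the .cpl's location rather than on rundll32.exe alone, which would otherwise be far too noisy on a normal Windows host.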
Impact
- Security Bypass
- Unauthorized Access
- Sensitive Information Theft
Affected Vendors
Microsoft
Affected Products
- Microsoft Windows Server 2019
- Microsoft Windows 10 x64
- Microsoft Windows 10 1809 for 32-bit Systems
- Microsoft Windows 10 1809 for x64-based Systems
- Microsoft Windows 10 1809 for ARM64-based Systems
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows 10 x32
- Microsoft Windows Server (Server Core installation) 2019
- Microsoft Windows Server (Server Core installation) 2016
- Microsoft Windows Server (Server Core installation) 2012 R2
- Microsoft Windows Server (Server Core installation) 2012
- Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
- Microsoft Windows Server for 32-bit systems 2008 SP2
- Microsoft Windows Server (Server Core installation) 2022
- Microsoft Windows 10 1607 for 32-bit Systems
- Microsoft Windows 10 1607 for x64-based Systems
- Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
- Microsoft Windows Server 2022
- Microsoft Windows Server for X64-based systems 2008 SP2
- Microsoft Windows 10 21H2 for 32-bit Systems
- Microsoft Windows 10 21H2 for ARM64-based Systems
- Microsoft Windows 10 21H2 for x64-based Systems
- Microsoft Windows Server for X64-based systems 2008 R2 SP1
- Microsoft Windows 11 22H2 for ARM64-based Systems
- Microsoft Windows 11 22H2 for x64-based Systems
- Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
- Microsoft Windows 10 22H2 for x64-based Systems
- Microsoft Windows 10 22H2 for 32-bit Systems
- Microsoft Windows 10 22H2 for ARM64-based Systems
- Microsoft Windows 11 21H2 for ARM64-based Systems
- Microsoft Windows 11 21H2 for x64-based Systems
- Microsoft Windows Server (Server Core installation) 2022 23H2
- Microsoft Windows 11 23H2 for ARM64-based Systems
- Microsoft Windows 11 23H2 for x64-based Systems
Indicators of Compromise
MD5
- b042b2a8981a94b7afe680d94808e9f8
- d06e91a847f4303ca417ec131ac8c038
- 1006ad7046f065da16102c3cb5e6bcb9
- 3b33cead1847d254bb4d0e614c32a9b8
- c90b04b9184f91575d4f12320b4a65ab
SHA-256
- c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66
- 89caa1568fcff162086dae91e6bd34fd04facba50166ebff800d45a999d0be8b
- ff44e502bd5ea36e17b3fc39b480e65971b36002f27fb441e4acadd6bf604a20
- b37ec923451dd15a0f68df0b392b0f1b243fe50c709de9e574ac14cf6fabdd53
- 568b4b868b225f06bb34da0dc23603c9dedccc2b319353407c814983d5322563
SHA-1
- 52e8602e9137b2e02802512be143bb537cb8d56e
- 1af9adbed06118b6bff63dd65859b0b59b55b4bb
- 4b3a104f1546211c912e1a69c929f800a1e9ceb7
- db9eb5ab2c843aa106f1a517e71640617f85838c
- d2b43ce36084da8bae5b9394927e8463f7545d79
URL
- http://51.79.185.145/pdf/data2.zip/pdf2.cpl
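As an added example that is not part of the advisory, the Python script below turns the indicators listed above into a sweep a responder could run: it hashes every file under a directory with all three algorithms in a single pass and compares the digests against the listed MD5, SHA-1 and SHA-256 values, and it scans proxy or firewall log lines for the listed URL and its host. The hash and URL values are copied from the advisory; the sample proxy log lines are constructed.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Hash and URL indicators copied from the advisory above.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "b042b2a8981a94b7afe680d94808e9f8", "d06e91a847f4303ca417ec131ac8c038",
        "1006ad7046f065da16102c3cb5e6bcb9", "3b33cead1847d254bb4d0e614c32a9b8",
        "c90b04b9184f91575d4f12320b4a65ab",
    },
    "sha1": {
        "52e8602e9137b2e02802512be143bb537cb8d56e", "1af9adbed06118b6bff63dd65859b0b59b55b4bb",
        "4b3a104f1546211c912e1a69c929f800a1e9ceb7", "db9eb5ab2c843aa106f1a517e71640617f85838c",
        "d2b43ce36084da8bae5b9394927e8463f7545d79",
    },
    "sha256": {
        "c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66",
        "89caa1568fcff162086dae91e6bd34fd04facba50166ebff800d45a999d0be8b",
        "ff44e502bd5ea36e17b3fc39b480e65971b36002f27fb441e4acadd6bf604a20",
        "b37ec923451dd15a0f68df0b392b0f1b243fe50c709de9e574ac14cf6fabdd53",
        "568b4b868b225f06bb34da0dc23603c9dedccc2b319353407c814983d5322563",
    },
}
IOC_URLS = {"http://51.79.185.145/pdf/data2.zip/pdf2.cpl"}
IOC_HOSTS = {"51.79.185.145"}
# Match the host only as a whole dotted quad, not as a substring of another address.
HOST_RE = re.compile(r"(?<![\w.])(?:" + "|".join(re.escape(h) for h in IOC_HOSTS) + r")(?![\w.])")


def hash_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """One read of the file yields all three digests the advisory lists."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Return the algorithms whose value is a listed IOC (empty list if clean)."""
    return [algo for algo, value in digests.items() if value.lower() in IOC_HASHES.get(algo, set())]


def sweep_directory(root: Path) -> List[Tuple[Path, List[str]]]:
    """Hash every regular file under root and report those matching an IOC."""
    hits: List[Tuple[Path, List[str]]] = []
    for p in root.rglob("*"):
        if p.is_file():
            matched = match_digests(hash_file(p))
            if matched:
                hits.append((p, matched))
    return hits


def match_url_lines(lines: Iterable[str]) -> List[str]:
    """Flag log lines that reference the listed URL or its host."""
    return [line.rstrip() for line in lines
            if any(u in line for u in IOC_URLS) or HOST_RE.search(line)]


# Constructed proxy log lines (not real telemetry) for a quick self-check;
# the first one reproduces the URL indicator, the others are benign.
SAMPLE_PROXY_LOG = [
    "2024-01-16 10:02:10 10.0.0.5 GET http://51.79.185.145/pdf/data2.zip/pdf2.cpl 200",
    "2024-01-16 10:02:11 10.0.0.5 GET https://www.microsoft.com/ 200",
    "2024-01-16 10:02:12 10.0.0.5 GET http://151.79.185.145/ 404",
]

if __name__ == "__main__":
    for line in match_url_lines(SAMPLE_PROXY_LOG):
        print("URL IOC hit:", line)
    for path, algos in sweep_directory(Path(".")):
        print("hash IOC hit:", path, algos)
```

Hash digests are compared case-insensitively, and the host match is anchored so that an unrelated address ending in the same octets (the third constructed line) is not reported.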
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.