Numerous Chromium-based browsers and apps, including Google Authenticator, Microsoft Authenticator, LastPass, NordPass, KeePass, and Duo Mobile, have been targeted by Phemedrone for exfiltration of geolocation information, operating system details, and other telemetry, a report from Trend Micro revealed. Initial compromise has been enabled by malicious Internet Shortcut files, which when downloaded trigger the execution of scripts that would prevent SmartScreen from warning users that they are under attack. "Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism," said researchers, which added the various techniques have also been used by the information-stealing malware to bypass detection.
Threat Intelligence
Novel infostealer spread via Windows Defender SmartScreen flaw
Attacks leveraging an already patched Windows Defender SmartScreen bypass flaw, tracked as CVE-2023-36025, have been launched to facilitate the distribution of the novel Phemedrone Stealer malware, according to The Register.
Numerous Chromium-based browsers and apps, including Google Authenticator, Microsoft Authenticator, LastPass, NordPass, KeePass, and Duo Mobile, have been targeted by Phemedrone for exfiltration of geolocation information, operating system details, and other telemetry, a report from Trend Micro revealed. Initial compromise has been enabled by malicious Internet Shortcut files, which when downloaded trigger the execution of scripts that would prevent SmartScreen from warning users that they are under attack. "Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism," said researchers, which added the various techniques have also been used by the information-stealing malware to bypass detection.
Numerous Chromium-based browsers and apps, including Google Authenticator, Microsoft Authenticator, LastPass, NordPass, KeePass, and Duo Mobile, have been targeted by Phemedrone for exfiltration of geolocation information, operating system details, and other telemetry, a report from Trend Micro revealed. Initial compromise has been enabled by malicious Internet Shortcut files, which when downloaded trigger the execution of scripts that would prevent SmartScreen from warning users that they are under attack. "Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism," said researchers, which added the various techniques have also been used by the information-stealing malware to bypass detection.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds