Windows SmartScreen Bug Abused to Deploy Phemedrone Stealer

Diving into details

• By tricking users into clicking malicious links, the attackers facilitated the download of a control panel file (.cpl), which then initiated the Phemedrone Stealer.
• The malware targets web browsers, cryptocurrency wallets, and messaging apps to steal sensitive data and is delivered through malicious Internet Shortcut files.
• The stolen data is then sent to the attackers via Telegram or their C2 server. This open-source stealer is written in C# and is actively maintained on GitHub and Telegram.
• The malware uses a multi-stage infection chain with defense evasion techniques, such as DLL sideloading and dynamic API resolving, to achieve persistence and execute its payload.

Why this matters

• Malware like Phemedrone Stealer exemplifies the dynamic and complex nature of cyber threats, demonstrating the agility of cybercriminals in refining their methods by incorporating new exploits for critical flaws in commonly used software. 
• This situation sheds light on the interplay between open-source malware and publicly available proof-of-concept exploits, indicating a significant overlap in the time frame from the release of such proofs to their assimilation into malware attack strategies.

The bottom line