Hackers exploit Windows Defender SmartScreen flaw to spread data stealer malware

published: Jan. 12, 2024

Take action: Apply Windows updates (the fix for CVE-2023-36025 shipped in Microsoft's November 14, 2023 security update) and keep Microsoft Defender current. Treat unexpected messages with suspicion, and treat any Internet Shortcut (.url) file sent to you as hostile until proven otherwise; there is rarely a legitimate reason for someone to send you one.

Learn More

A malware campaign has been discovered exploiting CVE-2023-36025 (CVSS score 8.8, high severity), a security-feature-bypass vulnerability in Microsoft Windows Defender SmartScreen. The flaw lets attackers use crafted Internet Shortcut (.url) files to skip the SmartScreen warning that would normally appear before untrusted content runs. Despite a patch released by Microsoft on November 14, 2023, the vulnerability remains a popular tool for attackers and is listed in CISA's Known Exploited Vulnerabilities catalog.

The flaw is being used to distribute the Phemedrone Stealer malware. This malware is designed to extract a variety of sensitive data, and its infection chain starts with malicious .url files hosted on cloud services, often hidden behind URL shorteners. Opening one of these files triggers the CVE-2023-36025 bypass, and the download of the malware follows without the usual SmartScreen prompt.

Internet Shortcut files, commonly known by their ".url" extension, are small INI-style text files used primarily on Windows to create shortcuts to web pages: an [InternetShortcut] section with a URL= line naming the target, which Windows opens when the file is double-clicked. Nothing restricts that target to a web address, which is why a .url file can do more than open a browser tab.
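The following Python script, added here as an illustration and not part of the original article or of any vendor tooling, shows how to parse a .url file and triage its target before anyone double-clicks it. The three sample files and the shortener list are constructed for the demo; the rules flag the two patterns the article describes (targets hidden behind URL shorteners, and targets that are not ordinary web pages).

```python
import configparser
from urllib.parse import urlparse

# Redirect services that hide the real destination. Constructed starter list
# for the demo; extend it with whatever your proxy logs show in use.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}

# Constructed sample .url files (not artifacts from the campaign).
BENIGN = """[InternetShortcut]
URL=https://learn.microsoft.com/
IconIndex=0
"""

SHORTENED = """[InternetShortcut]
URL=https://bit.ly/3abcXYZ
"""

NON_WEB = """[InternetShortcut]
URL=file://203.0.113.10/share/update
"""


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut, or None if absent.

    .url files are INI text: the [InternetShortcut] section carries the
    target in a URL= key. Interpolation is disabled so '%' in URLs is kept.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg.get("InternetShortcut", "URL", fallback=None)


def triage(text):
    """Classify a .url file as ('benign' | 'suspicious', reason)."""
    target = parse_url_file(text)
    if target is None:
        return ("suspicious", "no URL= key in [InternetShortcut]")

    parts = urlparse(target)
    scheme = parts.scheme.lower() or "<none>"
    host = (parts.hostname or "").lower()

    # Anything but http/https is handed to the shell rather than the browser,
    # so file://, UNC paths and other schemes are never a plain web shortcut.
    if scheme not in ("http", "https"):
        return ("suspicious", f"non-web scheme {scheme}: target {target!r}")

    # A shortener means the visible link says nothing about where it lands.
    if host in SHORTENERS:
        return ("suspicious", f"shortener {host} hides the real destination")

    return ("benign", f"plain web target on {host}")


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("shortened", SHORTENED), ("non-web", NON_WEB)):
        print(name, "->", triage(sample))
```

Run this over mail attachments or a download directory before users open them; the point of the scheme check is that a .url file whose target is not an http(s) URL has no reason to exist in ordinary correspondence.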

The campaign is primarily active on social media, where the attackers distribute seemingly harmless .url files. Once opened, the shortcut reaches out to a GitHub repository that delivers the shellcode used to download and execute the malicious payload. This technique exploits user trust and slips past spam filters and other protections because github.com is a domain that is almost always allowed.

The malware packs the stolen data into a ZIP archive and sends it to the attackers over Telegram.
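Exfiltration over Telegram is a detection opportunity: the Bot API is reached via https://api.telegram.org/bot<id>:<token>/<method>, and a file upload uses a method such as sendDocument. The script below, added here as an example and not part of the article or of any product, scans constructed proxy log lines for such uploads and pulls out the bot ID for blocking and hunting. The log format (timestamp, client, method, URL, status, bytes out) and the token value are invented for the demo.

```python
import re
from urllib.parse import urlparse

# Telegram Bot API path shape: /bot<numeric id>:<token>/<method>
BOT_CALL = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")

# Methods that carry a file body; a stolen ZIP leaves via one of these.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log (not real telemetry):
# timestamp client method url status bytes_out
PROXY_LOG = """\
2024-01-12T09:14:02Z 10.0.0.23 GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getMe 200 311
2024-01-12T09:14:07Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200 184320
2024-01-12T09:15:11Z 10.0.0.41 GET https://learn.microsoft.com/ 200 9120
"""


def find_telegram_uploads(log_text):
    """Return one dict per Bot API upload seen in the proxy log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, bytes_out = line.split()
        u = urlparse(url)
        if (u.hostname or "").lower() != "api.telegram.org":
            continue
        m = BOT_CALL.match(u.path)
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        hits.append({
            "time": ts,
            "client": client,
            "bot_id": m.group("bot_id"),      # safe to log and block on
            "method": m.group("method"),
            "bytes_out": int(bytes_out),      # size of what left the network
        })
    return hits


if __name__ == "__main__":
    for hit in find_telegram_uploads(PROXY_LOG):
        print(f"{hit['time']} {hit['client']} uploaded {hit['bytes_out']} bytes "
              f"via {hit['method']} to bot {hit['bot_id']}")
```

The path is only visible where the proxy terminates TLS; without inspection you see just the api.telegram.org hostname, and the fallback is to alert on any connection to it from endpoints that have no business use for Telegram bots.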

Users are advised to keep the operating system and applications up to date, to treat Internet Shortcut files with caution, to deploy additional security controls where possible, and to stay alert to phishing and social engineering.
