
Windows PCs targeted by dangerous new threat that even gets around Defender - and even though there's a fix, you could still be at risk

Be on the lookout for Phemedrone Stealer hitting Windows devices


News By Sead Fadilpašić published 15 January 2024

Windows PCs are being targeted with a new threat that is capable of working around its Defender antivirus solution, experts have warned.

Named Phemedrone Stealer, the malware steals sensitive data from the compromised device, such as passwords and authentication cookies, and leaks it to the attackers, according to a new report from cybersecurity researchers Trend Micro. 

As per the report, the malware looks for sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It can also take screengrabs, and siphon out data on hardware, location, and the operating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server. 

A patch is available

The malware leverages a vulnerability that was recently discovered in Microsoft Windows Defender SmartScreen. It's tracked as CVE-2023-36025 and carries a vulnerability score of 8.8/10. Described as a Windows SmartScreen security feature bypass vulnerability, this flaw allows threat actors to work around Defender SmartScreen checks and the associated warning prompts. To abuse the flaw, an attacker would need to craft a custom Internet Shortcut (.URL) file, or a hyperlink that points to such a shortcut, and get the victim to interact with it.
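Because the lure in this chain is an Internet Shortcut file, a defender triaging suspicious attachments can parse the .URL format directly. The helper below is an added example for this article, not code from Trend Micro, Microsoft or the malware authors; its heuristic (a shortcut target that is not a plain http/https link deserves a closer look) and its sample files are assumptions constructed for the demo.

```python
# Added triage helper for this article (not Trend Micro's or Microsoft's code):
# parses Windows Internet Shortcut (.URL) files and flags targets that are not
# plain http/https links. The heuristic is an assumption, not a vendor rule.
import configparser
from typing import Optional
from urllib.parse import urlsplit

def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # .URL keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:  # no section header, malformed line, etc.
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None

def assess_target(target: str) -> Optional[str]:
    """Return a reason if the target looks unusual for a web link, else None."""
    if target.startswith("\\\\") or target.startswith("//"):
        return "target is a UNC/network path rather than a web URL"
    scheme = urlsplit(target).scheme.lower()
    if scheme in ("http", "https"):
        return None
    if not scheme:
        return "target has no URL scheme (local or relative path)"
    return f"target uses non-web scheme '{scheme}:'"

def triage(files: dict) -> list:
    """Return (path, target, reason) tuples for shortcuts worth a closer look."""
    findings = []
    for path, text in files.items():
        target = parse_internet_shortcut(text)
        if target is None:
            findings.append((path, "", "no [InternetShortcut] URL= entry"))
        elif (reason := assess_target(target)):
            findings.append((path, target, reason))
    return findings

# Constructed sample shortcuts for the demo; not real campaign artifacts.
SAMPLE_FILES = {
    "benign.url": "[InternetShortcut]\nURL=https://example.com/\n",
    "share.url": "[InternetShortcut]\nURL=\\\\203.0.113.5\\share\\document\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/document.txt\n",
    "broken.url": "not a shortcut at all\n",
}
```

Calling `triage(SAMPLE_FILES)` returns the three non-benign entries with their reasons; feed it the contents of quarantined .URL files read as text to get the same output on real samples.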

Microsoft patched the flaw in mid-November 2023; however, hackers are still on the lookout for vulnerable devices that haven't been patched, so applying the fix is highly recommended. In fact, the evidence of in-the-wild use has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

“It has come to public attention that various demos and proof-of-concept codes have been circulated on social media, detailing the exploitation of CVE-2023-36025,” Trend Micro explained in its writeup. 

“Since details of this vulnerability first emerged, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.”
