How hackers are exploiting a Windows SmartScreen vulnerability to spread malware

If you use a Windows computer, it’s time to update it yet again — before hackers get to you with the latest Windows malware threat. Phemedrone is an open-source malware that targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram and Discord. And, this time, it’s getting to ordinary Windows users simply by getting around antivirus via Windows SmartScreen.

If that sounded like a lot of jibber-jabber, let’s break down what this means exactly, how it works, and what else you need to know so you don’t end up a victim of this clever malware scam.

 

What is Windows SmartScreen?

Before we detail this specific threat, let’s talk about Windows SmartScreen. Windows SmartScreen is a cloud-based, anti-phishing, and anti-malware component found in many Microsoft products, and it determines whether or not a website is potentially malicious to protect users from downloading harmful viruses to their devices. It does this by analyzing webpages and identifying suspicious behavior that could be indicative of malicious sites, apps, and files that could be potentially downloaded.

It has several tactics that it uses to make this determination. Still, essentially if and when it does, it will notify the user via Windows SmartScreen, showing you a warning on the page that lets you know whatever you’re about to do could be dangerous.

Credit: Microsoft Tech Community

 

MORE: WATCH OUT FOR THIS NEW MALICIOUS RANSOMWARE DISGUISED AS WINDOWS UPDATES  

 

How hackers got past Windows SmartScreen

Unfortunately, a vulnerability in Windows Defender known as CVE-2023-36025 was discovered and exploited by hackers back in November 2023, allowing bad actors to sneak past Windows Defender SmartScreen. It did this by hosting the malicious URL — which was shortened to be less suspicious — on a trusted cloud provider, like Discord or Filetransfer.io, though didn’t mention exactly how users were tricked into doing it. After all, this is a sophisticated hack.

Windows recognized these to be safe, while hackers were able to turn off the prompt that would otherwise enable Windows SmartScreen to pop up. As long as someone clicked the URL, Windows SmartScreen didn’t see it as harmful and, therefore, did not give a warning to users.

What would happen after this is that the victim would unknowingly download a control panel item (.cpl) file from a command-and-control, which allows hackers to essentially communicate with and control the device that they’ve compromised. Once they’re in, they launch a PowerShell loader, which grabs a PDF ZIP file labeled “Secure.pdf.” But, that’s no secure PDF…that’s a sneaky file disguising the Phemedrone malware. Then, boom. It’s on your device. And, this is what would happen next.

 

MORE: BEST DESKTOP COMPUTERS FOR 2024 | BEST LAPTOPS FOR 2024 

 

What is this malware capable of?

The type of malware in this particular threat is known as Phemedrone, and no, it’s not the name of medicine — it’s a new open-source malware that has the main goal of stealing data stored in web browsers, funds from your cryptocurrency wallets, and other data, including password managers like LastPass. It can even steal cookies, autofill data, and browser data, as well as any other files and folders on your computer that the hacker wants access to.

And, that’s not all. This malware is also capable of:

  • Collecting system information (hardware, OS, geolocation) and making screenshots
  • Grabbing Discord authentication tokens and files related to Steam and Telegram authentication-related file
  • Capturing connection details and credentials for FileZilla (a free FTP solution)

 

MORE: WHY THAT FREE WINDOWS DOWNLOAD COULD COST YOU MORE THAN YOU BARGAINED FOR 

 

Do software updates regularly to stay safe from threats

Now, the reason you’re here — to protect yourself. New threats are coming out every day as hackers become more savvy and find more loopholes to exploit. But, in the case of this specific threat, Windows patched it up already and introduced the protection in a software update. This means that all you need to do is keep up with your software updates on Windows to protect yourself, which you’d be surprised how many people forget to do or ignore altogether. These software updates are important in keeping you safe, not just from this threat, but any others that may come your way.

Additionally, remember not to open or click on any links or files that you don’t know to be legit. Of course, hackers find sneaky ways to convince you that a link can be trusted even when it’s malicious. But, stick to downloading files and apps from trusted browsers and app stores, and think twice before clicking on links in messaging apps.

 

Always have strong antivirus software on all your devices

An effective antivirus software is a must-have. It’s the best to help stop and alert you of any malware in your system, warn you against clicking on any malicious links in phishing emails, and ultimately protect you from being hacked.  The best way to protect yourself from having your data breached is to have antivirus protection installed on all your devices. Having good antivirus software allows you to be resilient against growing attacks like Phemedrone malware by actively running on your devices. 

Special for CyberGuy Readers:  My #1 pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.  

Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.

 

Kurt’s key takeaways

Well, the biggest takeaway from this is that you can never be 100% safe online. Even the tools that are meant to protect you — like Windows SmartScreen — can be exploited from time to time. So, stay vigilant and have good antivirus software running on all your devices.

When was the last time you did a software update? How do you decide when it’s time to perform an update? Let us know in the comments below.

FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

 

Copyright 2024 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.

Related posts

Best last minute holiday gifts

Understanding brushing scams and how to protect yourself

From TikTok to trouble: How your online data can be weaponized against you