
Patched Windows SmartScreen bug actively exploited in Phemedrone infections

Execution of the .url file establishes a connection to an attacker-controlled server to download and execute a Control Panel item (.cpl) file. Ordinarily, Microsoft Defender SmartScreen should display warnings and security prompts before a .url file from an untrusted source is executed.

“The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism,” according to the post. “Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files.”

The malicious .cpl file is then executed through the Windows Control Panel process binary to launch the final Phemedrone dropper, along with a few other steps to establish persistence. Once launched, Phemedrone initializes its configuration and decrypts and extracts sensitive items and credentials from targeted applications on infected systems, including Chromium browsers, crypto wallets, Discord, FileGrabber, FileZilla, System Information, Steam, and Telegram.
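One way a defender can hunt for the delivery step described above, as an added example that is not part of the original article or of Trend Micro's research: a small Python filter over process-creation events that flags control.exe (T1218.002), or the rundll32.exe child it spawns, loading a .cpl from a network share or a user-writable directory instead of a Windows system directory. The event records and paths below are constructed sample data, and the `find_suspicious_cpl_loads` and `classify_cpl_path` names are this example's own.

```python
import re

# Matches a quoted or unquoted local drive path or UNC path ending in .cpl.
CPL_PATH = re.compile(r'"?((?:[a-z]:\\|\\\\)[^"]*?\.cpl)"?', re.IGNORECASE)

# Directories where legitimate Windows Control Panel applets live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Path fragments typical of user-writable drop locations (tune per environment;
# third-party applets installed under Program Files are deliberately not flagged).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Local\Temp\update.cpl"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" /name Microsoft.DateAndTime',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
     "parent": r"C:\Windows\System32\control.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "\\203.0.113.5\share\payload.cpl"',
     "parent": r"C:\Windows\System32\control.exe"},
]


def classify_cpl_path(path: str) -> str:
    """Classify where a .cpl being executed resides."""
    p = path.lower()
    if p.startswith("\\\\"):
        return "remote_unc"        # fetched from a network share / WebDAV server
    if p.startswith(SYSTEM_DIRS):
        return "system"            # expected location for built-in applets
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user_writable"     # dropped into a temp/profile directory
    return "other"


def find_suspicious_cpl_loads(events):
    """Return (process, cpl_path, verdict) for .cpl loads from untrusted locations."""
    alerts = []
    for ev in events:
        m = CPL_PATH.search(ev["cmdline"])
        if not m:
            continue
        verdict = classify_cpl_path(m.group(1))
        if verdict in ("remote_unc", "user_writable"):
            alerts.append((ev["image"].rsplit("\\", 1)[-1], m.group(1), verdict))
    return alerts
```

Run against the sample set, only the applet dropped in the user's Temp folder and the one loaded from the remote share are reported; the built-in timedate.cpl and the applet opened by canonical name are not.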


Exploitation despite patch

Microsoft fixed CVE-2023-36025 as part of its November 2023 Patch Tuesday and advised users to update immediately, as the bug was already under active exploitation.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” Trend Micro said. “Public proof-of-concept exploit code exists on the internet, increasing the risk to organizations who have not yet updated to the latest patched version.”

Trend Micro recommends immediately updating Windows installations to patched versions, and deploying effective XDR tools to continuously detect, scan, and block malicious content.
