Windows SmartScreen flaw exploited to drop Phemedrone malware
January 15, 2024
https://www.bleepingcomputer.com/ne...en-flaw-exploited-to-drop-phemedrone-malware/

"A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows security prompts when opening URL files."

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
January 12, 2024
https://www.trendmicro.com/en_ae/re...-for-defense-evasion-in-phemedrone-steal.html

"During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of the malware, Phemedrone Stealer."

"Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server. This open-source stealer is written in C# and is actively maintained on GitHub and Telegram."

...

"Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer."
Yes, I read about it. But what they sadly enough don't explain is whether it can also bypass Win Defender. And they also don't explain why the built-in Windows firewall can't block it with default settings.
I would assume anything that can bypass SmartScreen would bypass Defender as well. I would think they use the same definitions/rules. And a default Windows Firewall isn't going to stop you from clicking any link or downloading any file. And it doesn't stop outbound traffic.
Shouldn't "The Microsoft Defender flaw exploited in the Phemedrone campaign is CVE-2023-36025, which was fixed during the November 2023 Patch Tuesday...." mean that if you did get infected, your Windows wasn't up to date? Or did the CVE-2023-36025 patch not work as intended?
That would be a faulty assumption as MS Defender relies primarily on cloud-based protection with machine learning, AI, etc. https://learn.microsoft.com/en-us/m...rosoft-defender-antivirus?view=o365-worldwide
Yes, I'm not so sure about this, because SmartScreen is basically a simple whitelist based on reputation from what I understood. But in this case it's likely that Win Defender was bypassed anyway, since it can't always spot infostealers. Win Defender depends too much on the cloud. And what I meant is, why doesn't MS beef up the built-in firewall? They could easily make a whitelist for trusted apps. And powershell.exe shouldn't be one of the trusted processes, obviously. Yes, I believe this is fixed.
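The thread's point about the default firewall (outbound allowed, no per-app whitelist, powershell.exe trusted) can be tested and changed by an admin today. The script below is an added example written for this thread, not code from any of the posters or from the linked articles; the display names and rule set are my own choices, and the powershell.exe paths are the standard 64-bit and 32-bit locations on a default install.

```powershell
# Run from an elevated PowerShell session. Requires the NetSecurity module (built into Windows 8+/Server 2012+).
# Step 1: show what the poster above is describing - by default every profile allows all outbound traffic.
function Get-OutboundPosture {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
}

# Step 2: flip the default to block outbound, then explicitly allow only trusted programs.
# Caveat: do this on a test machine first; anything not whitelisted (updaters, VPN clients,
# line-of-business apps) loses network access until you add a rule for it.
function Set-OutboundWhitelist {
    param(
        # Constructed sample whitelist; replace with the programs you actually trust.
        [string[]] $TrustedPrograms = @(
            "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
            "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
        )
    )
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    foreach ($exe in $TrustedPrograms) {
        $name = "Whitelist outbound - " + (Split-Path $exe -Leaf)
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe -Action Allow | Out-Null
        }
    }
}

# Step 3: even without a full whitelist, an explicit block rule stops powershell.exe from
# reaching out (e.g. to fetch a second-stage payload). Block rules win over allow rules,
# so this holds regardless of the profile default. Both the 64-bit and the SysWOW64 copies
# are covered; expect breakage for scripts that legitimately download or call web APIs.
function Block-PowerShellOutbound {
    $paths = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    )
    foreach ($exe in $paths) {
        $name = "Block outbound - " + $exe
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe -Action Block | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName "Block outbound - *" |
        Get-NetFirewallApplicationFilter | Select-Object Program
}

Get-OutboundPosture
Block-PowerShellOutbound
# Set-OutboundWhitelist   # opt in only after reviewing the trusted list
```

None of this replaces installing the November 2023 fix for CVE-2023-36025 mentioned above; it only limits what a stealer that has already run can send out, and only through a blocked process (a payload launched via another interpreter or a signed binary is not covered by the powershell.exe rule).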