Hackers Exploiting Windows Defender SmartScreen Flaw | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

Hackers actively target and exploit Windows Defender SmartScreen to deceive users and deliver malicious content by creating convincing, misleading websites or applications. 

By evading SmartScreen, the threat actors increase the chances of their malicious content being executed on users’ systems to compromise security. 

This exploitation often involves the use of social engineering tactics to deceive users and bypass the protective features of SmartScreen.

Recently, cybersecurity researchers at Trend Micro discovered that hackers are actively exploiting the Windows Defender SmartScreen flaw, which is tracked as “CVE-2023-36025,” to hijack Windows machines.

Flaw profile

• CVE ID: CVE-2023-36025
• Description: Windows SmartScreen Security Feature Bypass Vulnerability
• Released: Nov 14, 2023
• Last updated: Nov 22, 2023
• CVSS:3.1 8.8 / 8.2

Hackers Exploiting Windows Defender SmartScreen

CVE-2023-36025 in Microsoft Windows Defender SmartScreen allows threat actors to exploit .url files that help in evading security checks. 

The demo codes on social media revealed their use in malware campaigns, including one with a Phemedrone Stealer payload.

To initiate Phemedrone Stealer, threat actors place malicious Internet Shortcut files on Discord or cloud services that are often disguised with URL shorteners. 

Exploiting CVE-2023-36025 makes the users unknowingly open crafted .url files, which help in evading Windows Defender SmartScreen. Executing the file connects to the attacker’s server, downloading and executing a control panel item (.cpl) using a Windows shortcut to bypass SmartScreen. 

Leveraging MITRE ATT&CK T1218.002 the hackers use the Windows Control Panel process to execute a malicious DLL that acts as a loader. The DLL calls on PowerShell to download and execute the next stage from GitHub by featuring an obfuscated loader named “DATA3.txt.” 

Besides this, researchers discovered that the PowerShell commands led to the download of a ZIP file from GitHub containing three files.

Here below we have mentioned those three files:-

• WerFaultSecure.exe
• Wer.dll
• Secure.pdf

The wer.dll file decrypts the second stage loader for persistence by creating scheduled tasks. Techniques like API hashing, string encryption, and VMProtect enhance the evasion mechanism. 

The loader sideloads using DLL spoofing which is executed by WerFaultSecure.exe that triggers the WerpSetExitListeners in wer.dll. 

Dynamic API resolves the hidden imports using CRC-32 hashing. XOR-based algorithms with dynamic key generation complicate string decryption. The second stage comes loaded in secure.pdf, decrypted using SystemFunction032 for RC4 decryption. 

AllocADsMem and ReallocADsMem allocate memory, and VirtualProtect modifies it to Executable-Read-Write. API callback functions redirect execution flow to the second stage by utilizing the CryptCATCDFOpen with the second stage’s Entry Point.

The attacker deployed the Donut second-stage loader, an open-source shellcode enabling the execution of various file types in memory.

Applications & Services Targeted

Here below, we have mentioned all the applications and services that are targeted by the malware:-

• Chromium-based browsers
• Crypto wallets
• Discord
• FileGrabber
• FileZilla
• Gecko
• System Information
• Steam
• Telegram

Despite CVE-2023-36025 patches the threat actors exploit it to bypass the Windows Defender SmartScreen with malware like “Phemedrone Stealer.” 

This case represents the connection between open-source malware and public exploits, highlighting the need for timely software updates and implementations of robust security solutions.

Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems – Free Demo.