The worst nightmare of many Windows users is beginning to make its way around the world: a piece of malware that Microsoft was thought to have stopped continues to wreak havoc. Worst of all, its attacks target many of the programs that most users rely on, from Telegram to Steam, including tools like FileZilla.
In November 2023, the fix for the Microsoft Defender vulnerability CVE-2023-36025 was published. At that point, security experts calmed down. But fresh news now makes it clear that we must not let our guard down. Although there is a fix for the vulnerability, attackers have discovered that a large number of users have not yet updated their computers, and all of them have become the perfect target.
Phemedrone Stealer Malware
The warning comes from the security firm Trend Micro, whose new findings help us understand how to act. The threat that has been detected is called Phemedrone Stealer, and it is malware with the ability to steal confidential information from the computers of infected users. This data is collected from a wide range of programs, including the ones we have already mentioned and many others that we will discuss later.
The risk is so high because the information theft it carries out also copies cookies, passwords and login names, cryptocurrency wallets and other information stored in the user's browser. It can even take screenshots of the machine. The stolen data is sent to the attackers through a C&C server or through Telegram. From there it is in their hands, and they can use it to their advantage to carry out further attacks.
It is still very dangerous
We told you that a patch was issued months ago to combat the infection, but the problem is that the attackers have seen that it is not being installed as widely as it should be. Therefore, they continue to use a strategy in which a .URL file is used to infect computers. And although you might think that distributing these files would be complicated, the reality is that they are using a wide range of channels to get their way. Furthermore, running the file does not trigger the Microsoft Defender SmartScreen warning window, so the system is not alerted.
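The article describes the delivery vector only at a high level: a .URL (Internet Shortcut) file that, on unpatched systems, opens without the SmartScreen prompt. From a defender's side, the useful counterpart is a triage step that inspects .URL files found in mail attachments or download folders before anyone double-clicks them. The script below is an added example written for this page, not code from Trend Micro or from the article; it parses the standard `[InternetShortcut]` INI layout and flags targets that a web shortcut has no legitimate reason to have (non-web schemes, UNC paths, remote `file://` hosts, executable extensions). The sample shortcut contents and the 203.0.113.5 address are constructed for the example (TEST-NET-3), and the extension list and thresholds are the author's own choices, not taken from the article.

```python
"""Static triage of Windows .URL (Internet Shortcut) files.

Flags shortcuts whose target is something other than an ordinary http(s)
web page, which is the sort of .URL file a stealer dropper would ship.
Constructed example for this page; thresholds are the author's assumptions.
"""
import os
from urllib.parse import urlparse

# Extensions a web shortcut should never point at (assumed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".cpl", ".msi", ".bat", ".cmd", ".js", ".vbs",
                   ".hta", ".scr", ".ps1", ".lnk", ".dll"}


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = (line[1:-1].lower() == "internetshortcut")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(text):
    """Return a list of human-readable findings for one .URL file's contents.

    An empty list means the shortcut looks like a plain web link.
    """
    fields = parse_url_file(text)
    findings = []
    target = fields.get("url", "")
    if not target:
        findings.append("no URL= field in [InternetShortcut]")
        return findings

    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if target.startswith("\\\\"):
        # A UNC path makes Windows fetch the target from a remote share.
        findings.append("UNC path target")
    elif scheme not in ("http", "https"):
        findings.append("non-web scheme: %s" % (scheme or "none"))
    if scheme == "file" and parsed.netloc:
        findings.append("file:// target on remote host %s" % parsed.netloc)

    # Check the extension of whatever the shortcut ultimately opens.
    path = parsed.path if scheme else target
    ext = os.path.splitext(path)[1].lower()
    if ext in EXEC_EXTENSIONS:
        findings.append("executable target extension: %s" % ext)

    # IconFile can also reference a remote location; treat that as a signal too.
    icon = fields.get("iconfile", "")
    if icon.startswith("\\\\") or icon.lower().startswith(("http://", "https://", "file://")):
        findings.append("IconFile points at a remote location")
    return findings


def is_suspicious(text):
    """Boolean convenience wrapper around triage()."""
    return bool(triage(text))


if __name__ == "__main__":
    # Constructed sample shortcuts (not real malware artefacts).
    benign = "[InternetShortcut]\nURL=https://example.com/docs\n"
    remote_exe = ("[InternetShortcut]\n"
                  "URL=file://203.0.113.5/share/update.exe\n"
                  "IconFile=\\\\203.0.113.5\\share\\icon.ico\n")
    for name, sample in (("benign", benign), ("remote_exe", remote_exe)):
        print(name, "->", triage(sample) or "clean")
```

Run it over every `*.url` file pulled from a mail gateway or a user's Downloads folder and quarantine anything that returns findings; a genuine bookmark produced by dragging a page out of a browser never points at a share, an executable or a `file://` host.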
The list is chilling, although the level of risk is not the same for each of the tools that serve as a source of stolen data. In Chromium-based browsers, it steals passwords, stored cookies, autofill records, and everything linked to extensions such as Google Authenticator, Microsoft Authenticator, or LastPass. The FileGrabber component is able to access the files that users keep on the Desktop and in other folders such as Documents, while from FileZilla it can read all the stored connection records and the respective FTP addresses.
Additionally, Gecko-based browsers such as Firefox and all the data stored in them are also at risk. From Discord it steals authentication tokens, from Steam files linked to the installation, and from Telegram the documents in the "tdata" folder. In addition, several cryptocurrency wallets are also included in the list of affected services, notable among them Electrum, Atom or Exodus, among others.
On top of this, the moment the malware sneaks onto a user's computer, it is also capable of transmitting vital system information to the attackers: not only the operating system in use, but also the geolocation of the computer, which is quite worrying even on machines with antivirus. Therefore, specialists recommend that the update that patches the CVE-2023-36025 vulnerability be applied as soon as possible, especially since its exploitation is becoming increasingly popular among attackers.