The cybersecurity community has recently identified a new threat known as Phemedrone Stealer, a sophisticated malware that exploits a vulnerability in Microsoft Windows Defender SmartScreen, CVE-2023-36025.
This malware has been designed to steal sensitive data, including credentials from multiple platforms and cryptocurrency wallet information.
Sophisticated Data Theft Tactics
Phemedrone Stealer is a . NET-compiled Trojan Stealer that employs advanced tactics to evade detection and harvest data from infected systems.
It uses a mutex checker to prevent multiple instances. It applies methods to avoid analysis by terminating processes if it detects a virtual machine environment or specific languages associated with the Commonwealth of Independent States (CIS).
Targeting Cryptocurrency Wallets
One of the most alarming capabilities of Phemedrone Stealer is its focus on cryptocurrency wallets.
It targets wallets such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda, attempting to extract sensitive data from specific directories that store transaction records, account information, and cryptographic keys.
The Splunk Threat Research Team has dissected the Phemedrone Stealer, providing insights into its configuration settings and operational patterns.
Command and Control Operations
After collecting data, Phemedrone Stealer organizes it into a zip file named in a specific format that includes the victim’s IP address and active user name, making it easier for attackers to sort through the stolen information.
The C2 server then receives this organized data, including screenshots, system information, and sensitive files from the compromised host.
Evasion and System Information Discovery
Phemedrone Stealer’s evasion techniques are particularly concerning. It checks for virtual machine identifiers and terminates if any are found.
System Information | Technique |
Get AV Product Installed Information | “root\SecurityCenter2”, “SELECT * FROM AntivirusProduct” |
Get CPU Information | “SELECT * FROM Win32_Processor” |
Get Geo Information | hxxp[://]ip-api[.]com/json/?fields=11827 |
Get GPU | “SELECT * FROM Win32_VideoController” |
Get Hardware Information | “SELECT * FROM Win32_Processor” “SELECT * FROM Win32_DiskDrive” |
Get Total RAM | “SELECT * FROM Win32_ComputerSystem” |
Windows | “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion” , “ProductName” |
Additionally, it collects detailed system information from the infected host, including installed antivirus products, CPU, GPU, and hardware information, as well as total RAM and Windows product names, using WMI commands and registry parsing.
Data Collection from Discord, Steam, and Browsers
The malware also targets data from applications like Discord and Steam, extracting account data and activities by querying specific registry keys and file names.
It has a specialized class for extracting data from web browsers, notably Chrome, where it locates critical files to decrypt and extract stored passwords and other sensitive information.
Chrome Extensions in the Crosshairs
Phemedrone Stealer targets specific Chrome extensions related to second-factor authentication, cryptocurrency management, and password management.
It collects information from these extensions and sends it back to its C2 server, potentially compromising sensitive user data.
Indicators and Detection Opportunities
The Splunk Threat Research Team has dissected the Phemedrone Stealer, providing insights into its configuration settings and operational patterns.
They have also developed a Python script, phemdrone_extractor_s.py, to extract configuration data from the malware and have identified over 150 configuration settings related to its campaign.
Phemedrone Stealer is a significant threat due to its ability to exploit a Windows SmartScreen flaw and sophisticated data theft techniques.
Its evasion tactics, targeted data collection, and organized exfiltration methods make it a formidable challenge for cybersecurity defenses.
The cybersecurity community is actively working to understand and mitigate this threat, but users and organizations must remain vigilant and ensure their systems are adequately protected against such sophisticated attacks.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.