Executing the .url file opens a connection to an attacker-controlled server to download and execute a Control Panel item (.cpl) file. Under normal conditions, Microsoft Defender SmartScreen should raise warnings and security prompts before a .url file from an untrusted source is executed.
“The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism,” according to the post. “Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files.”
The malicious .cpl file is then executed through the Windows Control Panel process binary to launch the final Phemedrone dropper, along with a few other steps to establish persistence. Once launched, Phemedrone initializes its configuration and decrypts critical items and credentials from targeted applications on the infected system, including Chromium browsers, crypto wallets, Discord, FileGrabber, FileZilla, System Info, Steam, and Telegram.
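As an added, defender-side illustration (not code from the article or from Trend Micro), the following check scans constructed Sysmon-style process-creation records for the T1218.002 pattern described above: control.exe being handed a .cpl that does not live in a system directory, or that is fetched over a UNC path. The event fields, sample paths and the list of trusted .cpl directories are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry). Index 0 is benign,
# 1 loads a .cpl from a user temp directory, 2 loads one from a remote share.
EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Local\Temp\update item.cpl"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" \\203.0.113.5\share\item.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allow-list: .cpl applets shipped with Windows live here.
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Split a Windows command line into arguments, keeping quoted paths intact.
_ARG = re.compile(r'"[^"]*"|\S+')


def cpl_argument(cmdline):
    """Return the first .cpl path on the command line (quotes stripped), or None."""
    for tok in _ARG.findall(cmdline):
        tok = tok.strip('"')
        if tok.lower().endswith(".cpl"):
            return tok
    return None


def classify(event):
    """Return a reason string if the event looks like .cpl abuse via control.exe, else None."""
    if PureWindowsPath(event["Image"]).name.lower() != "control.exe":
        return None
    cpl = cpl_argument(event["CommandLine"])
    if cpl is None:
        return None
    low = cpl.lower()
    if low.startswith("\\\\"):
        return f"control.exe loading .cpl from remote UNC path: {cpl}"
    if not low.startswith(TRUSTED_CPL_DIRS):
        return f"control.exe loading .cpl outside system directories: {cpl}"
    return None


def scan(events):
    """Return (index, reason) pairs for every event that classify() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```

Running `scan(EVENTS)` flags the temp-directory and UNC cases and leaves the built-in timedate.cpl launch alone.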
Exploitation despite patch
Microsoft fixed CVE-2023-36025 as part of its November 2023 Patch Tuesday release and recommended that users update immediately, as the bug was already under heavy active exploitation.
“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types,” Trend Micro said. “Public proof-of-concept exploit code exists on the web, increasing the risk to organizations that have not yet updated to the latest patched version.”
Trend Micro recommends immediately updating Windows installations to patched versions and deploying effective XDR tools to consistently detect, scan, and block malicious content.