Update your Windows: Hackers exploit vulnerabilities to steal Bitcoin and cryptocurrencies

TrendMicro, a cybersecurity company, has made a worrying discovery for cryptocurrency investors using Windows. A critical vulnerability in Windows Defender SmartScreen, identified as CVE-2023-36025, is being actively exploited by hackers.

The flaw allows systems to be infected with a new type of malware called Phemedrone Stealer, which focuses on data from web browsers, cryptocurrency wallets and messaging apps such as Telegram, Steam and Discord.

According to the company, Phemedrone is dangerous because it can be easily installed on the system, collect detailed system information, take screenshots and send stolen data to hackers.

The malware, developed in C# and maintained on GitHub and Telegram, exploits the flaw by creating Internet shortcut (.url) files that download and run malicious scripts, bypassing Windows Defender scans.

CVE-2023-36025 (Image: TrendMicro)

Cryptocurrency users are at risk

Although Microsoft released a Windows update to address the vulnerability in November 2023, the continued exploitation of the vulnerability indicates that users have not installed the patch and are still at risk.

As hackers continue to spread the malware on social media and Telegram groups, the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its list of warnings and Known Exploited Vulnerabilities (KEV).

Basically, all a user has to do to be affected is click on a malicious link, as the infection takes place via URLs, which are often hosted on services such as Discord, FileTransfer.io and disguised with URL shorteners.

Once a user opens the .url file, it initiates a complex infection process, including running a Control Panel file (.cpl) to bypass Windows Defender security warnings.
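As an added illustration of how a defender can triage the Internet shortcut files described above (this is example code written for this article, not TrendMicro's tooling), the script below parses the INI-style .url format and flags shortcuts whose target is a .cpl or script file, a UNC/file path, or a link behind a URL shortener. The extension list, the shortener host list and the sample shortcut contents are assumptions constructed for the example.

```python
"""Triage scanner for Windows Internet Shortcut (.url) files.

Constructed example for this article; not TrendMicro's code.  A .url file
is an INI-style text file with an [InternetShortcut] section and a URL= key.
The checks below mirror the infection chain the article describes: a
shortcut whose target is a remote .cpl or script file, or a shortened link.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from pathlib import Path
from urllib.parse import urlparse

# Assumption: extensions a shortcut target should normally never carry.
SUSPICIOUS_EXTENSIONS = {".cpl", ".ps1", ".vbs", ".js", ".hta", ".bat",
                         ".cmd", ".exe", ".dll", ".scr"}
# Assumption: a short illustrative list of URL-shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}


@dataclass
class UrlShortcut:
    url: str | None
    keys: dict[str, str]
    findings: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.findings else "clean"


def parse_url_file(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section.

    Section names and keys are folded to lower case; a UTF-8 BOM, blank
    lines and ';' / '#' comment lines are ignored.
    """
    keys: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def triage(text: str) -> UrlShortcut:
    """Parse one .url file's text and attach findings for a human to review."""
    keys = parse_url_file(text)
    url = keys.get("url")
    result = UrlShortcut(url, keys)
    if url is None:
        result.findings.append("no URL= key in [InternetShortcut] section")
        return result

    is_unc = url.startswith("\\\\")
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    # Normalise backslashes so splitext works for UNC and URL paths alike.
    path = (url if is_unc else parsed.path).replace("\\", "/")
    ext = posixpath.splitext(path)[1].lower()

    if is_unc or scheme == "file":
        result.findings.append("target is a UNC or file:// path")
    if ext in SUSPICIOUS_EXTENSIONS:
        result.findings.append(f"target ends in executable/script extension {ext}")
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        result.findings.append(f"target is behind URL shortener {host}")
    return result


def scan_directory(root: str | Path) -> dict[str, UrlShortcut]:
    """Triage every *.url file under root; returns path -> result."""
    results: dict[str, UrlShortcut] = {}
    for p in Path(root).rglob("*.url"):
        results[str(p)] = triage(p.read_text(encoding="utf-8", errors="replace"))
    return results


# Constructed sample shortcut contents (not real samples).
CLEAN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
CPL_URL_FILE = ("[InternetShortcut]\r\n"
                "URL=http://example.invalid/files/invoice.cpl\r\nIconIndex=0\r\n")
SHORT_URL_FILE = "[InternetShortcut]\r\nURL=https://bit.ly/CONSTRUCTED\r\n"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_URL_FILE), ("cpl", CPL_URL_FILE),
                         ("shortener", SHORT_URL_FILE)]:
        r = triage(sample)
        print(f"{name}: {r.verdict} {r.findings}")
```

Point `scan_directory` at a user's Downloads folder or a mail-attachment quarantine to list shortcuts that deserve a look; the verdict is a triage hint, not a malware classification, so review the flagged URL before acting on it.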

The malware then starts sending data to the hackers, including important information about the affected system, covering aspects such as geolocation, hardware specifications, web data statistics, and system security features.

Exfiltrated Data URL Decoded Summary Report (TrendMicro)

Affected cryptocurrency wallets

The company recommended that businesses and Windows users immediately update their systems to the latest version that contains the patch for the critical vulnerability.

If the Windows Defender flaw goes unpatched, it could leave users vulnerable to a variety of malware attacks, including stealing cryptocurrency and computer data.

“The malware extracts files from various cryptocurrency wallet applications such as Armory, Atomic, Bytecoin, Coninomi, Jaxx, Electrum, Exodus and Guarda,” says TrendMicro.

CVE-2023-36025 stolen data

It is worth remembering that last year a Brazilian YouTuber lost R$180,000 after downloading software on the Internet, and another YouTuber lost R$100,000 after downloading pirated software. Therefore, users are advised to update their systems.

The malware also collects data including passwords, cookies, and autofill information stored in apps such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile and Microsoft Authenticator, among others.

This means that once the user is infected, all of their information can be stolen, and not just limited to digital assets. With access to victims’ passwords, hackers can gain access to brokerage accounts and drain cryptocurrencies.

TrendMicro also recommends that users avoid opening .url files and shortened links, especially those received from unverified sources, as hackers use link shorteners and file hosting services to spread malware.

Source: Live Coins