CVE-2023-36025

Vulnerability updated 3 months ago (2024-08-14T09:33:38.062Z)

Download STIX

Preview STIX

CVE-2023-36025 is a significant vulnerability identified in the Windows SmartScreen security feature. It was one of three zero-day vulnerabilities discovered, with the others being CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library, and CVE-2023-36036, another privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver. This flaw allows threat actors to bypass security measures when a user executes a malicious Internet Shortcut (.url) file. Despite Microsoft issuing a patch for this vulnerability in November 2023, it continues to be exploited by malware distributors. The exploitation of CVE-2023-36025 has been linked to various malware campaigns, including the delivery of powerful info-stealers such as DarkGate, Phemedrone Stealer, and Mispadu. In particular, a variant of the Phemedrone Stealer has been actively exploiting this flaw, leveraging it to bypass Windows security prompts when opening URL files. Researchers at Trend Micro were among those who discovered and reported this flaw to Microsoft, highlighting its critical nature due to its ability to affect all supported Windows versions. Given the public disclosure of technical details and the existence of proof-of-concept exploit code on the web, organizations are at an increased risk if they have not updated their systems to the latest patched version. To mitigate the risk posed by the Microsoft Windows Defender SmartScreen Bypass (CVE-2023-36025), organizations are strongly urged to update their Microsoft Windows installations. The continued exploitation of this vulnerability underlines the importance of timely system updates and robust cybersecurity practices.

Description last updated: 2024-08-14T08:44:38.188Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Microsoft

Malware

Windows

Exploit

Trojan

Styx

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Phemedrone Stealer Malware is associated with CVE-2023-36025. Phemedrone Stealer is a malicious software (malware) that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. It was observ	Unspecified	6
The Phemedrone Malware is associated with CVE-2023-36025. Phemedrone is a type of malware, or malicious software, that can infiltrate systems through various channels such as suspicious downloads, emails, or websites. Once inside a system, it can wreak havoc by stealing personal information, disrupting operations, or even holding data hostage for ransom. I	Unspecified	5
The Mispadu Malware is associated with CVE-2023-36025. Mispadu is a malicious software (malware) that has been used to exploit and damage computer systems, often infiltrating the system through suspicious downloads, emails, or websites. It was first uncovered by Eset in 2019, who detailed its theft of money and credentials from Spanish- and Portuguese-s	Unspecified	2
The Darkgate Malware is associated with CVE-2023-36025. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Battleroyal Threat Actor is associated with CVE-2023-36025. BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen	Unspecified	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-36033 Vulnerability is associated with CVE-2023-36025. CVE-2023-36033 is a high-severity privilege escalation vulnerability discovered in the Windows Desktop Window Manager (DWM) Core Library. This flaw was detected as one of the zero-days being exploited in the wild, along with two other vulnerabilities (CVE-2023-36025 and CVE-2023-36036). An attacker	Unspecified	2
The vulnerability CVE-2023-36036 is associated with CVE-2023-36025.	Unspecified	2

Source Document References

Information about the CVE-2023-36025 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	3 months ago	'Styx Stealer' Blows Its Own Cover With Sloppy OpSec Mistake
Checkpoint	3 months ago	Unmasking Styx Stealer: How a Hacker's Slip Led to an Intelligence Treasure Trove - Check Point Research
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
CERT-EU	10 months ago	Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025)
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Checkpoint	4 months ago	Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) - Check Point Research
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini