Analytics Story: Phemedrone Stealer

Date: 2024-01-24 ID: 386f64dd-657b-4dcf-8eb3-5e297d30924c Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities.

Why it matters

Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Any Powershell DownloadFile	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Any Powershell DownloadString	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Download Files Using Telegram	Ingress Tool Transfer	TTP
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Schtasks scheduling job on remote system	Scheduled Task, Scheduled Task/Job	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Windows Credentials from Password Stores Chrome Extension Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome LocalState Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome Login Data Access	Query Registry	Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services	IP Addresses, Gather Victim Network Information	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 15	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4663	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html

Source: GitHub | Version: 2