Hackers are always looking for clever ways to get around the best antivirus software so that they can successfully deliver malware, and now it appears they’ve figured out how to bypass one of the security mechanisms built into Windows Defender.
Even though you may not have heard of Windows SmartScreen before, you’re more than likely familiar with the feature. You see, when you download URL files online, there’s usually a security warning that pops up to let you know that these types of files may be dangerous. However, by exploiting this vulnerability in Windows SmartScreen, hackers can turn these prompts off entirely, resulting in more users opening their malicious files.
If you’re worried about accidentally downloading a dangerous file and infecting your own PC with malware, here’s everything you need to know about this new campaign along with some tips to help keep you safe online.
Bypassing SmartScreen to install malware
According to a new report from Trend Micro, other malware families in addition to Phemedrone have been abusing this Windows SmartScreen vulnerability to trick unsuspecting users into opening dangerous files.
One of the ways in which the hackers behind this and similar campaigns make their malicious files look less dangerous is by hosting them on trustworthy cloud services such as Discord or FileTransfer.io. They also URL shortener services to further disguise them.
After one of these malicious URL files is opened, it then downloads a control panel item (.cpl) file from a command-and-control (C&C) server run by the hackers behind this campaign. This is used to launch a PowerShell loader that fetches a malicious ZIP file that contains the Phemedrone malware disguised as a PDF file labeled “Secure.pdf.”
Once the Phemedrone malware is installed on a victim’s PC, it can harvest passwords, cookies and autofill data from Chromium-based browsers as well as a few of the best password managers including LastPass and KeePass. However, it can also steal funds from crypto wallets as well as files and folders stored on a victim’s PC.
How to stay safe from Windows malware
SmartScreen has already been patched. This means that updating your PC with the latest Windows security updates should be enough to keep you safe from any attacks exploiting this high-severity flaw.
Like they often do, hackers love to prey on users that have yet to update the best laptops and the best computers with the latest software. Even though it may seem annoying at times, installing updates from Microsoft as soon as they become available is one of the easiest ways to stay safe from hackers and other cybercriminals.
Since attacks like the one described above are able to bypass the best Windows antivirus software, it’s up to you to avoid downloading and trying to open potentially dangerous files. If you don’t pirate games or movies, you’re already off to a good start since a lot of malware is spread this way. Likewise though, you also want to be extra careful when downloading files from colleagues, friends and even your family. This is because hackers may have compromised their accounts and may be trying to use their contacts as a means to spread their malicious payloads even further.
For this reason, you want to stick to downloading files from trusted sites and sources as Google, Microsoft and other tech giants frequently scan files stored on the best cloud storage services for malware and other threats.
While the flaw in Windows SmartScreen may have been fixed, this likely isn’t the last we’ve seen of it as hackers will probably continue to exploit this vulnerability in their attacks even though it has already been patched.
More from Tom's Guide
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.