This blog post is taken from the Phemedrone Stealer Technical Analysis report, which is also available for download as a PDF.
Executive Summary
Phemedrone stealer malware distinguishes itself through its advanced mechanisms for evading detection, its capability to extract a wide range of sensitive data—including passwords, financial information, and personal identification details—and its flexible architecture that allows it to be updated by its operators to counter cybersecurity measures. Its distribution mode often involves phishing campaigns, malicious attachments, or exploiting software vulnerabilities, making it a formidable threat to individual users and organizations.
This technical analysis report aims to dissect the Phemedrone stealer malware, offering insights into its operational framework, distribution methods, and the nature of the data it targets. By delving into its technical characteristics, we seek to understand the malware’s behavior, its interaction with infected systems, and how it communicates with command and control (C2) servers.
Phemedrone, which has been distributed through advertising and known security vulnerabilities in campaigns observed since August 2023, can easily be extended with new features and capabilities thanks to its modular structure.
In addition to sensitive browser data such as history, cookies, autofill entries, and credit card information, it also targets various browser extensions, wallets, and popular applications such as Telegram, Steam, and Discord.
No dedicated exfiltration protocol is used: the collected data is packed into a ZIP archive and sent to the attacker via Telegram. Apart from basic anti-analysis checks, we did not observe any effort to establish persistence on the system or otherwise hinder analysis.
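The report states that the stealer hands its ZIP archive to the operator over Telegram. The following detection sketch is an added example (not code from the Brandefense report) showing how such an upload surfaces in egress proxy logs. It assumes Telegram's documented Bot API endpoint shape (`api.telegram.org`, `/bot<token>/sendDocument`); the key=value log format, process names, sizes and every log line are constructed for this example and are not observed traffic.

```python
"""Flag Telegram Bot API document uploads in egress proxy logs (added example)."""
import re

# Constructed sample lines in a simple key=value proxy format (not real traffic).
SAMPLE_LOG = """\
ts=2024-01-23T10:01:02Z src=10.0.0.15 host=www.example.org method=GET path=/index.html process=chrome.exe bytes=512 ctype=-
ts=2024-01-23T10:02:17Z src=10.0.0.15 host=api.telegram.org method=POST path=/bot123456789:EXAMPLETOKENVALUE/sendDocument process=system.exe bytes=2381772 ctype=multipart/form-data
ts=2024-01-23T10:03:40Z src=10.0.0.22 host=api.telegram.org method=POST path=/bot987654321:ANOTHERTOKEN/sendMessage process=telegram.exe bytes=310 ctype=application/json
ts=2024-01-23T10:04:01Z src=10.0.0.30 host=api.telegram.org method=GET path=/bot555:X/getUpdates process=python.exe bytes=200 ctype=-
"""

# Bot API file upload: /bot<bot_id>:<secret>/sendDocument (documented Telegram endpoint).
BOT_DOCUMENT_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendDocument$")


def parse_line(line):
    """Turn one 'key=value key=value' proxy line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def redact_token(token):
    """Keep the numeric bot id (useful for pivoting) but never log the secret part."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def bot_document_token(event):
    """Return the bot token if the event is a POST to sendDocument, else None."""
    if event.get("host") != "api.telegram.org" or event.get("method") != "POST":
        return None
    match = BOT_DOCUMENT_RE.match(event.get("path", ""))
    return match.group("token") if match else None


def detect(log_text, min_bytes=100_000):
    """Return one alert per Bot API document upload, scored by exfil-like traits.

    Score: 1 for the upload itself, +1 if the body is large enough to carry an
    archive of harvested data, +1 if it is a multipart (file) upload.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        token = bot_document_token(event)
        if token is None:
            continue
        size = int(event.get("bytes", 0))
        multipart = event.get("ctype", "").startswith("multipart/form-data")
        alerts.append({
            "ts": event.get("ts"),
            "src": event.get("src"),
            "process": event.get("process"),
            "token": redact_token(token),
            "bytes": size,
            "score": 1 + int(size >= min_bytes) + int(multipart),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Legitimate Bot API traffic from user workstations is rare in most environments, so the host-plus-path match alone is a reasonable hunting query; the size and multipart heuristics only rank the hits. The token is redacted before it reaches the alert store, because a leaked bot token would let anyone read the exfiltrated archives from the same channel.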
Scope
| Field | Value |
| --- | --- |
| Filename | system.exe |
| Filetype | Win32 EXE |
| Written Language | .NET |
| MD5 | cd185658b5cf51fb294218ada2f624e1 |
| SHA1 | 96c8758b3fe24fa31b17e65237e6b1df8e2c0f54 |
| SHA256 | 8873bffb719dfe5a4fdba98f04bb61c079eb678c93079851cd34ebadcc9e2e26 |
| First Seen / Detection Date | 2024-01-23 |
| Initial Infection Vector | Exploit Public-Facing Application, Phishing |
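The hashes in the Scope table are the report's file indicators. As an added example (not code from the Brandefense report), the script below hashes every file under a directory once with all three algorithms and reports matches against those indicators; the `demo()` function builds a constructed placeholder file and a constructed indicator set so the flow can be exercised offline without the real sample.

```python
"""Hash-based triage against the Phemedrone file indicators (added example)."""
import hashlib
import os
import tempfile

# Indicators copied verbatim from the Scope table of the report.
PHEMEDRONE_IOCS = {
    "md5": "cd185658b5cf51fb294218ada2f624e1",
    "sha1": "96c8758b3fe24fa31b17e65237e6b1df8e2c0f54",
    "sha256": "8873bffb719dfe5a4fdba98f04bb61c079eb678c93079851cd34ebadcc9e2e26",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def digest_bytes(data):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for an in-memory blob."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Same as digest_bytes but streams the file so large binaries are read once."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=PHEMEDRONE_IOCS):
    """Return the algorithms on which the digests equal the indicator values."""
    return [algo for algo, value in iocs.items() if digests.get(algo) == value]


def scan_directory(root, iocs=PHEMEDRONE_IOCS):
    """Return [(path, matched_algorithms)] for every matching file under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(digest_file(path), iocs)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if matched:
                hits.append((path, matched))
    return hits


def demo():
    """Constructed end-to-end run: a placeholder file matched on a constructed IoC."""
    with tempfile.TemporaryDirectory() as tmp:
        # File name taken from the report; the content is a harmless placeholder.
        sample = os.path.join(tmp, "system.exe")
        with open(sample, "wb") as fh:
            fh.write(b"constructed placeholder content, not the real sample")
        constructed_iocs = {"sha256": digest_file(sample)["sha256"]}
        return scan_directory(tmp, constructed_iocs)


if __name__ == "__main__":
    for path, algos in demo():
        print(f"match on {algos}: {path}")
```

Hashing with all three algorithms in a single pass matters when sweeping large file shares: the I/O cost dominates, and feeds frequently publish only one of MD5, SHA1 or SHA256 for a given sample, so matching on any of them avoids a second read.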
MITRE ATT&CK Threat Matrix
- TA0001 – Initial Access
  - T1566 – Phishing
- TA0002 – Execution
  - T1204 – User Execution
  - T1569 – System Services
- TA0005 – Defense Evasion
  - T1497 – Virtualization/Sandbox Evasion
- TA0007 – Discovery
  - T1016 – System Network Configuration Discovery
  - T1497 – Virtualization/Sandbox Evasion
  - T1614 – System Location Discovery
  - T1518 – Software Discovery
- TA0009 – Collection
  - T1560 – Archive Collected Data
- TA0011 – Command and Control
  - T1573 – Encrypted Channel
- TA0010 – Exfiltration
  - T1048 – Exfiltration Over Alternative Protocol
Conclusion
Mitigation Strategies
- Use multi-factor authentication (MFA) and limit user privileges based on roles to minimize the malware’s spread and impact.
- Regularly update operating systems, applications, and antivirus software to protect against known vulnerabilities.
- Immediately disable any user accounts that are suspected of being compromised.
- Force a password reset for all user accounts, especially those that were compromised or have elevated privileges.
You can find the IoCs and YARA rules in the Brandefense GitHub repository.