Hackers Deploying REMCOS RAT to Exploit Windows SmartScreen Zero-Day Flaws

Microsoft has issued a series of security patches as part of its Patch Tuesday initiative, addressing several vulnerabilities, including three zero-day vulnerabilities. Among these, CVE-2023-36025 stood out, impacting the Windows SmartScreen function.

This particular zero-day vulnerability, rated at 8.8 (High) in severity, was actively exploited by threat actors in real-world scenarios. Identified as a security bypass vulnerability, it necessitates user interaction for successful exploitation.

Windows SmartScreen Zero-day Flaw

The Windows SmartScreen Zero-day Vulnerability targets the SmartScreen feature, which typically warns users about potentially harmful websites and files. Exploiting this vulnerability enables threat actors to create specialized files or hyperlinks capable of circumventing SmartScreen's security alerts.

Notably, the vulnerability was specifically associated with a crafted Internet Shortcut File (.URL) that SmartScreen fails to validate adequately. 

An example of the exploit code is as follows:






In this instance, the URL directs to a malicious website, and the IconFile path may point to a network location under the threat actor's control. This combination allows threat actors to download malicious payloads and execute them on vulnerable systems.

Furthermore, the malicious file's initial distribution might occur through phishing emails or compromised websites. Users who download and click on the malicious internet shortcut file inadvertently trigger the payload, providing threat actors with unauthorized access.

It's important to note that a comprehensive proof of concept for this vulnerability has been published, offering detailed insights into the source code, methodology, and other pertinent information.