New Mispadu Banking Trojan Exploits Windows SmartScreen Flaw

The threat actors behind the Mispadu banking trojan are the latest to exploit a now-patched Windows SmartScreen security flaw to compromise users in Mexico.

The attacks included a new variant of the malware first spotted in 2019, Palo Alto Networks Unit 42 said in a report published last week.

Distributed via phishing emails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American region (LATAM). In March 2023, Metabase Q revealed that Mispadu spam campaigns have collected no fewer than 90,000 bank account details since August 2022.

It is also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.

The latest infection chain identified by Unit 42 uses rogue Internet shortcut files in fake ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows SmartScreen. It was addressed by Microsoft in November 2023.

“This exploit revolves around creating a specially crafted Internet shortcut (.URL) file or hyperlink that points to malicious files that can bypass SmartScreen alerts,” security researchers Daniela Shalev and Josh Grunzweig said.

“The bypass is simple and relies on a parameter that points to a network share, rather than a URL. The crafted .URL file contains a link to the network share of a threat actor with a malicious binary.”
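The bypass described above leaves a recognisable artifact: an Internet shortcut whose `URL=` field names an SMB share (a UNC path or a `file://` URI with a remote host) rather than a web address. The following triage script is an added example, not code from Unit 42 or from the article; it parses the INI-style `.URL` format, classifies the target, and walks a ZIP archive in memory to flag shortcut entries pointing at network shares, the delivery shape the article attributes to the campaign. The sample shortcuts and the archive are constructed here, and the `203.0.113.x` addresses are documentation-range placeholders, not indicators from the report.

```python
import configparser
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Constructed sample Internet shortcuts. The format is INI-like with a
# single [InternetShortcut] section; only the URL= key matters here.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
IDList=
"""

# Shape of the lure the article describes: URL= points at an SMB share
# (UNC path) instead of a web address. Host is a placeholder address.
SUSPICIOUS_UNC_FILE = r"""[InternetShortcut]
URL=\\203.0.113.10\share\invoice.exe
IconFile=C:\Windows\System32\shell32.dll
IconIndex=3
"""

# Same idea expressed as a file:// URI with a remote host (placeholder).
SUSPICIOUS_FILE_URI = r"""[InternetShortcut]
URL=file://203.0.113.10/share/update.zip
"""

# \\host\share... (two leading backslashes, a host, then another backslash)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# file://host/... but not file:///local/path and not file://localhost/...
FILE_REMOTE_RE = re.compile(r"^file://(?!/)(?!localhost/)[^/]+/", re.IGNORECASE)


def parse_url_field(text: str) -> Optional[str]:
    """Return the URL= value of an Internet shortcut, or None if absent/malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    # configparser lower-cases option names, so "URL" and "url" both match.
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_target(url: str) -> str:
    """Classify a URL= value: 'unc_share', 'remote_file_uri', or 'other'."""
    value = url.strip()
    if UNC_RE.match(value):
        return "unc_share"
    if FILE_REMOTE_RE.match(value):
        return "remote_file_uri"
    return "other"


def build_sample_zip() -> bytes:
    """Constructed archive mixing benign and suspicious shortcut entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bookmark.url", BENIGN_URL_FILE)
        zf.writestr("Factura_0001.url", SUSPICIOUS_UNC_FILE)
        zf.writestr("readme.txt", "not a shortcut")
        zf.writestr("update.URL", SUSPICIOUS_FILE_URI)
    return buf.getvalue()


def scan_zip_bytes(data: bytes) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each .url entry in the archive to (verdict, URL= value)."""
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            target = parse_url_field(text)
            if target is None:
                findings[info.filename] = ("unparsed", None)
                continue
            findings[info.filename] = (classify_target(target), target)
    return findings


def flagged_entries(data: bytes) -> List[str]:
    """Sorted names of shortcut entries whose target is a network share."""
    verdicts = scan_zip_bytes(data)
    return sorted(
        name for name, (verdict, _) in verdicts.items()
        if verdict in ("unc_share", "remote_file_uri")
    )


if __name__ == "__main__":
    for name, (verdict, target) in scan_zip_bytes(build_sample_zip()).items():
        print(f"{name}: {verdict} -> {target}")
```

A shortcut whose target is a share is not malicious by itself (internal deployments do use UNC shortcuts), so the verdict is a triage signal to pair with the archive's origin, e.g. whether it arrived by e-mail, rather than a block decision on its own.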

Once launched, Mispadu reveals its true nature by selectively targeting victims based on their geographic location (i.e. the Americas or Western Europe) and system configuration, then establishes contact with a command-and-control (C2) server for follow-on data exfiltration.

In recent months, the Windows flaw has been exploited by multiple cybercrime groups to spread the DarkGate and Phemedrone Stealer malware.

Mexico has also become a top target in the past year for several campaigns found to be spreading information stealers and remote access trojans such as AllaKore RAT, AsyncRAT and Babylon RAT. This includes a financially motivated group called TA558, which has attacked the hospitality and travel sectors in the LATAM region since 2018.

The development comes as Sekoia has detailed the inner workings of DICELOADER (also known as Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. The malware has been observed being delivered via malicious USB drives (also known as BadUSB) in the past.

“DICELOADER is dropped by a PowerShell script along with other malware from the intrusion set’s arsenal, such as Carbanak RAT,” the French cybersecurity company said, noting its advanced obfuscation methods to hide the C2 IP addresses and network communications.

It also follows AhnLab’s discovery of two new malicious cryptocurrency mining campaigns using booby-trapped archives and game hacks to deploy mining malware that mines Monero and Zephyr.
