Mispadu Banking Trojan Exploits Patched Windows SmartScreen Flaw

February 5, 2024

The Mispadu banking Trojan, first observed in 2019, has been updated to exploit a previously patched Windows SmartScreen security bypass flaw, targeting users in Mexico. This new variant, propagated via phishing emails, has been part of a larger family of Latin American banking malware. According to a report published by Palo Alto Networks Unit 42, Mispadu has already harvested 90,000 bank account credentials since August 2022.

The malware leverages CVE-2023-36025, a high-severity bypass flaw in Windows SmartScreen, which was addressed by Microsoft in November 2023. As security researchers Daniela Shalev and Josh Grunzweig explained, "This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings. The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor's network share with a malicious binary."

Once launched, Mispadu selectively targets victims based on their geographic location and system configurations, and then establishes contact with a command-and-control (C2) server for data exfiltration. In recent months, the Windows flaw has been exploited by multiple cybercrime groups to deliver DarkGate and Phemedrone Stealer malware. Mexico has also been a prime target for several campaigns that propagate information stealers and remote access trojans like AllaKore RAT, AsyncRAT, Babylon RAT.

A financially-motivated group known as TA558 has been attacking the hospitality and travel sectors in the Latin American region since 2018. In addition, the Russian e-crime group known as FIN7 has been using DICELOADER, a custom downloader, delivered via malicious USB drives. The French cybersecurity firm Sekoia detailed the inner workings of DICELOADER and noted its sophisticated obfuscation methods to conceal the C2 IP addresses and the network communications.

Finally, AhnLab discovered two new malicious cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miner malware that mines Monero and Zephyr.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.