Mispadu banker exploits bug in Windows SmartScreen

Palo Alto Networks analysts have warned of a new variant of the Mispadu banking trojan that is actively exploiting a recently discovered Windows SmartScreen bypass vulnerability to attack users in Mexico.

Mispadu itself has been known since 2019, but this variant is new and is still spreading via phishing emails. Written in Delphi, Mispadu mainly targets users in Latin American (LATAM) countries and is used for identity theft.

In March 2023, Metabase Q claimed that Mispadu operators were able to obtain at least 90,000 credentials from users’ bank accounts in a matter of months.

Palo Alto Networks has discovered a new infection chain that uses malicious shortcut files embedded in ZIP archives. This attack exploits the CVE-2023-36025 vulnerability (8.8 CVSS score) to bypass the Windows SmartScreen protection system.

Recall that Microsoft patched this vulnerability in November 2023. The bug allowed malicious Internet Shortcut (.URL) files to bypass security checks and the warnings associated with them.

“The exploit is based on creating a special shortcut file (.URL) or hyperlink that points to malicious files that can bypass SmartScreen prohibitions,” the researchers report. “The bypass is simple and is based on a parameter that refers to a network resource rather than a URL. That is, the malicious .URL file contains a link to the attacker’s network share with the malicious binary file.”
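A defender-side triage check for the pattern described above, added here as an example and not taken from the article or from the Unit 42 report: it parses the contents of an Internet Shortcut (.URL) file and flags any whose target resolves to a remote network share (a UNC path or a file:// URL with a remote host) instead of a web address. The sample file contents and the 203.0.113.10 host are constructed for illustration.

```python
from configparser import ConfigParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample .URL file contents (not from the article); the
# host 203.0.113.10 is a documentation (TEST-NET-3) address.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/login\n"
FILE_SCHEME_URL_FILE = "[InternetShortcut]\nURL=file://203.0.113.10/share/report.exe\n"
UNC_URL_FILE = "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\invoice.lnk\n"


def url_target(text: str) -> Optional[str]:
    """Return the URL= value of a .URL file (INI format), or None if absent."""
    parser = ConfigParser(interpolation=None)  # values may legitimately contain '%'
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return None
    return parser["InternetShortcut"].get("url")  # option names are case-insensitive


def points_to_network_share(url: str) -> bool:
    """True when the shortcut target is a remote share rather than a web address."""
    if url.startswith("\\\\"):  # UNC path of the form \\host\share\file
        return True
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file" and parsed.netloc not in ("", "localhost"):
        return True  # file://host/share/file also resolves to a remote share
    return False


def triage(text: str) -> dict:
    """Classify one .URL file's contents; flagged entries deserve a closer look."""
    target = url_target(text)
    if target is None:
        return {"target": None, "flagged": False, "reason": "no URL= entry"}
    if points_to_network_share(target):
        return {"target": target, "flagged": True,
                "reason": "shortcut resolves to a remote network share"}
    return {"target": target, "flagged": False, "reason": "web URL"}


if __name__ == "__main__":
    for sample in (BENIGN_URL_FILE, FILE_SCHEME_URL_FILE, UNC_URL_FILE):
        print(triage(sample))
```

In practice the same check would be run over .URL files extracted from ZIP email attachments in a sandbox or mail gateway, with flagged hits routed to analysts.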

Mispadu carefully selects its victims, paying attention to their geographical location (America or Western Europe) and system configuration, and then establishes a connection with the controlling server to steal data.

It is important to note that the CVE-2023-36025 vulnerability has been heavily exploited by various malware in recent months. For example, DarkGate and Phemedrone operators have already exploited this vulnerability to steal sensitive data from infected computers and deliver additional malicious payloads to victims’ systems.
