Rise of Mispadu Trojan Puts Windows SmartScreen Security at Risk

The threat actors behind the Mispadu banking Trojan are among the more recent dangers: the malware not only exploits a flaw in Windows SmartScreen but also puts users in Mexico at risk.

According to Palo Alto Networks Unit 42, these attacks involve a new variant of the malware, which was first observed in 2019.

Mispadu is a Delphi-based information stealer distributed through phishing emails that primarily infects victims in Latin America. In March 2023, Metabase Q disclosed that Mispadu spam campaigns had harvested nearly 90,000 bank account credentials since 2022.

Mispadu is also considered part of the larger family of LATAM banking malware, alongside Grandoreiro, which Brazilian law enforcement authorities dismantled last week.

Unit 42 identified a more advanced infection chain that uses rogue internet shortcut files contained in bogus ZIP archives. These files leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity flaw in Windows SmartScreen that Microsoft addressed in November 2023.

As security researchers Daniela Shalev and Josh Grunzweig put it, “This exploitation revolves around the generation of a particularly crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that are able to bypass SmartScreen's warnings. The bypass is certainly easy and depends on a parameter that references a network share, rather than a URL. The crafted .URL file comprises a link to a threat actor's network share with a malicious binary.”
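A defender-side check for the pattern described above, added here as an example and not code from Unit 42 or the article: it parses .URL shortcut files and flags any target that points at a network share (a bare UNC path or a file:// URL with a remote host) instead of a web URL. The sample shortcut contents and the share.example.invalid host are constructed placeholders.

```python
"""Check Windows Internet Shortcut (.URL) files for targets that point at a
network share instead of a web URL, the pattern described for CVE-2023-36025.
Added example, not code from Unit 42 or the article; the shortcut contents and
the share.example.invalid host below are constructed placeholders."""
import re
from urllib.parse import urlparse

# Bare UNC path such as \\host\share\file.exe
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def shortcut_targets(text: str) -> list[str]:
    """Return every URL= value found under an [InternetShortcut] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                targets.append(value.strip())
    return targets


def is_network_share_target(target: str) -> bool:
    """True when the target refers to a remote share rather than an http(s) URL."""
    if UNC_RE.match(target):
        return True
    parsed = urlparse(target)
    if parsed.scheme.lower() != "file":
        return False
    host = parsed.netloc.lower()
    # file://host/share is remote; file:////host/share is a UNC path in file: form
    return host not in ("", "localhost") or parsed.path.startswith("//")


def flag_shortcut(text: str) -> list[str]:
    """Shortcut targets that should be quarantined or reviewed before execution."""
    return [t for t in shortcut_targets(text) if is_network_share_target(t)]


# Constructed samples: a normal web shortcut and two share-backed variants
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
FILE_URL = "[InternetShortcut]\r\nURL=file://share.example.invalid/public/invoice.exe\r\nIconIndex=3\r\n"
UNC_PATH = "[InternetShortcut]\r\nURL=\\\\share.example.invalid\\public\\invoice.exe\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("file_url", FILE_URL), ("unc_path", UNC_PATH)):
        print(name, "->", flag_shortcut(sample) or "no share target")
```

Run over .URL files extracted from inbound archives, a non-empty result is a signal worth alerting on, since a legitimate web shortcut has no reason to reference a remote share.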

Once installed, Mispadu reveals its true colors: it targets victims based on their geographic location and system configuration, then attempts to connect to a command-and-control (C2) server in order to exfiltrate follow-on data.

In recent months, multiple cybercrime groups have been observed exploiting Windows flaws at scale, chiefly to deliver the DarkGate and Phemedrone Stealer malware.

Meanwhile, Mexico has emerged as a top target for a range of campaigns that, over the past few years, have distributed data stealers and remote access trojans such as AllaKore RAT, AsyncRAT, and Babylon RAT. These include a financially motivated group dubbed TA558, which has been attacking the hospitality and travel sectors in the LATAM region since 2018.

In a related development, Sekoia has shared details on the inner workings of DICELOADER, a time-tested custom downloader also known as Lizar or Tirion that is used by the Russian e-crime group tracked as FIN7. It has previously been observed being delivered via malicious USB drives (BadUSB).

According to the French cybersecurity firm, a PowerShell script and other malware in the arsenal of the Carbanak RAT intrusion set drop DICELOADER, which uses sophisticated methods to conceal its C2 IP addresses and network communications.

The findings also follow AhnLab's discovery of two new malicious cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miner malware that mines Monero and Zephyr.
