New Mispadu banking Trojan exploits Windows SmartScreen flaw

The threat actors behind the Mispadu banking Trojan have become the latest group to exploit a now-patched Windows SmartScreen security bypass vulnerability to compromise users in Mexico.
Palo Alto Networks Unit 42 said in a report released last week that the attacks involved new variants of malware first observed in 2019.
Mispadu is a Delphi-based information-stealing program spread through phishing emails that specifically infects victims in the Latin America (LATAM) region. In March 2023, Metabase Q revealed that the Mispadu spam campaign had harvested no fewer than 90,000 bank account credentials since August 2022.
It is also part of a large family of banking malware in Latin America, including Grandoreiro, which was taken down by Brazilian law enforcement agencies last week.

The latest infection chain identified by Unit 42 uses rogue Internet shortcut files packed inside fake ZIP archives to exploit CVE-2023-36025 (CVSS score: 8.8), a high-severity security bypass in Windows SmartScreen that Microsoft patched in November 2023.
“This vulnerability revolves around creating a specially crafted Internet shortcut file (.URL) or hyperlink to a malicious file to bypass SmartScreen warnings,” security researchers Daniela Shalev and Josh Grunzweig said.
“The bypass is simple and relies on parameters referencing a network share, rather than a URL. The crafted .URL file contains a link to the threat actor’s network share, which contains the malicious binary.”
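As an added defensive example (not code from the original article or from Unit 42's report): a small Python scanner that opens a ZIP archive, parses every .URL member and flags shortcuts whose target is a network share or a file:// location rather than a web URL, which is the characteristic the researchers describe. The archive contents, the file names and the 203.0.113.10 address are constructed placeholders.

```python
"""Flag Internet shortcut (.URL) files inside a ZIP whose target is a network
share (UNC path) or file:// location instead of an http(s) URL."""
import configparser
import io
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample shortcut contents; the share address is a placeholder.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/page\r\n"
SUSPECT_URL = "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\update.exe\r\n"


def shortcut_target(data: bytes) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        # utf-8-sig drops a leading BOM, which Windows often writes.
        cp.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_network_share_target(target: str) -> bool:
    """True when the target points at a UNC share or a remote file:// path."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # bare UNC path such as \\host\share\payload.exe
    p = urlparse(t)
    if p.scheme.lower() != "file":
        return False
    # file://host/share/x or file:////host/share/x both name a remote share.
    return bool(p.netloc) or p.path.startswith("//")


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, target) for each .URL member pointing at a share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = shortcut_target(zf.read(info))
            if target and is_network_share_target(target):
                hits.append((info.filename, target))
    return hits


def build_sample_zip() -> bytes:
    """Construct an in-memory archive with one benign and one suspect .URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url", BENIGN_URL)
        zf.writestr("factura.url", SUSPECT_URL)
        zf.writestr("readme.txt", "no shortcut here")
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see only `factura.url` reported; the same check can be applied to .URL attachments at a mail gateway before a user ever double-clicks them.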
Once launched, Mispadu reveals its true colors by selectively targeting victims based on their geographic location (i.e. the Americas or Western Europe) and system configuration, then establishes contact with command-and-control (C2) servers to conduct follow-up operations such as data exfiltration.
In recent months, the same Windows flaw has been widely exploited by multiple cybercriminal groups to spread the DarkGate and Phemedrone Stealer malware.
Mexico has also been a prime target for several campaigns over the past year that have been found spreading information stealers and remote access Trojans such as AllaKore RAT, AsyncRAT, and Babylon RAT. Among them is a financially motivated group called TA558, which has been attacking the hotel and tourism industry in Latin America since 2018.

The development comes as Sekoia details the inner workings of DICELOADER (also known as Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. This malware has been observed spreading via malicious USB flash drives (so-called BadUSB devices) in the past.
“DICELOADER is delivered by a PowerShell script together with other malware from the intrusion set, such as the Carbanak RAT,” the French cybersecurity company said, noting that its sophisticated obfuscation methods hide C2 IP addresses and network communications.
Separately, AhnLab also discovered two new malicious cryptocurrency mining campaigns that used booby-trapped files and game hacks to deploy mining malware that mined Monero and Zephyr.
from Tech Empire Solutions https://techempiresolutions.com/new-mispadu-banking-trojan-exploits-windows-smartscreen-flaw/
via https://techempiresolutions.com/