Mispadu Banking Trojan Bypasses Windows Shield, Targets Mexican Banks

Analysts at Palo Alto Networks have issued a warning about the banking trojan Mispadu, exploiting a recent vulnerability to bypass Windows SmartScreen and compromise users in Mexico.

This malware variant, identified in 2019, has been recently detected and continues to spread via phishing emails. Mispadu is a stealer, developed in Delphi, predominantly targeting users in Latin American (LATAM) countries.

In March 2023, Metabase Q discovered that since August 2022, Mispadu operators had collected at least 90,000 credentials from various banking accounts.

As Palo Alto Networks specialists report, the identified infection chain leverages malicious shortcut files within ZIP archives, exploiting the CVE-2023-36025 issue (rated 8.8 on the CVSS scale) to circumvent Windows SmartScreen.

It’s noteworthy that Microsoft addressed this bug in November 2023, reporting that the vulnerability allowed an Internet Shortcut malicious shortcut to bypass security checks and associated warnings.

“This exploit revolves around the creation of a specifically crafted internet shortcut file (.url) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” the researchers explained. “The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .url file contains a link to a threat actor’s network share with a malicious binary.”

Mispadu meticulously selects its victims, focusing on their geographic location (America or Western Europe) and system configuration, then establishes contact with a control server for subsequent data theft.

It’s significant to mention that in recent months, the CVE-2023-36025 vulnerability has been repeatedly exploited by malware. For instance, operators of the DarkGate and Phemedrone malware have armed themselves with this bug, stealing confidential data from infected machines and delivering additional payloads to victims’ systems.