TLDR:
The Mispadu banking Trojan has been found to exploit a Windows SmartScreen security flaw to target users in Mexico. The malware, which was first observed in 2019, is spread through phishing emails and infects victims in the Latin American region. The attacks use rogue internet shortcut files contained within fake ZIP archive files to bypass the SmartScreen warnings. Once launched, Mispadu targets victims based on geographic location and system configurations, establishing contact with a command-and-control server for data exfiltration. Mexico has been a popular target for various cybercrime campaigns in the last year.
Key Points:
- The Mispadu banking Trojan is exploiting a Windows SmartScreen security flaw to target users in Mexico.
- The malware is spread through phishing emails and infects victims in the Latin American region.
- Rogue internet shortcut files contained within fake ZIP archive files are used to bypass SmartScreen warnings.
- Mispadu selectively targets victims based on geographic location and system configurations.
- Mexico has been a top target for multiple cybercrime campaigns in the past year.
The Mispadu banking Trojan has joined the ranks of cybercriminals exploiting a now-patched flaw in Windows SmartScreen. Cybersecurity researchers from Palo Alto Networks Unit 42 have identified a new variant of the Mispadu malware that is specifically targeting users in Mexico. Mispadu, a Delphi-based information stealer, has been active since 2019 in the Latin American region and is typically spread via phishing emails.
The latest attacks observed by Unit 42 use rogue internet shortcut files contained within bogus ZIP archive files. These files take advantage of an exploit known as CVE-2023-36025, a high-severity bypass flaw in Windows SmartScreen that was patched by Microsoft in November 2023. The flaw allows the malware to create a specially crafted internet shortcut or hyperlink that references a network share containing malicious files, bypassing SmartScreen’s warnings.
Once launched, Mispadu selectively targets victims based on geographic location (Americas or Western Europe) and system configurations. It then establishes contact with a command-and-control server for further data exfiltration. This latest exploit is part of a larger trend of cybercrime groups targeting Mexico with information stealers and remote access trojans.
Over the past year, Mexico has seen an increase in campaigns targeting the hospitality and travel sectors with malware such as AllaKore RAT, AsyncRAT, and Babylon RAT. These attacks are believed to be carried out by a financially-motivated group known as TA558, which has been active in the Latin American region since 2018.
The discovery of Mispadu’s use of the Windows SmartScreen flaw comes at the same time as other cybersecurity news. French cybersecurity firm Sekoia has detailed the workings of DICELOADER, a custom downloader used by the Russian e-crime group FIN7. DICELOADER has been observed being delivered via malicious USB drives in the past. Additionally, AhnLab has uncovered two new malicious cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miner malware.