This devious new trojan exposes a flaw in Windows SmartScreen to drain victims’ bank accounts
Palo Alto Networks’ cybersecurity research division Unit 42 recently discovered a new malware variant that targets users through a vulnerability in Windows SmartScreen.
Mispadu is an infostealer built on Delphi and attempts to extract sensitive information from victims’ endpoints, including banking details.
Last year, Mispadu operators collected approximately 90,000 bank account details, The Hacker News claims, citing Metabase Q reports.
Mispadu is after your data
Mispadu uses a flaw tracked as CVE-2023-36025, a serious security-feature bypass in Windows SmartScreen that Microsoft fixed in November last year. It carries a severity score of 8.8. The hackers exploit the flaw by creating a custom URL file or hyperlink that points to a malicious file, which allows the file to bypass SmartScreen’s warnings.
SmartScreen is a cloud-based anti-malware component that comes with multiple Microsoft products, starting with Windows 8 and including Edge.
“This exploit revolves around creating a specifically crafted Internet shortcut (.URL) file or hyperlink that points to malicious files that can bypass SmartScreen alerts,” Unit 42 researchers said in their report. “The bypass is simple and relies on a parameter that points to a network share, rather than a URL. The crafted .URL file contains a link to the network share of a threat actor with a malicious binary.”
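The detail in the quote above that matters for defenders is the shape of the artifact: a .URL Internet shortcut is a small INI-style text file, and the bypass described relies on its URL= entry pointing at a network share instead of a web address. The following Python script is an added example, not code from Unit 42 or from the article, that parses .URL file contents and flags any whose target resolves to a remote share, either as a UNC path or as a file:// URI with a non-local host. The sample shortcuts and the share hostname in them are constructed placeholders.

```python
"""Flag Internet shortcut (.URL) files whose target is a network share.

Added example for triage of .URL attachments; the sample shortcut bodies
below are constructed for illustration and the hostnames are placeholders,
not real indicators.
"""
import configparser
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample .URL contents, written the way Windows stores them
# (an [InternetShortcut] section with a URL= key).
SAMPLES: Dict[str, str] = {
    "benign_web": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "unc_share": "[InternetShortcut]\nURL=\\\\fileserver.example.invalid\\public\\setup.exe\n",
    "file_uri_remote": "[InternetShortcut]\nURL=file://fileserver.example.invalid/public/setup.exe\n",
    "file_uri_local": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    "no_target": "[InternetShortcut]\nIconIndex=0\n",
}

LOCAL_HOSTS = ("", "localhost", "127.0.0.1")


def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of a .URL file body, or None if it is missing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return None
    # configparser lower-cases option names, so "URL" and "url" both match.
    return parser.get("InternetShortcut", "URL", fallback=None)


def points_to_network_share(target: str) -> Tuple[bool, str]:
    """Classify a shortcut target; True when it resolves to a remote share."""
    t = target.strip()
    # Plain UNC syntax, in either backslash or forward-slash form.
    if t.startswith("\\\\") or t.startswith("//"):
        return True, "UNC path"
    parsed = urlparse(t)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        host = parsed.netloc.lower()
        if host not in LOCAL_HOSTS:
            return True, f"file URI with remote host {host}"
        return False, "file URI to local path"
    if scheme in ("http", "https"):
        return False, "web URL"
    return False, f"other scheme: {scheme or 'none'}"


def scan_shortcuts(samples: Dict[str, str]) -> Dict[str, dict]:
    """Run the classifier over a mapping of name -> .URL file body."""
    results: Dict[str, dict] = {}
    for name, body in samples.items():
        target = shortcut_target(body)
        if target is None:
            results[name] = {"target": None, "flagged": False, "reason": "no URL= entry"}
            continue
        flagged, reason = points_to_network_share(target)
        results[name] = {"target": target, "flagged": flagged, "reason": reason}
    return results


if __name__ == "__main__":
    for name, r in scan_shortcuts(SAMPLES).items():
        print(f"{name:16} flagged={str(r['flagged']):5} {r['reason']} -> {r['target']}")
```

In a mail gateway or endpoint triage pipeline the same check would run over the bytes of any .URL attachment before the user can open it; a shortcut whose target is a share on a host the organisation does not own is worth quarantining regardless of whether SmartScreen would have warned.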
Mispadu only targets victims in Latin America, it added, with the latest campaign mainly endangering users in Mexico.
Mispadu is certainly not the only malware that abuses the SmartScreen flaw. Earlier this year, in late January, experts warned that the Phemedrone Stealer was exploiting the same flaw to extract sensitive data. Trend Micro researchers say this malware harvests information stored in web browsers, cryptocurrency wallets and messaging platforms such as Telegram, Steam and Discord. It also takes screenshots and collects hardware, location and operating system data. The stolen information is then sent to the attackers via Telegram or their command-and-control (C&C) server.