Palo Alto Networks’ cybersecurity research arm Unit 42 recently discovered a new malware variant targeting users via a vulnerability in Windows SmartScreen
Mispadu is an infostealer built on Delphi, looking to extract sensitive information from victim endpoints, including banking details.
Last year Mispadu’s operators harvested roughly 90,000 bank account credentials, The Hacker News claimss, citing Metabase Q reports.
Mispadu is after your data
Mispadu works by exploiting a flaw tracked as CVE-2023-36025. It is a high-severity bypass flaw found in Windows SmartScreen that Microsoft fixed in November last year. It has a severity score of 8.8. The hackers abuse the flaw by creating a custom .URL file, or a hyperlink, which then points to a malicious file that can work around SmartScreen’s warnings.
SmartScreen is an anti-malware component, running from the cloud, which comes with multiple Microsoft products, from Windows 8 onward, and including Edge.
“This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” Unit 42 researchers said in their report. “The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor’s network share with a malicious binary.”
Mispadu only targets victims in Latin America, it was added, with the newest campaign compromising mostly users in Mexico.
The malware is hardly the only variant out there abusing the SmartScreen flaw. Earlier this year, in late January, experts were warning of the Phemedrone Stealer abusing the same flaw to extract sensitive data. Researchers from Trend Micro said this malware grabbed sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It also takes screengrabs, and siphons out data on hardware, location, and the operating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server.