Unit 42, the cybersecurity research arm of Palo Alto Networks, recently discovered a new malware variant targeting users through a vulnerability in Windows SmartScreen.
Mispadu is a Delphi-based information stealer that seeks to extract sensitive information from victims' endpoints, including banking details.
Last year, Mispadu operators collected approximately 90,000 bank account credentials, according to The Hacker News, citing research from Metabase Q.
Mispadu is after your data.
The delivery chain of the latest Mispadu campaign abuses CVE-2023-36025, a high-severity security feature bypass in Windows SmartScreen (CVSS score 8.8) that Microsoft patched in November 2023. Attackers craft an Internet shortcut (.URL) file, or a hyperlink, whose target is a malicious file; the crafted shortcut lets that file be opened without the SmartScreen warning that would normally be shown. Endpoints with the November 2023 security update applied are not exposed to this bypass, so the patch status of CVE-2023-36025 is the first thing to verify when triaging such a shortcut.
SmartScreen is a cloud-backed reputation check that warns users before they open downloaded files or visit sites flagged as malicious or phishing; it ships with Windows 8 and later and with Microsoft Edge.
“This exploit revolves around the creation of a specifically crafted Internet shortcut (.URL) file or hyperlink that points to malicious files that can bypass SmartScreen warnings,” Unit 42 researchers said in their report. “The bypass is simple and is based on a parameter that references a network share, rather than a URL. The created .URL file contains a link to the network share of a threat actor with a malicious binary.”
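As an added example (not code from Unit 42, Microsoft or the malware itself), the Python script below parses the [InternetShortcut] section of a .URL file and flags targets that reference a network share (a bare UNC path or a file:// host) rather than a web URL, which is the distinguishing feature of the crafted shortcuts described above. The sample shortcut bodies, the 203.0.113.x addresses and the share paths are constructed placeholders, not indicators taken from any report.

```python
"""Triage Internet shortcut (.URL) files for a network-share target.

Added example, not code from Unit 42, Trend Micro or Microsoft. The
shortcut bodies in SAMPLES are constructed for illustration; the
203.0.113.x addresses are documentation-range placeholders, not
indicators from any report.
"""
import configparser
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# File types that would normally trip a SmartScreen warning when launched
# from an Internet-sourced location.
EXECUTABLE_SUFFIXES = (
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta", ".cpl",
)


@dataclass
class Verdict:
    target: str            # raw URL= value from the shortcut
    network_share: bool    # target is a UNC or file:// share, not a web URL
    executable: bool       # target ends in an executable extension
    host: Optional[str]    # share host, when the target is a network share

    @property
    def suspicious(self) -> bool:
        # The bypass primitive is the share reference itself; an executable
        # on that share is what the campaigns delivered.
        return self.network_share


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; compared case-insensitively below
    try:
        cp.read_string(text.replace("\r\n", "\n"))  # .URL files use CRLF
    except configparser.Error:
        return None  # not INI-shaped, so not a .URL file
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in cp[section].items():
            if key.lower() == "url":
                return value.strip()
    return None


def classify_target(url: str) -> Verdict:
    """Decide whether a shortcut target references a network share."""
    # Bare UNC path: \\host\share\file (forward slashes also resolve on Windows).
    if url.startswith(("\\\\", "//")):
        parts = [p for p in url.replace("/", "\\").split("\\") if p]
        host = parts[0] if parts else None
        return Verdict(url, True, url.lower().endswith(EXECUTABLE_SUFFIXES), host)

    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    path = parsed.path
    host = None
    network_share = False
    if scheme == "file" and parsed.netloc and parsed.hostname != "localhost":
        # file://host/share/file
        network_share = True
        host = parsed.hostname
    elif scheme == "file" and path.startswith("//"):
        # file:////host/share/file: urlparse leaves the host in the path
        network_share = True
        host = path.lstrip("/").split("/")[0]
    return Verdict(url, network_share, path.lower().endswith(EXECUTABLE_SUFFIXES), host)


def scan_shortcut(text: str) -> Optional[Verdict]:
    """Parse a .URL file body and classify its target; None if not a .URL."""
    url = parse_url_shortcut(text)
    return classify_target(url) if url is not None else None


# Constructed sample shortcuts (placeholders, not real indicators).
SAMPLES = {
    "benign_web": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "web_exe": "[InternetShortcut]\r\nURL=https://203.0.113.5/update.exe\r\n",
    "unc_share": "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\update.exe\r\nIconIndex=0\r\n",
    "file_scheme": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/update.exe\r\n",
    "file_unc": "[InternetShortcut]\r\nURL=file:////203.0.113.5/share/update.exe\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = scan_shortcut(body)
        print(f"{name:12} suspicious={v.suspicious!s:5} host={v.host} target={v.target}")
```

Run it over a mail-gateway quarantine or a user's Downloads folder: a web URL ending in .exe is still worth a look, but only a share reference reproduces the bypass the researchers describe, so that is what the verdict keys on.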
Unit 42 added that Mispadu targets victims only in Latin America, with the most recent campaign aimed primarily at users in Mexico.
Mispadu is not the only malware abusing the SmartScreen flaw. In late January, researchers warned that Phemedrone Stealer was exploiting the same bug to steal sensitive data. According to Trend Micro, Phemedrone harvests data stored in web browsers and cryptocurrency wallets and from messaging and gaming platforms such as Telegram, Steam and Discord; it also takes screenshots and collects details about the hardware, location and operating system. The stolen data is then exfiltrated to the attackers via Telegram or the malware's command-and-control (C&C) server.