The Mispadu banking Trojan’s threat actors are the most recent to compromise victims in Mexico by taking advantage of a Windows SmartScreen security bypass vulnerability that has since been fixed.
In a report released last week, Palo Alto Networks Unit 42 said the attacks involve a new variant of the malware, which was first discovered in 2019.
Mispadu is a Delphi-based information stealer that specifically targets victims in the Latin American (LATAM) region and is spread via phishing emails. Metabase Q disclosed in March 2023 that Mispadu spam campaigns had harvested at least 90,000 bank account credentials since August 2022.
It also belongs to the wider family of LATAM banking malware that includes Grandoreiro, whose operations were dismantled by Brazilian law enforcement authorities the previous week.
The latest infection chain discovered by Unit 42 uses malicious internet shortcut files packed inside bogus ZIP archives. These files exploit a high-severity bypass flaw in Windows SmartScreen tracked as CVE-2023-36025 (CVSS score: 8.8), which Microsoft patched in November 2023.
“This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” stated security researchers Daniela Shalev and Josh Grunzweig. “This exploit can be exploited.”
The bypass is straightforward: rather than pointing at a web URL, the shortcut's target parameter references a network share. The crafted .URL file links to a malicious binary hosted on a network share controlled by the threat actor.
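The share-referencing shortcut described above is something a mail gateway or sandbox can flag before the user ever opens the archive. The following is an added detection example (not Unit 42's or Mispadu's code): it unpacks a ZIP, parses each .URL entry as the INI-style file it is, and reports any whose URL= target is a UNC path or file: URI instead of a web address. The archive and the host name placeholder.invalid are constructed for the example.

```python
"""Flag .URL internet shortcuts inside a ZIP whose target is a network share.

Added detection example; the sample archive below is constructed inline and is
not taken from a real Mispadu campaign.
"""
import configparser
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Targets that resolve through a file share rather than HTTP(S):
# UNC (\\host\share), forward-slash UNC (//host/share) or a file: URI.
SHARE_TARGET = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def shortcut_target(data: bytes) -> Optional[str]:
    """Return the URL= value from an [InternetShortcut] file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None  # not a well-formed shortcut; leave to other checks
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_share_target(target: str) -> bool:
    """True when the shortcut would be resolved via a network share."""
    return bool(SHARE_TARGET.match(target.strip()))


def suspicious_shortcuts(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, target) for every .URL entry pointing at a share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = shortcut_target(zf.read(info))
            if target and is_share_target(target):
                hits.append((info.filename, target))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: one benign web shortcut, one share-referencing one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url", "[InternetShortcut]\r\nURL=https://example.com/\r\n")
        zf.writestr("factura.url",
                    "[InternetShortcut]\r\nURL=\\\\placeholder.invalid\\share\\file.exe\r\n")
    return buf.getvalue()
```

Run `suspicious_shortcuts(build_sample_zip())` to see only the share-referencing entry reported; the same function can be pointed at any archive pulled from a mail quarantine.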
Once launched, Mispadu reveals its true nature by selectively targeting victims based on their geographic location (i.e., the Americas or Western Europe) and system configuration. It then contacts a command-and-control (C2) server to carry out subsequent data exfiltration.
In recent months, the Windows vulnerability has been exploited in the wild by a number of different cybercrime groups in order to deliver malware such as DarkGate and Phemedrone Stealer.
Over the past year Mexico has also emerged as a top target for various campaigns distributing information stealers and remote access trojans such as AllaKore RAT, AsyncRAT, and Babylon RAT, among them a financially motivated group tracked as TA558 that has been attacking the travel and hotel industries in the Latin American and Caribbean region since 2018.
The development comes as Sekoia has documented the inner workings of DICELOADER (also known as Lizar or Tirion), a time-tested custom downloader utilised by the Russian e-crime group FIN7. The malware has previously been observed being distributed via infected USB drives (BadUSB).
“DICELOADER is dropped by a PowerShell script along with other malware of the intrusion set’s arsenal such as Carbanak RAT,” the French cybersecurity company stated, highlighting the sophisticated obfuscation tactics it uses to mask the C2 IP addresses and its network communications.
It also follows AhnLab’s discovery of two new malicious cryptocurrency mining campaigns that use booby-trapped files and game hacks to distribute miner software for Monero and Zephyr.