Mispadu Trojan Exploits Windows SmartScreen Bypass to Target Latin America


The Mispadu banking Trojan, which first surfaced in 2019, has resurfaced in a new variant with a more sophisticated attack chain aimed at Latin American countries, particularly Mexico. Researchers at Palo Alto Networks’ Unit 42 recently identified a significant evolution in the Trojan’s capabilities: it now leverages a Windows SmartScreen bypass vulnerability, CVE-2023-36025, which Microsoft patched in November 2023.

The updated Mispadu variant is delivered through spam emails carrying deceptive URLs that circumvent the SmartScreen warning, so the user sees no prompt about a potentially dangerous file. Researchers observed a .url file inside a ZIP archive downloaded through Microsoft Edge; when opened, it executed a command that retrieved and ran a malicious binary. This shows the Trojan’s flexibility in distribution, which includes both email attachments and downloads from malicious websites.

Unit 42 researchers highlighted the Trojan’s more advanced features, such as decrypting strings only when they are needed, checking time-zone differences, and targeting specific regions around the world. Mispadu identifies the victim’s Windows version, performs HTTP/HTTPS check-ins to a remote command-and-control (C2) server, and inspects the victim’s browser history through SQLite: it copies the browser history databases, runs queries against them, and checks the visited URLs against a target list stored as prebuilt SHA256 hashes.
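The history check described above, as an added analyst-side example that is not code from the article or from Unit 42: an analyst who has carved the hash list out of a sample wants to know which institutions it refers to, and the way to do that is to rebuild the same comparison in a lab and feed it candidate hostnames. The Chromium-style `urls` table, the placeholder hostnames (`bank-a.example`, `exchange-b.example`) and the assumption that the bare hostname is what gets hashed are all constructed for this example; the page does not say exactly which part of the URL Mispadu hashes.

```python
import hashlib
import os
import shutil
import sqlite3
import tempfile
from urllib.parse import urlparse

# Constructed placeholders standing in for targeted institutions. A real
# analysis starts from the hashes carved out of the sample; here they are
# derived from placeholder hostnames so the example runs offline.
PLACEHOLDER_TARGET_HOSTS = ["bank-a.example", "exchange-b.example"]


def sha256_hex(text: str) -> str:
    """Hex SHA256 of a UTF-8 string (assumed hashing scheme: bare hostname)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# The "prebuilt" list as it would sit in the sample: hashes only, no plaintext.
TARGET_HASHES = {sha256_hex(h) for h in PLACEHOLDER_TARGET_HOSTS}


def build_sample_history(path: str) -> None:
    """Constructed Chromium-style History database (subset of the 'urls' table)."""
    rows = [
        ("https://bank-a.example/login", "Bank A - Sign in", 3),
        ("https://news.example/markets", "Markets", 1),
        ("https://shop.example/cart", "Cart", 2),
    ]
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT NOT NULL, "
        "title TEXT, visit_count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    conn.close()


def hosts_in_history(db_path: str) -> set:
    """Copy the database first (a running browser keeps the live file locked),
    then query the copy read-only and return the distinct hostnames."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "History.copy")
        shutil.copyfile(db_path, copy)
        conn = sqlite3.connect(f"file:{copy}?mode=ro", uri=True)
        try:
            urls = [row[0] for row in conn.execute("SELECT url FROM urls")]
        finally:
            conn.close()
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host)
    return hosts


def matching_hosts(db_path: str, target_hashes: set) -> list:
    """Hostnames from the history whose SHA256 appears in the target list."""
    return sorted(h for h in hosts_in_history(db_path) if sha256_hex(h) in target_hashes)


def run_demo() -> list:
    """Build the constructed fixture and resolve it against the hash list."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "History")
        build_sample_history(db)
        return matching_hosts(db, TARGET_HASHES)


if __name__ == "__main__":
    print(run_demo())  # ['bank-a.example']
```

Only `bank-a.example` is reported: `exchange-b.example` is on the target list but never appears in the history, and the other visited hosts hash to values outside the list. Because the list is hash-only, recovering the full set of targeted institutions means testing candidate hostnames (for example, known bank and exchange domains in the region) the same way, which is why such lists are worth publishing in plaintext once resolved.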

The Trojan primarily focuses on financial institutions and cryptocurrency-related organizations, with a notable emphasis on Latin American countries. The campaign, initially concentrated in Latin America, has expanded its reach to European regions previously unaffected.

The attack chain relies on rogue internet shortcut (.url) files packed inside fake ZIP archives, exploiting the SmartScreen bypass flaw. The crafted .url file points to a network share controlled by the threat actor that hosts the malicious binary. Mispadu selects victims based on their geographic location and system configuration before contacting its command-and-control server to exfiltrate data.
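A triage check for the artifact described in this paragraph and earlier on the page (a .url file inside a ZIP whose target is a remote share), added here as an example rather than code from the article or from Unit 42. It parses each internet shortcut in an archive as the INI-style file it is and flags any whose `URL=` value is a `file://` URL with a host component or a UNC path, since a legitimate web shortcut points at an `http(s)` address, not at someone else's file server. The archive contents, the hostname `REMOTE-SHARE-PLACEHOLDER` and the file names are constructed fixtures.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

# File extensions that indicate the shortcut resolves to something executable.
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".msi", ".ps1", ".js", ".vbs", ".hta"}


def build_sample_archive() -> bytes:
    """Constructed fixture: a benign web shortcut and a remote-share shortcut."""
    benign = "[InternetShortcut]\r\nURL=https://intranet.example/portal\r\n"
    suspicious = (
        "[InternetShortcut]\r\n"
        "URL=file://REMOTE-SHARE-PLACEHOLDER/public/payload.exe\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("portal.url", benign)
        zf.writestr("invoice.url", suspicious)
    return buf.getvalue()


def is_remote_share(target: str) -> bool:
    """True for UNC paths and for file:// URLs that name a host."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def has_exec_extension(target: str) -> bool:
    path = urlparse(target).path if "://" in target else target
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in EXEC_EXTS


def classify_shortcut(name: str, text: str) -> dict:
    """Parse one .url file and return a finding record."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        target = cp.get("InternetShortcut", "URL", fallback="")
    except configparser.Error:
        return {"name": name, "target": None, "remote_share": False,
                "exec_ext": False, "verdict": "unparsable"}
    remote = is_remote_share(target)
    return {
        "name": name,
        "target": target,
        "remote_share": remote,
        "exec_ext": has_exec_extension(target),
        "verdict": "suspicious" if remote else "benign",
    }


def triage_archive(data: bytes) -> list:
    """Classify every .url entry in a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".url"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            findings.append(classify_shortcut(name, text))
    return findings


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["name"], f["verdict"], f["target"])
```

Running it on the fixture reports `portal.url` as benign and `invoice.url` as suspicious because its target is a `file://` URL naming a remote host; the executable extension is recorded separately so a reviewer can see at a glance that the share hosts a binary rather than a document. The same check can run at a mail gateway or on an endpoint before a user ever double-clicks the shortcut.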

This resurgence of the Mispadu banking Trojan highlights the growing sophistication of cyber threats, which continue to exploit vulnerabilities even after patches are available. Because the Trojan targets financial institutions and cryptocurrency-related organizations, users are advised to stay alert to phishing emails and to keep systems and security measures up to date.

In a broader context, the cybersecurity landscape continues to see new developments, including the exploitation of Windows flaws by various cybercrime groups to deploy malware such as DarkGate and Phemedrone Stealer. Mexico, in particular, has been a prime target for multiple campaigns delivering information stealers and remote access Trojans, underscoring the need for stronger cybersecurity measures in the region.