Banking Trojan Mispadu takes advantage of a hole in Windows SmartScreen

The banking Trojan Mispadu has become the latest cyber threat that exploits a vulnerability in Windows SmartScreen. Mispadu is written in Delphi and is designed to steal the victim's confidential information.

The Unit 42 team (part of Palo Alto Networks) first detected Mispadu in 2019 and has now identified a new variant of the malware.

The Trojan is distributed in phishing emails. New campaigns are marked by the use of malicious shortcut files packed in a ZIP archive. The malware exploits a vulnerability identified as CVE-2023-36025.

As a reminder, this flaw allows an attacker to bypass the Windows SmartScreen security feature. Microsoft resolved CVE-2023-36025 (CVSS score 8.8) in the November updates.

“The operation relies on specially prepared .URL files (or a hyperlink leading to such a file) that allow SmartScreen warnings to be bypassed,” the researchers write.

“The bypass itself depends on a parameter related to the network share with the malicious binary.”

Once launched, Mispadu establishes a connection to the command server (C2) and sends all stolen data to it.

Notably, an exploit to bypass Windows Defender SmartScreen also became publicly available in November 2023. After that, it was only a matter of time before CVE-2023-36025 was used in real cyber attacks.
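Added example, not from the post or from Unit 42: a defender-side triage script that unpacks a ZIP attachment, parses the [InternetShortcut] section of every .URL member and flags shortcuts whose target resolves to a remote file share (a UNC path or file://host/...), which is the pattern the researchers describe. The sample archive, file names and host name are constructed placeholders.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Matches UNC paths of the form \\host\share\... that a .URL file can point at.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")

def parse_url_file(data: bytes) -> dict:
    """Parse the INI-style [InternetShortcut] section of a .URL file into lowercase keys."""
    fields = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def target_is_network_share(target: str) -> bool:
    """True if the shortcut target points at a remote file share rather than a local file or web URL."""
    if UNC_RE.match(target):
        return True
    parsed = urlparse(target)
    # file://host/share/... is a remote share; file:///C:/... has an empty netloc and is local.
    return parsed.scheme == "file" and bool(parsed.netloc) and parsed.netloc.lower() != "localhost"

def triage_zip(zip_bytes: bytes) -> list:
    """Return (member name, target) for each .URL member in the archive that targets a network share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = parse_url_file(zf.read(info)).get("url", "")
            if target_is_network_share(target):
                hits.append((info.filename, target))
    return hits

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign web shortcut and one pointing at a share (placeholder host)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url", "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n")
        zf.writestr("factura.url", "[InternetShortcut]\r\nURL=file://HOST-PLACEHOLDER/share/factura.exe\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, target in triage_zip(build_sample_zip()):
        print(f"flag: {name} -> {target}")
```

The same check can be run over mail-gateway quarantines or EDR file-creation events to surface .URL shortcuts that reach out to shares before a user opens them.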