A new version of the Mispadu Trojan has emerged, posing a threat to Windows security and targeting banking systems, particularly in Latin American countries such as Mexico. This variant exploits a flaw in Windows SmartScreen, making it especially dangerous for users in these regions.
According to researchers at Palo Alto Networks' Unit 42, the updated Trojan takes advantage of a Windows SmartScreen bypass vulnerability tracked as CVE-2023-36025, which Microsoft patched in November 2023. This latest version of the Trojan uses spam emails containing deceptive URLs, allowing it to bypass the SmartScreen warnings that would typically alert users to potentially harmful files.
The distribution method has also expanded to include a ".url" internet-shortcut file that executes a command to retrieve and run a malicious binary. This file, found within a zip archive downloaded through the Microsoft Edge browser, shows the Trojan's ability to reach victims through several delivery channels, including email attachments and downloads from malicious websites.
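A defender's first question about the delivery chain above is how to spot such an archive before a user double-clicks the shortcut. The following Python script is an added example (not code from the article or from Unit 42) that scans a zip archive for `.url` entries, parses each one's `[InternetShortcut]` section, and flags shortcuts whose `URL=` value uses a non-web scheme, points at a remote host via `file://`, or ends in an executable or script extension. The archive contents, the domain names and the IP address are all constructed for the demonstration.

```python
import configparser
import io
import zipfile
from typing import Optional
from urllib.parse import urlparse

# Constructed sample shortcuts, not real Mispadu artefacts.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/factura.exe\r\n"  # hypothetical remote executable
    "IconIndex=0\r\n"
)

# Extensions that should never be the target of an internet shortcut in a document archive.
EXECUTABLE_EXTENSIONS = {".exe", ".cmd", ".bat", ".js", ".vbs", ".hta", ".scr", ".msi", ".lnk"}


def build_sample_zip() -> bytes:
    """Build an in-memory zip with one benign and one suspicious .url file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/company.url", BENIGN_URL_FILE)
        zf.writestr("factura/factura_2024.url", SUSPICIOUS_URL_FILE)
        zf.writestr("readme.txt", "nothing here")
    return buf.getvalue()


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of a Windows .url file, or None if absent."""
    # .url files are INI-style; strict=False tolerates duplicate keys seen in the wild.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_url(url: str) -> list:
    """Return a list of reasons the shortcut target looks dangerous (empty if none)."""
    reasons = []
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{scheme or '(none)'}'")
    if scheme == "file" and parsed.netloc:
        reasons.append("file:// URL with a remote host (UNC/WebDAV fetch)")
    path = parsed.path.lower()
    if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        reasons.append("target is an executable or script")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map each suspicious .url entry in the archive to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            url = parse_internet_shortcut(text)
            if url is None:
                findings[info.filename] = ["shortcut has no URL= entry"]
                continue
            reasons = classify_url(url)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The same `scan_zip` logic can be run from a mail gateway or an EDR file-create hook over any archive; the point is that a `.url` file whose target is not an `http(s)` page is almost never legitimate in a document attachment, whatever SmartScreen decides about it.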
Additionally, Unit 42 researchers found that the Trojan has more advanced capabilities, such as selectively decrypting strings, checking time zone differences, and targeting specific global regions. It identifies the victim's Windows version, performs an HTTP/HTTPS check-in to a remote command-and-control server, and inspects the victim's browser history via SQLite: it copies the browser history databases, runs queries against them, and checks the visited URLs against a target list stored as prebuilt SHA256 hashes.
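Because the target list is carried as SHA256 hashes rather than plaintext, an analyst who extracts it from a sample cannot read off the targeted institutions directly; the usual approach is to hash a candidate list of bank and exchange domains under several plausible normalizations and look for collisions with the extracted hashes. The Python below is an added example of that analysis step (not code from the article or from Unit 42). The "extracted" hash list is constructed here from made-up `.example` domains so that the script is self-checking; in real work it would come from the sample.

```python
import hashlib
from typing import Iterable, List, Tuple


def sha256_hex(text: str) -> str:
    """SHA256 of a UTF-8 string, lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the hash list pulled out of a sample.
_CONSTRUCTED_TARGETS = ["banco-ejemplo.example", "https://cripto-ejemplo.example/"]
HASH_LIST = [sha256_hex(t) for t in _CONSTRUCTED_TARGETS]

# Constructed candidate domains an analyst might try (real work would use a list of
# regional banks and crypto exchanges).
CANDIDATES = ["banco-ejemplo.example", "cripto-ejemplo.example", "tienda-ejemplo.example"]


def normalization_variants(host: str) -> dict:
    """The forms a malware author might have hashed for a given host."""
    return {
        "host": host,
        "host_lower": host.lower(),
        "http_url": f"http://{host}/",
        "https_url": f"https://{host}/",
        "https_no_slash": f"https://{host}",
        "www_host": f"www.{host}",
    }


def resolve_hash_list(hashes: Iterable[str], candidates: Iterable[str]) -> Tuple[dict, List[str]]:
    """Return (resolved, unresolved): resolved maps hash -> (host, variant) for every hit."""
    table = {}
    for host in candidates:
        for variant_name, text in normalization_variants(host).items():
            # setdefault keeps the first variant when two variants hash identically
            # (e.g. "host" and "host_lower" for an already-lowercase name).
            table.setdefault(sha256_hex(text), (host, variant_name))
    resolved = {}
    unresolved = []
    for h in hashes:
        h = h.lower()
        if h in table:
            resolved[h] = table[h]
        else:
            unresolved.append(h)
    return resolved, unresolved


if __name__ == "__main__":
    hits, misses = resolve_hash_list(HASH_LIST, CANDIDATES)
    for h, (host, variant) in hits.items():
        print(f"{h[:12]}... -> {host} (hashed as '{variant}')")
    print(f"{len(misses)} hash(es) unresolved")
```

The variant names that come back tell you which normalization the sample applies to history entries, which in turn is what a network or browser-side detection needs to match on; hashes that stay unresolved after a broad candidate list usually mean a target outside the regions you guessed, which is exactly the kind of expansion the researchers describe.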
The primary targets of the Trojan are URLs belonging to financial institutions and organizations related to cryptocurrency, with a focus on Latin American countries, particularly Mexico. The researchers also noted that the campaign has expanded to target regions in Europe that were not previously targeted.
This is not the first time the Mispadu Trojan has caused concern. ESET first documented the Mispadu stealer in 2019, describing how it had stolen money and credentials from Spanish- and Portuguese-speaking victims. Since then the Trojan has grown steadily more sophisticated, posing an increased threat to the Windows users and banking customers it targets.
The emergence of this new Mispadu Trojan variant serves as a reminder of the ever-present danger posed by cybercriminals, particularly for users in Latin American countries and beyond. As researchers continue to monitor and analyze the evolving capabilities of this Trojan, it is crucial for individuals and organizations to remain vigilant and take proactive measures to protect their systems and data from such threats.