Thursday, November 14, 2024
HomeCyber Security NewsMispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

Published on

A new variant of Mispadu stealer has been identified by researchers, which specifically targets victims in Mexico. This variant of Mispadu stealer utilizes the Windows SmartScreen vulnerability CVE-2023-36025, to download and execute malicious payloads on the system. 

Mispadu stealer is written in Delphi and was first identified in November 2019, targeting users in Brazil and Mexico. On further analysis, it was discovered that this stealer was distributed even before the publication of the CVE, which does not have the bypass for the patch. 

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

- Advertisement - SIEM as a Service

Mispadu Malware Exploits Windows SmartScreen

According to the reports shared with Cyber Security News, the Windows SmartScreen feature is designed to pop up a warning to users to protect them against visiting harmful websites. However, the feature can be bypassed by a specially crafted URL file.

Windows SmartScreen Feature (Source: Unit 42)
Windows SmartScreen Feature (Source: Unit 42)

This URL file or a hyperlink will contain a link to the attackers’ network share for downloading a binary from a harmful website, which bypasses the Windows SmartScreen warning by abusing a parameter that refers to a network share instead of a URL.

Attack Vector Analysis

Once the malware is downloaded and executed on the victim system, it initially gathers information about the time zone and UTC for checking if the system belongs to a specific timezone by calculating the GMT. Upon analysis, the malware only executes in certain regions of Western Europe and within most parts of the Americas.

The malware uses the AES encryption algorithm for several decryptions through the bcrypt.dll library. Additionally, it identifies the %TEMP% directory for storing certain files that will be used during the malware execution.

For establishing C2 communication, the malware performs either an HTTP or HTTPS GET request, depending upon the version of Microsoft Windows running on the system.

Once the C2 communication is established, the malware uses SQLite to gather history databases from Microsoft Edge and Google Chrome browsers and stores them in the %TEMP% directory. After this, the malware extracts the URLs on certain conditions and checks them against a targeted list. 

All the targeted URLs will have the (.) changed to (,), grouped, and hashed to prevent brute-forcing the algorithm. All this information is then sent to the C2 and could be used for further cybercriminal activities.

Unit 42 which provides detailed information about the source code, malware analysis, and other information. 

Indicators of Compromise

File Indicators

  • 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
  • bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
  • fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
  • 46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
  • 03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
  • 1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0
  • e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea

Network Indicators

  • plinqok[.]com
  • trilivok[.]com
  • xalticainvest[.]com
  • moscovatech[.]com
  • hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php
  • hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
  • 24.199.98[.]128/expediente38/8869881268/8594605066.exe
  • 24.199.98[.]128/verificacion58/6504926283/3072491614.exe
  • 24.199.98[.]128/impresion73/5464893028/8024251449.exe

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and...

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and...