Tuesday, December 24, 2024
HomeCyber Security NewsMispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

Published on

SIEM as a Service

A new variant of Mispadu stealer has been identified by researchers, which specifically targets victims in Mexico. This variant of Mispadu stealer utilizes the Windows SmartScreen vulnerability CVE-2023-36025, to download and execute malicious payloads on the system. 

Mispadu stealer is written in Delphi and was first identified in November 2019, targeting users in Brazil and Mexico. On further analysis, it was discovered that this stealer was distributed even before the publication of the CVE, which does not have the bypass for the patch. 

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

- Advertisement - SIEM as a Service

Mispadu Malware Exploits Windows SmartScreen

According to the reports shared with Cyber Security News, the Windows SmartScreen feature is designed to pop up a warning to users to protect them against visiting harmful websites. However, the feature can be bypassed by a specially crafted URL file.

Windows SmartScreen Feature (Source: Unit 42)
Windows SmartScreen Feature (Source: Unit 42)

This URL file or a hyperlink will contain a link to the attackers’ network share for downloading a binary from a harmful website, which bypasses the Windows SmartScreen warning by abusing a parameter that refers to a network share instead of a URL.

Attack Vector Analysis

Once the malware is downloaded and executed on the victim system, it initially gathers information about the time zone and UTC for checking if the system belongs to a specific timezone by calculating the GMT. Upon analysis, the malware only executes in certain regions of Western Europe and within most parts of the Americas.

The malware uses the AES encryption algorithm for several decryptions through the bcrypt.dll library. Additionally, it identifies the %TEMP% directory for storing certain files that will be used during the malware execution.

For establishing C2 communication, the malware performs either an HTTP or HTTPS GET request, depending upon the version of Microsoft Windows running on the system.

Once the C2 communication is established, the malware uses SQLite to gather history databases from Microsoft Edge and Google Chrome browsers and stores them in the %TEMP% directory. After this, the malware extracts the URLs on certain conditions and checks them against a targeted list. 

All the targeted URLs will have the (.) changed to (,), grouped, and hashed to prevent brute-forcing the algorithm. All this information is then sent to the C2 and could be used for further cybercriminal activities.

Unit 42 which provides detailed information about the source code, malware analysis, and other information. 

Indicators of Compromise

File Indicators

  • 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
  • bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
  • fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
  • 46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
  • 03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
  • 1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0
  • e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea

Network Indicators

  • plinqok[.]com
  • trilivok[.]com
  • xalticainvest[.]com
  • moscovatech[.]com
  • hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php
  • hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
  • 24.199.98[.]128/expediente38/8869881268/8594605066.exe
  • 24.199.98[.]128/verificacion58/6504926283/3072491614.exe
  • 24.199.98[.]128/impresion73/5464893028/8024251449.exe

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...