Friday, May 24, 2024

Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

A new variant of Mispadu stealer has been identified by researchers, which specifically targets victims in Mexico. This variant of Mispadu stealer utilizes the Windows SmartScreen vulnerability CVE-2023-36025, to download and execute malicious payloads on the system. 

Mispadu stealer is written in Delphi and was first identified in November 2019, targeting users in Brazil and Mexico. On further analysis, it was discovered that this stealer was distributed even before the publication of the CVE, which does not have the bypass for the patch. 

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Mispadu Malware Exploits Windows SmartScreen

According to the reports shared with Cyber Security News, the Windows SmartScreen feature is designed to pop up a warning to users to protect them against visiting harmful websites. However, the feature can be bypassed by a specially crafted URL file.

Windows SmartScreen Feature (Source: Unit 42)
Windows SmartScreen Feature (Source: Unit 42)

This URL file or a hyperlink will contain a link to the attackers’ network share for downloading a binary from a harmful website, which bypasses the Windows SmartScreen warning by abusing a parameter that refers to a network share instead of a URL.

Attack Vector Analysis

Once the malware is downloaded and executed on the victim system, it initially gathers information about the time zone and UTC for checking if the system belongs to a specific timezone by calculating the GMT. Upon analysis, the malware only executes in certain regions of Western Europe and within most parts of the Americas.

The malware uses the AES encryption algorithm for several decryptions through the bcrypt.dll library. Additionally, it identifies the %TEMP% directory for storing certain files that will be used during the malware execution.

For establishing C2 communication, the malware performs either an HTTP or HTTPS GET request, depending upon the version of Microsoft Windows running on the system.

Once the C2 communication is established, the malware uses SQLite to gather history databases from Microsoft Edge and Google Chrome browsers and stores them in the %TEMP% directory. After this, the malware extracts the URLs on certain conditions and checks them against a targeted list. 

All the targeted URLs will have the (.) changed to (,), grouped, and hashed to prevent brute-forcing the algorithm. All this information is then sent to the C2 and could be used for further cybercriminal activities.

Unit 42 which provides detailed information about the source code, malware analysis, and other information. 

Indicators of Compromise

File Indicators

  • 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
  • bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
  • fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
  • 46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
  • 03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
  • 1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0
  • e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea

Network Indicators

  • plinqok[.]com
  • trilivok[.]com
  • xalticainvest[.]com
  • moscovatech[.]com
  • hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php
  • hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
  • 24.199.98[.]128/expediente38/8869881268/8594605066.exe
  • 24.199.98[.]128/verificacion58/6504926283/3072491614.exe
  • 24.199.98[.]128/impresion73/5464893028/8024251449.exe

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles