Mispadu Stealer, a banking Trojan first reported in November 2019, has been observed exploiting the Windows SmartScreen bypass vulnerability, CVE-2023-36025. This variant of Mispadu spreads through phishing emails and primarily affects victims in Latin America. The malware is part of the larger family of LATAM banking malware, including Grandoreiro.
CVE-2023-36025 is a vulnerability in Windows SmartScreen that allows attackers to bypass its warnings by creating a specially crafted .url file or hyperlink whose target is a network share (a UNC path) rather than an ordinary URL.
Mispadu, written in Delphi, initially targeted victims in Brazil and Mexico. The exploit consists of a specially crafted internet shortcut file or hyperlink pointing to malicious files, which bypasses the SmartScreen warning that would otherwise be shown. Once launched, Mispadu selectively targets victims based on geographic location and system configuration, then establishes contact with a command-and-control server for data exfiltration.
In a November 2023 incident, a .url file was discovered executing a command to retrieve and execute a malicious binary. The file was contained in a .zip archive downloaded by the Microsoft Edge browser. When a .url file's target is a UNC path, Windows resolves it over network-share protocols rather than treating it as a web download, and it can use WebDAV over HTTP if the UNC path specifies it.
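The defensive check that follows from the mechanism above is to inspect .url files for share-style targets before they are opened. The script below is an added example, not code from the original report or from any vendor tool; it parses the INI-style .url format, classifies the target as a plain UNC path, a UNC path with the `@port`/`@SSL` suffix that routes through the Windows WebDAV redirector, or a `file://` URI naming a remote host, and flags all three. The sample shortcut contents, host addresses and file names are constructed for illustration.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Abuse of CVE-2023-36025 relies on a .url whose target is a network share
(UNC path, optionally WebDAV over HTTP) instead of an ordinary http(s) URL.
This parses the INI-style .url format and classifies the target so such
files can be quarantined or alerted on.  Added example; hosts and names
below are constructed, not real indicators.
"""
import configparser
import re
from typing import Optional

# Bare UNC path (\\host\share\...) or the forward-slash form (//host/share/...).
_UNC_RE = re.compile(r"^(\\\\|//)(?P<host>[^\\/]+)(?:[\\/]|$)")
# file: URI that names a remote host; file:///C:/... (empty host) is local.
_FILE_URI_RE = re.compile(r"^file:(\\\\|//)(?P<host>[^\\/]+)(?:[\\/]|$)", re.IGNORECASE)


def classify_target(target: str) -> Optional[str]:
    """Label share-style targets; return None for ordinary URLs or local paths.

    'webdav-unc' : UNC host carries an @port / @SSL suffix, so the Windows
                   WebDAV redirector fetches the share over HTTP(S)
    'unc'        : plain UNC / network-share path
    'file-uri'   : file:// URI naming a remote host
    """
    target = target.strip()
    m = _UNC_RE.match(target)
    if m:
        return "webdav-unc" if "@" in m.group("host") else "unc"
    m = _FILE_URI_RE.match(target)
    if m and m.group("host").lower() != "localhost":
        return "file-uri"
    return None


def triage_url_file(text: str) -> dict:
    """Parse .url file text and report its target, label and verdict."""
    # interpolation=None keeps literal '%' in values; strict=False tolerates
    # duplicate keys, which hand-crafted shortcuts sometimes contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    target = cp.get("InternetShortcut", "URL", fallback="")
    label = classify_target(target)
    return {"target": target, "label": label, "suspicious": label is not None}


# Constructed samples: a share-pointing shortcut (WebDAV-over-HTTP form) and a benign one.
SAMPLE_SHARE = "[InternetShortcut]\nURL=\\\\203.0.113.5@80\\DavWWWRoot\\invoice.exe\nIconIndex=0\n"
SAMPLE_HTTP = "[InternetShortcut]\nURL=https://example.com/\n"

if __name__ == "__main__":
    for name, text in (("share", SAMPLE_SHARE), ("http", SAMPLE_HTTP)):
        print(name, triage_url_file(text))
```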
The investigation revealed a connection to the Mispadu Stealer, indicating an evolution in techniques. Attribution was made to a Mispadu AutoIt sample from May 2023, with similarities to another Mexican infostealer campaign. Mispadu Stealer, identified in 2019, targets Spanish- and Portuguese-speaking victims through spam campaigns with malicious emails containing deceptive .zip files.