Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users

A new variant of the Mispadu stealer has been identified by researchers, specifically targeting victims in Mexico. This variant exploits the Windows SmartScreen vulnerability CVE-2023-36025 to download and execute malicious payloads on the system.



Mispadu stealer is written in Delphi and was first identified in November 2019, targeting users in Brazil and Mexico. Further analysis showed that the stealer was already being distributed before the CVE was published, and that those earlier samples did not include the SmartScreen bypass.







Mispadu Malware Exploits Windows SmartScreen



According to the reports shared with Cyber Security News, the Windows SmartScreen feature is designed to pop up a warning to users to protect them against visiting harmful websites. However, the feature can be bypassed by a specially crafted URL file.



Windows SmartScreen Feature (Source: Unit 42)

This .url file or hyperlink contains a link to the attackers' network share from which a binary is downloaded; the SmartScreen warning is bypassed by abusing a parameter that refers to a network share instead of a web URL.
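A defender can catch this delivery technique at the file level: an Internet Shortcut (.url) file whose target is a network share rather than a web address is unusual in ordinary mail or download traffic. The script below, an added example that is not code from the article or from Unit 42, parses the `[InternetShortcut]` section of .url files and flags any field whose value refers to a remote share, either as a `\\host\share` UNC path or as a `file://host/...` URL. It goes slightly beyond the article by checking every field in the section rather than only `URL=`, and the sample files are constructed for the example.

```python
import configparser
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample .url files for this example (not real malware samples).
SAMPLE_URL_FILES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\nURL=https://example.com/page\n",
    "file_scheme_share.url": "[InternetShortcut]\nURL=file://192.0.2.10/share/update.exe\n",
    "unc_path.url": "[InternetShortcut]\nURL=\\\\192.0.2.10\\share\\tool.exe\nIconIndex=0\n",
    "local_file.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
}

# Matches a \\host\share... style UNC path at the start of a value.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def shortcut_fields(content: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section of a .url file into a key/value dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    try:
        parser.read_string(content)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def references_network_share(value: str) -> bool:
    """True if a field value refers to a remote share rather than a local file or web URL."""
    value = value.strip()
    if UNC_PATH.match(value):
        return True
    parsed = urlparse(value)
    if parsed.scheme.lower() == "file":
        host = (parsed.hostname or "").lower()
        # file:///C:/... has no host; file://server/... names a remote share
        return host not in ("", "localhost", "127.0.0.1")
    return False


def share_referencing_fields(content: str) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs in a .url file that point at a network share."""
    return [(k, v) for k, v in shortcut_fields(content).items()
            if references_network_share(v)]


def scan_url_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file name to its share-referencing fields; clean files are omitted."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for name, content in files.items():
        hits = share_referencing_fields(content)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_url_files(SAMPLE_URL_FILES).items():
        print(f"{name}: {hits}")
```

In practice the same check belongs in a mail gateway or endpoint scanner that inspects .url files inside attachments and archives; a local `file:///C:/...` target is left alone so that legitimate desktop shortcuts do not produce noise.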



Attack Vector Analysis



Once the malware is downloaded and executed on the victim's system, it first gathers the system's time zone and its offset from UTC (GMT) to determine whether the machine is located in a targeted region. Analysis shows the malware only runs in certain regions of Western Europe and in most parts of the Americas.



The malware uses AES, accessed through the bcrypt.dll library, for several of its decryption routines. It also locates the %TEMP% directory, where it stores files used during execution.



For establishing C2 communication, the malware performs either an HTTP or HTTPS GET request, depending upon the version of Microsoft Windows running on the system.



Once C2 communication is established, the malware uses SQLite to collect the history databases of Microsoft Edge and Google Chrome and stores them in the %TEMP% directory. It then extracts URLs under certain conditions and checks them against a list of targets.



Each targeted URL has its dots (.) replaced with commas (,); the URLs are then grouped and hashed to hinder brute-forcing of the matching algorithm. All of this information is sent to the C2 and could be used for further cybercriminal activity.



The full Unit 42 report provides detailed information about the source code, the malware analysis, and other findings.



Indicators of Compromise



File Indicators

8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0
e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea

Network Indicators



plinqok[.]com
trilivok[.]com
xalticainvest[.]com
moscovatech[.]com
hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php
hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
24.199.98[.]128/expediente38/8869881268/8594605066.exe
24.199.98[.]128/verificacion58/6504926283/3072491614.exe
24.199.98[.]128/impresion73/5464893028/8024251449.exe
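To make these indicators actionable, the defanged forms (`hxxp`, `[.]`) have to be refanged and normalised to the hosts that will actually appear in proxy or DNS logs. The script below is an added example, not code from the article or from Unit 42: it refangs the network indicators listed above, extracts the unique hosts, matches them against a few constructed proxy log lines, and checks a file's SHA-256 against the file indicators. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are assumptions made for the example.

```python
import hashlib
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse

# File indicators copied from the Indicators of Compromise section above.
FILE_SHA256: Set[str] = {
    "8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea",
    "bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789",
    "fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4",
    "46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52",
    "03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f",
    "1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0",
    "e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea",
}

# Network indicators copied from the section above, kept defanged as published.
NETWORK_INDICATORS: List[str] = [
    "plinqok[.]com",
    "trilivok[.]com",
    "xalticainvest[.]com",
    "moscovatech[.]com",
    "hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php",
    "hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php",
    "24.199.98[.]128/expediente38/8869881268/8594605066.exe",
    "24.199.98[.]128/verificacion58/6504926283/3072491614.exe",
    "24.199.98[.]128/impresion73/5464893028/8024251449.exe",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def indicator_hosts(indicators: Iterable[str]) -> Set[str]:
    """Extract the lower-cased host from each indicator, whether bare host, host/path or URL."""
    hosts: Set[str] = set()
    for raw in indicators:
        value = refang(raw)
        if "://" not in value:
            value = "http://" + value  # bare "host/path" entries need a scheme for urlparse
        host = urlparse(value).hostname
        if host:
            hosts.add(host.lower())
    return hosts


# Constructed proxy log lines for the example (not real traffic):
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2024-02-05T10:01:12Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-02-05T10:02:40Z 10.0.0.15 GET http://trilivok.com/4g3031ar0/cb6y1dh/it.php 200
2024-02-05T10:03:05Z 10.0.0.22 GET http://24.199.98.128/expediente38/8869881268/8594605066.exe 200
2024-02-05T10:04:11Z 10.0.0.22 GET https://docs.example.org/ 304
"""


def match_proxy_log(log_text: str, hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for every line whose destination host is an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        host = urlparse(parts[3]).hostname
        if host and host.lower() in hosts:
            hits.append((parts[0], parts[1], host.lower()))
    return hits


def file_hash_is_indicator(data: bytes) -> bool:
    """True if the SHA-256 of the given file content is one of the published file indicators."""
    return hashlib.sha256(data).hexdigest() in FILE_SHA256


if __name__ == "__main__":
    hosts = indicator_hosts(NETWORK_INDICATORS)
    for ts, client, host in match_proxy_log(SAMPLE_PROXY_LOG, hosts):
        print(f"{ts} {client} contacted indicator host {host}")
```

Matching on the host rather than the full URL is deliberate: the path components in the published URLs look campaign-specific, so a host-level match still fires if the operators rotate the path while keeping the domain or IP address.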
The post Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users appeared first on GBHackers on Security.