The Mispadu banking Trojan has emerged as the latest threat targeting users in Mexico, exploiting a previously patched Windows SmartScreen security bypass flaw. This new variant of the malware, first identified in 2019, employs phishing emails for propagation, specifically targeting victims in the Latin American region. Palo Alto Networks Unit 42, in a recent report, reveals that Mispadu has been distributed through rogue internet shortcut files contained within deceptive ZIP archives, taking advantage of the now-resolved Windows SmartScreen flaw (CVE-2023-36025). Despite its detection and patching by Microsoft in November 2023, threat actors continue to use the exploit to compromise users.
Mispadu, known for its Delphi-based information-stealing capabilities, selectively targets victims based on geographic location and system configurations. The malware, once launched, establishes contact with a command-and-control server for subsequent data exfiltration. Notably, Mispadu is part of the larger family of Latin American (LATAM) banking malware, sharing connections with Grandoreiro, a malware dismantled by Brazilian law enforcement authorities recently. Mexico has witnessed a surge in cyber threats, with various campaigns deploying information stealers and remote access trojans, reinforcing the financially-motivated group TA558’s sustained attacks on the hospitality and travel sectors in the LATAM region since 2018.
The exploitation of the Windows SmartScreen flaw by multiple cybercrime groups in recent months, delivering malware like DarkGate and Phemedrone Stealer, underscores the persistent security challenges. Additionally, the disclosure of DICELOADER’s inner workings, a custom downloader used by the Russian e-crime group FIN7, and AhnLab’s discovery of new malicious cryptocurrency mining campaigns further highlight the evolving and diverse nature of cybersecurity threats in the current landscape. The report provides valuable insights into the tactics employed by threat actors, emphasizing the need for continuous vigilance and proactive cybersecurity measures to protect against sophisticated attacks.