A new variant of Mispadu stealer has been identified by researchers, which specifically targets victims in Mexico. This variant of Mispadu stealer utilizes the Windows SmartScreen vulnerability CVE-2023-36025, to download and execute malicious payloads on the system.
Mispadu stealer is written in Delphi and was first identified in November 2019, targeting users in Brazil and Mexico. On further analysis, it was discovered that this stealer was distributed even before the publication of the CVE, which does not have the bypass for the patch.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Mispadu Malware Exploits Windows SmartScreen
According to the reports shared with Cyber Security News, the Windows SmartScreen feature is designed to pop up a warning to users to protect them against visiting harmful websites. However, the feature can be bypassed by a specially crafted URL file.
This URL file or a hyperlink will contain a link to the attackers’ network share for downloading a binary from a harmful website, which bypasses the Windows SmartScreen warning by abusing a parameter that refers to a network share instead of a URL.
Attack Vector Analysis
Once the malware is downloaded and executed on the victim system, it initially gathers information about the time zone and UTC for checking if the system belongs to a specific timezone by calculating the GMT. Upon analysis, the malware only executes in certain regions of Western Europe and within most parts of the Americas.
The malware uses the AES encryption algorithm for several decryptions through the bcrypt.dll library. Additionally, it identifies the %TEMP% directory for storing certain files that will be used during the malware execution.
For establishing C2 communication, the malware performs either an HTTP or HTTPS GET request, depending upon the version of Microsoft Windows running on the system.
Once the C2 communication is established, the malware uses SQLite to gather history databases from Microsoft Edge and Google Chrome browsers and stores them in the %TEMP% directory. After this, the malware extracts the URLs on certain conditions and checks them against a targeted list.
All the targeted URLs will have the (.) changed to (,), grouped, and hashed to prevent brute-forcing the algorithm. All this information is then sent to the C2 and could be used for further cybercriminal activities.
Unit 42 which provides detailed information about the source code, malware analysis, and other information.
Indicators of Compromise
File Indicators
- 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea
- bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789
- fb3995289bac897e881141e281c18c606a772a53356cc81caf38e5c6296641d4
- 46d20fa82c936c5784f86106838697ab79a1f6dc243ae6721b42f0da467eaf52
- 03bdae4d40d3eb2db3c12d27b76ee170c4813f616fec5257cf25a068c46ba15f
- 1b7dc569508387401f1c5d40eb448dc20d6fb794e97ae3d1da43b571ed0486a0
- e136717630164116c2b68de31a439231dc468ddcbee9f74cca511df1036a22ea
Network Indicators
- plinqok[.]com
- trilivok[.]com
- xalticainvest[.]com
- moscovatech[.]com
- hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php
- hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
- 24.199.98[.]128/expediente38/8869881268/8594605066.exe
- 24.199.98[.]128/verificacion58/6504926283/3072491614.exe
- 24.199.98[.]128/impresion73/5464893028/8024251449.exe
Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.