Mispadu Stealer Detection: A New Banking Trojan Variant Targets Mexico While Exploiting CVE-2023-36025

Cybersecurity researchers recently unveiled a new variant of a stealthy info-stealing malware known as Mispadu Stealer. Adversaries behind the latest attacks against Mexican users leveraging Mispadu banking Trojan have been observed exploiting a recently fixed Windows SmartScreen vulnerability tracked as CVE-2023-36025.

Detect Mispadu Stealer 

With dozens of new malware samples emerging in the cyber domain daily, cyber defenders are searching for cutting-edge solutions to detect threats proactively. SOC Prime Platform aggregates 300K+ detection algorithms to help cyber defenders identify possible cyber attacks at the earliest stages of development, including the latest Mispadu infostealer campaign. 

Possible Mispadu Infostealer Execution by Invoking DLL Payload through WebDAV Utility (via process_creation)

The latest rule by our seasoned Threat Bounty developer Nattatorn Chuensangarun helps to detect suspicious Mispadu Infostealer activity by executing the Rundll32 command to load the DLL payload through the WebDAV client utility. The detection is compatible with 24 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework v14 addressing the Defense Evasion tactic with System Binary Proxy Execution (T1218) as the corresponding technique. 

Also, in view that the new Mispadu campaign relies on CVE-2023-36025 to proceed with the infection process, SOC Prime users might explore the detection stack related to the vulnerability exploitation.

To explore the collection of rules associated with Mispady Stealer’s malicious activity, hit the Explore Detection button below. All rules are accompanied by extensive metadata, including ATT&CK references, CTI links, attack timelines, triage recommendations, and more.

Explore Detections

Eager to make a contribution to collective cyber defense and develop cybersecurity skills? Join our Threat Bounty Program for cyber defenders, submit your detection rules to be published in front of 33K+ security professionals, and get recurrent rewards for your contribution. 

Mispadu Stealer Analysis

Unit 42 researchers have recently uncovered a new variant of Mispadu Stealer. This Delphi-based malware focuses on regions and URLs linked to Mexico and has been discovered while searching for a recently patched security bypass vulnerability in Windows SmartScreen known as CVE-2023-36025. 

Mispadu Stealer is also part of a broader banking malware family, with the Latin America region being its primary target. The latter includes another nefarious banking Trojan known as Grandoreiro, which had long been used in attacks against Brazil, Spain, and Mexico until law enforcement in Brazil recently took measures to disrupt it. 

Mispadu commonly spreads via spam campaigns, in which recipients obtain harmful emails with a ZIP file and a fake URL within. As a multistage malware variant, the Mispadu stealer applies multiple adversary techniques that are continuously evolving and increasing in sophistication. 

SmartScreen is intended to safeguard users from untrusted sources by notifying them of potentially hazardous websites and files. However, attackers can bypass these warnings by weaponizing CVE-2023-36025. The exploit creates a URL file or a hyperlink leading to harmful files, which can evade SmartScreen’s warnings. Once clicked, the URL file redirects compromised users to the adversary network share to run the payload.

In late fall 2023, the Unit 42 team came across a similar URL file while searching attempts to bypass SmartScreen. The detected URL file stemmed from a ZIP archive that was downloaded by the Microsoft Edge browser and was intended to launch and run a malicious executable binary. Further research revealed similar payloads downloaded from the same C2 served. The C2 infrastructure and the revealed malware capabilities proved to bear striking similarities with those leveraged by a Mispadu sample detected in late spring 2023.

The exponential rise in banking malware variants targeting multiple regions and industries, along with the continuous advancement of their offensive capabilities fuel the need for proactive defense. SOC Prime’s Uncoder AI enables security engineers to advance their Detection Engineering capabilities backed by the power of augmented intelligence. Write detections against emerging and ever-changing malware faster and simpler, translate your code into multiple cybersecurity languages in an automated fashion, and simplify IOC matching to take your retrospective hunting to the next level.