Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This devious new trojan is exposing a flaw in Windows SmartScreen to drain victims bank accounts

A white padlock on a dark digital background.

Palo Alto Networks’ cybersecurity research arm Unit 42 recently discovered a new malware variant targeting users via a vulnerability in Windows SmartScreen

Mispadu is an infostealer built on Delphi, looking to extract sensitive information from victim endpoints, including banking details. 

Last year Mispadu’s operators harvested roughly 90,000 bank account credentials, The Hacker News claimss, citing Metabase Q reports.

Mispadu is after your data

Mispadu works by exploiting a flaw tracked as CVE-2023-36025. It is a high-severity bypass flaw found in Windows SmartScreen that Microsoft fixed in November last year. It has a severity score of 8.8. The hackers abuse the flaw by creating a custom .URL file, or a hyperlink, which then points to a malicious file that can work around SmartScreen’s warnings. 

SmartScreen is an anti-malware component, running from the cloud, which comes with multiple Microsoft products, from Windows 8 onward, and including Edge. 

"This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings," Unit 42 researchers said in their report. "The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor's network share with a malicious binary."

Mispadu only targets victims in Latin America, it was added, with the newest campaign compromising mostly users in Mexico.

The malware is hardly the only variant out there abusing the SmartScreen flaw. Earlier this year, in late January, experts were warning of the Phemedrone Stealer abusing the same flaw to extract sensitive data. Researchers from Trend Micro said this malware grabbed sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It also takes screengrabs, and siphons out data on hardware, location, and the operating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.