This devious new trojan is exposing a flaw in Windows SmartScreen to drain victims bank accounts

Windows SmartScreen flaw was patched, but many users could still be at risk

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Palo Alto Networks’ cybersecurity researcharmUnit 42 recently discovered a newmalwarevariant targeting users via a vulnerability in Windows SmartScreen

Mispadu is an infostealer built on Delphi, looking to extract sensitive information from victim endpoints, including banking details.

Last year Mispadu’s operators harvested roughly 90,000 bank account credentials,The Hacker Newsclaimss, citing Metabase Q reports.

Mispadu is after your data

Mispadu works by exploiting a flaw tracked as CVE-2023-36025. It is a high-severity bypass flaw found in Windows SmartScreen thatMicrosoftfixed in November last year. It has a severity score of 8.8. The hackers abuse the flaw by creating a custom .URL file, or a hyperlink, which then points to a malicious file that can work around SmartScreen’s warnings.

SmartScreen is an anti-malware component, running from the cloud, which comes with multiple Microsoft products, fromWindows 8onward, and including Edge.

“This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” Unit 42 researchers said in their report. “The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor’s network share with a malicious binary.”

Mispadu only targets victims in Latin America, it was added, with the newest campaign compromising mostly users in Mexico.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The malware is hardly the only variant out there abusing the SmartScreen flaw. Earlier this year, in late January, experts were warning of the Phemedrone Stealer abusing the same flaw to extract sensitive data. Researchers from Trend Micro said this malware grabbed sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram,Steam, and Discord. It also takes screengrabs, and siphons out data on hardware, location, and theoperating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set