Mispadu Banking Trojan Exploits Windows SmartScreen Flaw

By: Austin Ukpebor - February 6, 2024, 23:15:20

A new variant of the Mispadu banking Trojan has been found exploiting a Windows SmartScreen security bypass flaw, according to researchers from Palo Alto Networks Unit 42.

Mispadu is a Delphi-based information stealer that targets users in Brazil and Mexico. It is distributed through phishing emails that lure victims into downloading malicious ZIP files. The ZIP files contain rogue internet shortcut files that execute PowerShell commands to download and run the Mispadu payload.

The new variant of Mispadu leverages a vulnerability in Windows SmartScreen, a feature that warns users about potentially harmful files or websites. The vulnerability, CVE-2023-36025, allows attackers to bypass the SmartScreen warning using a specially crafted URL. This increases the chances of users running the malicious files without suspicion.

The Mispadu banking Trojan can steal infected users' banking credentials, credit card information, and personal data. It also displays fake pop-up windows that mimic legitimate banking websites, asking users to enter their account details. The researchers estimate that Mispadu has harvested over 90,000 bank account credentials since August 2022.

Microsoft patched the SmartScreen vulnerability in November 2023, but users who have not yet applied that update remain vulnerable to Mispadu attacks. The researchers advise users to be wary of unsolicited emails and to verify the source and content of any files or links they receive. They also recommend using antivirus software and keeping systems up to date.