Mispadu Trojan Steals 90,000+ Banking Credentials From Latin American Victims

Twenty different spam campaigns were discovered that relied on the Mispadu banking Trojan, targeting victims in Chile, Mexico, Peru and Portugal.

The findings, showing 90,518 credentials stolen from a total of 17,595 unique websites, come from the Ocelot team at Latin American cybersecurity firm Metabase Q.

These included numerous government websites: 105 in Chile, 431 in Mexico and 265 in Peru.

According to a recently published advisory written by Metabase Q security researchers Fernando Garcia and Dan Regalado, Mispadu uses new techniques to facilitate infection and maintain persistence. These include fake certificates to obfuscate the early-stage malware, new .NET-based backdoors that can take screenshots of targeted victims, and fake pop-ups, including submission windows, urging users to click on specific links.

Additionally, the upgraded version of the Mispadu banking Trojan comes with a new backdoor written in Rust, a language that, according to Metabase Q, is still poorly handled by endpoint protection tools.


“While the Mispadu campaign was able to compromise thousands of users, the infection rate among corporate users (usually a combination of antivirus and EDR/XDR) is still very low,” Garcia and Regalado said.

“However, organizations must expect their employees to be at risk sooner or later, so they must work on strategies to detect these threats and improve [the] SOC monitoring, detection, and response capabilities to reduce the time to respond.”

Another backdoor recently used to target victims in Latin America is DTrack, reportedly deployed by the North Korean Lazarus group.
