Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

March 20, 2023, Ravie Lakshmanan, Cyber Threat / Malware


A banking Trojan called Mispadu has been linked to multiple spam campaigns targeting countries such as Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads.

The operation, which began in August 2022, is ongoing, the Ocelot team at Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.

Mispadu (aka URSA) was first documented by ESET in November 2019, which described its ability to steal money and credentials and to act as a backdoor by taking screenshots and capturing keystrokes.

“One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into command-and-control servers from which they spread malware, filtering out countries they don’t want to infect and dropping different types of malware based on the country being infected,” say researchers Fernando García and Dan Regalado.

It is also said to share similarities with other banking Trojans targeting the region, such as Grandoreiro, Javali, and Lampion. The attack chain, which involves Delphi-based malware, uses email messages to entice recipients into opening fake overdue invoices, thereby triggering a multi-step infection process.

When the victim opens the HTML attachment sent in the spam email, the file checks that it is being opened from a desktop device and then redirects to a remote server to retrieve the first-stage malware.

Once the RAR or ZIP archive is launched, it makes use of rogue digital certificates (one from the Mispadu malware, the other from an AutoIT installer) to decode and decrypt the Trojan with the legitimate certutil command-line utility before it is run.

Mispadu has the ability to gather a list of antivirus solutions installed on compromised hosts, siphon credentials from Google Chrome and Microsoft Outlook, and facilitate the acquisition of additional malware.


This comprises an obfuscated Visual Basic Script dropper that downloads another payload from a hardcoded domain, a .NET-based remote access tool that can execute commands issued by an attacker-controlled server, and a loader written in Rust that in turn runs a PowerShell loader to execute files directly from memory.

Additionally, the malware utilizes malicious overlay screens to obtain credentials and other sensitive information associated with online banking portals.

Metabase Q noted that the certutil approach allowed Mispadu to evade detection by various security software and harvest over 90,000 bank account credentials from over 17,500 unique websites.
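The certutil decoding step described above, and the note that it slipped past security software, as an added defender-side example that is not from the Metabase Q report or this article: it checks whether a PEM-wrapped "certificate" really decodes to a Windows executable, and flags certutil decode invocations in constructed process-creation log lines (the file names, users, and the "user | image | command line" log format are assumptions).

```python
import base64
import re
import shlex

# Constructed sample: a PEM wrapper whose base64 body is actually a PE file
# (starts with "MZ"), i.e. a payload disguised as a certificate so that
# certutil -decode can recover it.
FAKE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed sample: a body that begins like a real DER certificate (SEQUENCE tag 0x30).
REAL_LOOKING_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x82\x01\x0a\x30\x82\x00\xf2" + b"\x00" * 56).decode()
    + "\n-----END CERTIFICATE-----\n"
)

PEM_BODY = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def pem_body_kind(text: str) -> str:
    """Classify what the base64 body of a PEM wrapper really decodes to."""
    m = PEM_BODY.search(text)
    if not m:
        return "not-pem"
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "bad-base64"
    if raw[:2] == b"MZ":
        return "pe-in-cert"      # Windows executable hiding behind a cert header
    if raw[:1] == b"\x30":
        return "der"             # plausible DER-encoded certificate
    return "unknown"

# Constructed process-creation log lines (hypothetical format "user | image | command line").
LOG_LINES = [
    "alice | C:\\Windows\\System32\\certutil.exe | certutil -decode fatura.cer fatura.exe",
    "bob | C:\\Windows\\System32\\certutil.exe | certutil -verify server.cer",
    "carol | C:\\Windows\\System32\\cmd.exe | cmd /c dir",
]

DECODE_VERBS = {"-decode", "-decodehex"}   # real certutil verbs used to unpack payloads

def flag_certutil_decode(lines):
    """Return log lines where certutil is used to decode a file rather than manage certificates."""
    hits = []
    for line in lines:
        _user, image, cmdline = [p.strip() for p in line.split("|", 2)]
        if not image.lower().endswith("certutil.exe"):
            continue
        argv = [a.lower() for a in shlex.split(cmdline, posix=False)]
        if DECODE_VERBS & set(argv):
            hits.append(line)
    return hits
```

Pairing the two checks (a certutil decode event whose input file classifies as "pe-in-cert") gives a far lower false-positive rate than alerting on certutil alone, since legitimate certificate handling never decodes to an MZ header.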
