Contents:
Multiple spam campaigns targeting Bolivia, Chile, Mexico, Peru, and Portugal have been linked to a banking trojan called Mispadu that steals credentials and delivers other malicious payloads. Mispadu (aka URSA) can steal money, credentials, and act as a backdoor by taking screenshots and capturing keystrokes.
In a report, Ocelot Team from Latin American cybersecurity firm Metabase Q said the activity began in August 2022.
One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected.
Mispadu – Upon a Closer Look
Mispadu is a malware family that, according to researchers, targets mainly financial entities in Brazil and Mexico. As well as sharing similarities with other banking trojans targeting the region, it has also been observed to be similar to Grandoreiro, Javali, and Lampion. The Delphi-based malware is used in attack chains that entice recipients to open fake overdue invoices, triggering a multi-stage infection process.
When a victim opens the HTML attachment in the spam email, the malware verifies that the file was opened from a desktop computer, then redirects to a remote server to download the first-stage malware.
Initial HTML file loaded by the victim – Source
By abusing the legitimate certutil command-line utility, the RAR or ZIP archive uses rogue digital certificates to decode and execute the trojan, one of them being the Mispadu malware and the other an AutoIT installer.
Mispadu is capable of gathering the list of antivirus solutions installed on the compromised host, siphoning credentials from Google Chrome and Microsoft Outlook, and facilitating the retrieval of additional malware.
As per THN, this includes an obfuscated Visual Basic Script dropper that serves to download another payload from a hard-coded domain, a .NET-based remote access tool that can run commands issued by an actor-controlled server, and a loader written in Rust that, in turn, executes a PowerShell loader to run files directly from memory.
Using malicious overlay screens, the malware obtains credentials for online banking portals and other sensitive information.
Further, researchers noted that the certutil approach has allowed Mispadu to bypass detection by a wide range of security software and harvest over 90,000 bank account credentials from over 17,500 unique websites.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.