Mispadu Banking Trojan
Researchers discovered a banking trojan called Mispadu, which is getting used in several spam campaigns targeting victims in Latin America – Chile, Mexico, Peru, and Portugal.
The findings, which show 90,518 credentials stolen from a total of 17,595 unique websites, includes several government websites: 105 in Chile, 431 in Mexico and 265 in Peru.
The upgraded version of the Mispadu banking Trojan comes with a new backdoor programmed using Rust that still bypasses endpoint protection tools, but the infection rate is low.
Mispadu features new techniques to facilitate infection and maintain persistence. These include fake certificates to obfuscate initial stage malware and a new .NET-based backdoor enabling screenshots of target victims, as well as the sending of phony pop-up windows to prompt them to click on specific links.
Mispadu TTP is like other banking trojans targeting the region, like Grandoreiro, Javali, and Lampion. Attack chains involving the Delphi malware leverage email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process.
Modus of Operandi
- Once after the victim open the HTML attachment sent via the spam email, it verifies that the file was opened from a desktop device and then redirects to a remote server to fetch the first-stage malware.
- The RAR or ZIP archive, is designed to make use of rogue digital certificates – one which is the Mispadu malware and the other, an AutoIT installer – to decode and execute the trojan by abusing the legitimate certutil command-line utility.
The report concludes stating Organizations need to assume that sooner or later an employee will be compromised, and therefore, work on a strategy that can help to reduce the time to detect and respond to these threats while improving SOC’s monitoring, detection, and response capabilities.
This research was documented by researchers from Metabase Q
Indicators of Compromise