Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen


A banking Trojan called Mispadu is involved in several spam campaigns targeting Bolivia, Chile, Mexico, Peru and Portugal with the aim of stealing user data and delivering other payloads.

The operation, which began in August 2022, is still ongoing, Latin American cybersecurity company Metabase Q's Ocelot Team said in a report shared with The Hacker News.

Mispadu (aka URSA) was first documented by ESET in November 2019, which described its ability to steal money and credentials and to act as a backdoor by taking screenshots and logging keystrokes.

"One of their main strategies is to compromise legitimate websites, look for vulnerable versions of WordPress, turn them into their command and control servers to spread malware from there, filter out countries they don't want to infect, and drop different malware to the infected country," said researchers Fernando García and Dan Regalado.

It is also said to share similarities with other banking Trojans targeting the region, such as Grandoreiro, Javali and Lampion. Attack chains involving the Delphi-based malware use email messages that trick recipients into opening fake overdue invoices, which starts a multi-stage infection process.

When a victim opens the spammed HTML attachment, it first checks that the file was opened on a desktop device and then contacts a remote server to fetch the first-stage malware.

When launched, the RAR or ZIP archive is designed to use fake digital certificates, one from the Mispadu malware and the other from the AutoIT installer, to extract and run the Trojan by abusing the legitimate certutil command-line utility.

Mispadu is equipped to collect a list of the antivirus solutions installed on the compromised host, steal credentials from Google Chrome and Microsoft Outlook, and retrieve additional malware.

It includes an obfuscated Visual Basic Script dropper that downloads another payload from a hard-coded domain, a .NET-based remote access tool that can execute commands issued by an operator-controlled server, and a downloader written in Rust that in turn runs a PowerShell loader to execute files directly from memory. In addition, the malware uses malicious overlay screens to capture credentials and other sensitive information related to online banking portals.

Metabase Q noted that the certutil approach allowed Mispadu to evade detection by multiple security products and harvest more than 90,000 bank account credentials from more than 17,500 unique websites.
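The certutil abuse described above (a decode step that turns a fake "certificate" shipped in the archive into a runnable Trojan, launched from the script or archive stage of the chain) leaves a recognisable footprint in process-creation telemetry. The following is an added example, not code from the report or from Metabase Q: a small heuristic scanner over Sysmon-style events. The field names, extension lists, parent-process list and sample events are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple
# Heuristics: certutil -decode legitimately turns base64 text into a binary
# certificate; decoding into an executable, spawned by a script host or an
# archive tool, matches the chain described above. Lists are constructed here.
BENIGN_SRC_EXTS = (".cer", ".crt", ".pem", ".der", ".p7b", ".txt", ".b64")
EXEC_EXTS = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".bat", ".cmd")
CHAIN_PARENTS = ("wscript.exe", "cscript.exe", "winrar.exe", "7z.exe", "7zfm.exe")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(event: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Score one process-creation event; returns (suspicious, reasons)."""
    if _basename(event["image"]) != "certutil.exe":
        return False, []
    # Tokenise a Windows command line, keeping quoted paths whole.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event["cmdline"])]
    flags = {t.lstrip("-/").lower() for t in tokens[1:] if t[:1] in ("-", "/")}
    args = [t for t in tokens[1:] if t[:1] not in ("-", "/")]
    reasons: List[str] = []
    if flags & {"decode", "decodehex"}:
        src = args[0].lower() if args else ""
        dst = args[1].lower() if len(args) > 1 else ""
        if dst.endswith(EXEC_EXTS):
            reasons.append(f"decode target is executable: {dst}")
        if src and not src.endswith(BENIGN_SRC_EXTS):
            reasons.append(f"decode source is not a certificate/base64 file: {src}")
        if "\\temp\\" in dst or "\\appdata\\" in dst:
            reasons.append("decode target written under Temp/AppData")
    parent = _basename(event.get("parent", ""))
    if reasons and parent in CHAIN_PARENTS:
        reasons.append(f"spawned by script host or archive tool: {parent}")
    return bool(reasons), reasons

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that trips the heuristics."""
    scored = ((i, *analyze_event(ev)) for i, ev in enumerate(events))
    return [(i, reasons) for i, suspicious, reasons in scored if suspicious]

# Constructed sample telemetry (Sysmon-style fields), not from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode C:\Users\ana\Documents\cert.b64 C:\Users\ana\Documents\cert.cer'},
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode "C:\Users\ana\AppData\Local\Temp\Rar$DIa\invoice.cer" "C:\Users\ana\AppData\Local\Temp\update.exe"'},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\ProgramData\x.dat C:\ProgramData\x.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\root.cer"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the two decode-to-executable events; the benign base64-to-.cer decode and the `-verify` call pass clean, which is the false-positive check to keep when tuning these heuristics against real telemetry.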
