
Banking Trojan Mispadu Linked to 20 Spam Campaigns Across Latin America

Security researchers have uncovered a series of spam campaigns that have been targeting victims in multiple Latin American countries since August 2022. The campaigns, which have affected individuals in Chile, Mexico, Peru, and Portugal, all share a common trait. They use a banking trojan called Mispadu to steal login credentials and distribute additional malicious payloads.

Analysis of the campaigns

The attackers send a fake overdue invoice as an HTML page or a password-protected PDF file via a spam email and lure the victim into opening it.
  • Opening the attachment leads to a heavily obfuscated file that first checks that it was opened on a desktop device and then redirects the victim to a remote server to download the first-stage malware.
  • The first-stage malware arrives as a ZIP or RAR archive which, when launched, uses rogue digital certificates to execute the malware via certutil. The archive contains two fake certificates, a Mispadu variant, and an AutoIt installer.
  • WMIC is used to run the AutoIt installer that further decodes and executes the trojan.
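The certutil and WMIC steps above are the parts of this chain a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Metabase Q, of simple rule logic run over constructed Sysmon-style events; the `-decode` switch, the AutoIt file names and the WmiPrvSE.exe parent are assumptions about how the described chain would appear in logs, not indicators taken from the article.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # full path of the created process
    cmdline: str  # command line as logged

# Heuristics (assumed, not from the article):
# R1: certutil decoding a "certificate" file (how certutil is commonly abused
#     to turn a fake certificate into an executable payload).
# R2: wmic.exe asked to create an AutoIt process.
# R3: an AutoIt binary or .a3x script spawned under the WMI provider host,
#     which is where "wmic process call create" children normally appear.
CERTUTIL_DECODE = re.compile(r"(?:^|\s)[-/]decode(?:hex)?\b", re.I)
WMIC_CREATE = re.compile(r"process\s+call\s+create\b", re.I)
AUTOIT = re.compile(r"autoit|\.a3x\b", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_rules(ev: ProcEvent) -> list[str]:
    hits = []
    img = basename(ev.image)
    if img == "certutil.exe" and CERTUTIL_DECODE.search(ev.cmdline):
        hits.append("R1 certutil-decode")
    if img == "wmic.exe" and WMIC_CREATE.search(ev.cmdline) and AUTOIT.search(ev.cmdline):
        hits.append("R2 wmic-launches-autoit")
    if basename(ev.parent) == "wmiprvse.exe" and AUTOIT.search(img + " " + ev.cmdline):
        hits.append("R3 autoit-spawned-via-wmi")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, rule hits) for every event that matches a rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_rules(ev))]

# Constructed sample events; paths and file names are invented for the demo.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -decode factura.crt factura.zip"),          # R1
    ProcEvent("cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -verify vendor.cer"),                         # benign
    ProcEvent("cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process call create "C:\Users\Public\AutoIt3.exe C:\Users\Public\inst.a3x"'),  # R2
    ProcEvent("cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption"),                                 # benign
    ProcEvent("WmiPrvSE.exe", r"C:\Users\Public\AutoIt3.exe",
              r"C:\Users\Public\AutoIt3.exe C:\Users\Public\inst.a3x"),  # R3
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", ", ".join(hits))
```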

Trojan functionalities

Mispadu gathers the list of antivirus solutions installed on the compromised host, steals Google Chrome and Microsoft Outlook credentials, and submits the collected data to its C2 servers.
  • The malware infections successfully bypass a number of security vendors, including Microsoft Defender, Avast Total Security, Cisco Secure Endpoint, F-Secure, FortiClient, Kaspersky, Malwarebytes, McAfee Anti-Virus, and AVG Antivirus.
  • It facilitates the retrieval of additional malware, the first one being an obfuscated VBS dropper that serves to download another payload from a hard-coded domain.
  • The second payload is a .NET-based remote administration tool that can run commands issued by an actor-controlled server, and the third one is a Rust-based loader that executes a PowerShell loader to run files directly from memory.
  • Furthermore, it utilizes malicious overlay screens to steal sensitive information and credentials associated with online banking portals.

Campaign statistics

According to an analysis of Mispadu’s eight C2 servers by Metabase Q researchers, 90,518 credentials were stolen from a total of 17,595 unique websites.
  • Among the affected sites were a number of government websites in Chile (105), Mexico (431), and Peru (265).
  • Most of the websites belonged to online banking, schools, government services, social media, gaming, e-commerce, public repositories, and retail services.

Conclusion

Mispadu operators are constantly launching spam campaigns with different layers of obfuscation, new techniques, and a multi-stage infection strategy to make detection harder. Users are therefore advised never to open links or download attachments from unverified and untrusted email sources, to look for red flags, and to use security solutions to prevent such threats.
Cyware Publisher