The Mispadu banking trojan, initially focused on Latin America, has broadened its reach to Europe, employing phishing emails and malicious URLs to pilfer credentials. Despite its expansion, Mexico remains a primary target, with thousands of credentials stolen since April 2023. The infection process involves multiple stages, notably beginning with phishing emails masquerading as invoice notifications with PDF attachments, which trigger downloads of ZIP files containing the malicious payload.
Upon execution, the malware employs VB scripts, delivered through MSI or HTA files, to communicate with a command-and-control server for subsequent payloads. These scripts run in memory, conduct system checks to evade detection, and download obfuscated files that decrypt the final Mispadu payload. The injection of malicious code into legitimate Windows processes further obscures detection, as the trojan uses tools like WebBrowserPassView and MailPassView to harvest passwords from browsers and email clients.
The injected malware enables Mispadu to target over 200 services for credential theft, uploading stolen data to a command-and-control server in two parts: first, email client credentials and browser passwords, and second, a list of harvested email addresses. This stolen information may be used to orchestrate further phishing attacks. Mispadu’s evolution highlights the sophistication of modern cyber threats and the importance of robust cybersecurity measures to protect against credential theft and data breaches.
