| Mispadu | |
|---|---|
| Additional Names | URSA |
| Type of Malware | Banking Trojan |
| Country of Origin | Latin America |
| Date of initial activity | 2019 |
| Associated Groups | Malteiro |
| Targeted Countries | Bolivia, Chile, Mexico, Argentina, Ecuador, Peru, Colombia, Paraguay, Costa Rica, Brazil, Spain, Italy, and Portugal |
| Motivation | Monetary and credential theft |
| Attack vectors | Two distribution methods: spam and malvertising |
| Targeted systems | Windows |
Overview
According to ESET Research, Mispadu is an ambitious Latin American banking trojan that uses malvertising themed around McDonald’s discount coupons and extends its reach into web browsers. It targets the general public, and its main goals are monetary and credential theft. In Brazil, ESET has seen it distribute a malicious Google Chrome extension that attempts to steal credit card and online banking data and that compromises the Boleto payment system.
Targets
General public.
Techniques Used
The Mispadu banking trojan, written in Delphi, uses fake pop-up windows to trick victims into entering sensitive data. Its backdoor functionality also lets it capture screenshots, simulate mouse and keyboard input, and log keystrokes. Notably, the trojan can update itself by downloading and executing a Visual Basic Script (VBS) file.
As with the other Latin American banking trojans, Mispadu also collects information about its victims, namely:
- OS version
- computer name
- language ID
- whether Diebold Warsaw GAS Tecnologia (an application popular in Brazil that protects access to online banking) is installed
- list of installed common Latin American banking applications
- list of installed security products
Mispadu uses a proprietary cryptographic algorithm to encrypt the strings in its code, its configuration files and its command-and-control (C&C) communications. The same algorithm appears in every component of the malware, which makes it a useful identifying hallmark while also helping the trojan evade detection.
The banking trojan executable carries four potentially unwanted applications in its resource section. These are otherwise legitimate NirSoft utilities, but they have been patched to run from the command line without a GUI. The malware uses them to extract stored credentials from:
- browsers (Google Chrome, Mozilla Firefox, Internet Explorer), and
- email clients (Microsoft Outlook, Mozilla Thunderbird, and Windows Live Mail, among others).
Mispadu also monitors the content of the clipboard and tries to replace any bitcoin wallet address it finds with one of its own.
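The clipboard behaviour described above is the classic "clipper" pattern: a wallet address the user just copied is silently rewritten to a different address a fraction of a second later. The following detector is an added example written for this page (not ESET's or the malware's code); it runs a swap-timing heuristic over a constructed log of clipboard changes, and both addresses are made-up strings that merely match the address pattern.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper looks for: legacy Base58 (prefix 1 or 3) and bech32 (bc1...).
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b"
)
SWAP_WINDOW_S = 2.0  # a clipper overwrites the clipboard almost immediately after the user copies


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float   # seconds since monitoring started
    text: str   # clipboard content after the change


def extract_address(text):
    """Return the bitcoin address contained in the clipboard text, or None."""
    match = BTC_ADDRESS.search(text)
    return match.group(0) if match else None


def detect_address_swaps(events, window=SWAP_WINDOW_S):
    """Flag consecutive clipboard changes where one bitcoin address is replaced
    by a *different* address within `window` seconds; returns
    (original, replacement, delay_seconds) tuples."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        old, new = extract_address(prev.text), extract_address(cur.text)
        delay = cur.ts - prev.ts
        if old and new and old != new and 0 <= delay <= window:
            swaps.append((old, new, delay))
    return swaps


# Constructed sample data: both addresses are made-up strings that only match the
# address pattern; they are not real wallets or indicators from the report.
VICTIM_ADDR = "1VictimWa11etConstructedSampABCDEFG"
SWAPPED_ADDR = "3AttackerSwapConstructedSampABCDEFG"
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice 4471"),
    ClipboardEvent(5.0, VICTIM_ADDR),    # user copies the payee's address
    ClipboardEvent(5.3, SWAPPED_ADDR),   # clipboard rewritten 300 ms later: clipper behaviour
    ClipboardEvent(40.0, "meeting notes"),
    ClipboardEvent(60.0, VICTIM_ADDR),
    ClipboardEvent(70.0, SWAPPED_ADDR),  # 10 s apart: plausibly a deliberate copy, not flagged
]

if __name__ == "__main__":
    for old, new, delay in detect_address_swaps(SAMPLE_EVENTS):
        print(f"possible clipper swap after {delay:.1f}s: {old} -> {new}")
```

In a real deployment the events would come from a clipboard-change hook; the heuristic only needs the timestamp and new content of each change.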
The threat actor ran sponsored ads on Facebook that sent users to a counterfeit website when clicked. Regardless of the visitor’s operating system, the site prompts them to click a button that downloads a ZIP file containing an MSI installer.
This installer runs a chain of Visual Basic Scripts (VBS) that ends in a loader, which verifies the victim’s location, sets up the configuration files, connects to a command-and-control (C2) server and downloads the banking trojan.
The threat actors host the malicious payloads on the Russian service Yandex.Mail, most likely by sending themselves an email with the malicious coupon as an attachment. They then redirect potential victims to a direct link to that attachment, which distributes the trojan.
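The infection chain described here (MSI installer, a sequence of VBS scripts, an injector launched through rundll32.exe, and a shortcut dropped in the Startup folder for persistence) leaves a recognizable parent-child trail in endpoint telemetry. The detection logic below is an added example for this page, not code from the report or from ESET; it assumes Sysmon-style process-creation and file-creation records, and every path and file name in the sample data is a constructed placeholder rather than an indicator from the campaign.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Startup-folder shortcut (T1060): ...\Start Menu\Programs\Startup\<name>.lnk
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:  # Sysmon event ID 1 style process creation
    pid: int
    ppid: int
    image: str
    cmdline: str

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_mispadu_chain(procs, files):
    """Return (rule, pid) alerts; `files` is a list of (pid, created_path) tuples."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        pname, cname = image_name(parent.image), image_name(p.image)
        if pname == "msiexec.exe" and cname in SCRIPT_HOSTS and ".vbs" in p.cmdline.lower():
            alerts.append(("vbs_spawned_by_msi", p.pid))          # T1064: installer starts the VBS chain
        if pname in SCRIPT_HOSTS and cname == "rundll32.exe":
            alerts.append(("rundll32_spawned_by_script", p.pid))  # T1085: script host launches the injector
    chain_pids = {p.pid for p in procs if image_name(p.image) in SCRIPT_HOSTS | {"rundll32.exe"}}
    for pid, path in files:
        if pid in chain_pids and STARTUP_LNK.search(path):
            alerts.append(("startup_lnk_by_chain", pid))          # T1060: persistence via Startup folder
    return alerts

# Constructed telemetry: paths and file names are placeholders, not indicators from the report.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_PROCS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 900, r"C:\Windows\System32\msiexec.exe", rf"msiexec.exe /i {TMP}\coupon.msi"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\wscript.exe", rf'wscript.exe "{TMP}\stage1.vbs"'),
    ProcEvent(4130, 4120, r"C:\Windows\System32\wscript.exe", rf'wscript.exe "{TMP}\stage2.vbs"'),
    ProcEvent(4150, 4130, r"C:\Windows\System32\rundll32.exe", rf"rundll32.exe {TMP}\injector.dll,Entry"),
    ProcEvent(5000, 900, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign sibling, not flagged
]
SAMPLE_FILES = [
    (4130, r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    (5000, r"C:\Users\victim\Documents\notes.txt"),
]
```

Each rule alone fires on some legitimate software; the value is in correlating the three on one host within a short window, which is what the shared `chain_pids` set enables.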
MITRE ATT&CK techniques used by Mispadu
Initial Access
- Spearphishing Link (T1192): In Mispadu spam campaigns, the victim is led to the payload by a malicious link.
Execution
- Rundll32 (T1085): The Mispadu banking trojan is executed by an injector that is run via rundll32.exe.
Persistence
- Browser Extensions (T1176): The Mispadu variant targeting Brazil uses a Google Chrome browser extension.
- Registry Run Keys / Startup Folder (T1060): Mispadu ensures persistence by creating a link in the startup folder.
Defense Evasion
- Deobfuscate/Decode Files or Information (T1140): Mispadu uses encoded configuration files.
- Masquerading (T1036): Mispadu masquerades as a discount coupon.
- Scripting (T1064): Mispadu utilizes VBS exclusively in its distribution chains.
Credential Access
- Input Capture (T1056): Mispadu can run a keylogger, and its Google Chrome extension tries to steal sensitive information by capturing user input.
- Credentials in Files (T1081): Mispadu uses other tools to extract credentials for email clients and web browsers from files.
- Credentials in Registry (T1214): Mispadu uses other tools to extract credentials for email clients and web browsers from the Windows Registry.
Discovery
- File and Directory Discovery (T1083): Mispadu searches for various filesystem paths in order to determine what applications are installed on the victim’s machine.
- Process Discovery (T1057): Mispadu searches for various process names in order to determine what applications are running on the victim’s machine.
- Security Software Discovery (T1063): Mispadu scans the system for installed security software.
- System Information Discovery (T1082): Mispadu extracts the version of the operating system, computer name and language ID.
Collection
- Clipboard Data (T1115): Mispadu captures and replaces bitcoin wallets in the clipboard.
- Screen Capture (T1113): Mispadu contains a command to take screenshots.
Command and Control
- Custom Cryptographic Protocol (T1024): Mispadu uses a custom cryptographic protocol to protect its data.
Exfiltration
- Exfiltration Over Command and Control Channel (T1041): Mispadu sends the data it collects to its C&C server.
Significant Malware Campaigns
- Fake discount coupons for McDonald’s on Facebook (November 2019)
- The emergent URSA trojan impacts many countries (September 2020)
- Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen (March 2023)
- Windows SmartScreen bug targeted by new Mispadu trojan variant (February 2024)
References:
- Mispadu: Advertisement for a discounted Unhappy Meal
- Mispadu Banking Trojan Resurfaces
- URSA trojan is back with a new dance
- Breaking Boundaries: Mispadu’s Infiltration Beyond LATAM