Mispadu Stealer, also known as Ursa, has resurfaced in a malspam campaign, specifically targeting users whose systems are set to Spanish or Portuguese. This tactic aims to increase infection rates in specific regions, taking advantage of familiar language cues to prompt unsuspecting users to download malicious files. The initial infection vector is a phishing email disguised as an overdue invoice, a strategy commonly used to induce urgency and increase the likelihood of user interaction.
Upon opening the email, victims are directed to download a ZIP file containing an MSI installer embedded with multiple layers of obfuscated VBScript. This script is designed to evade detection and complicate analysis, ensuring the malware remains hidden within the system. The VBScript then proceeds to unpack additional components, ultimately executing an AutoIT-based Loader/Injector that further expands the malware’s reach within the infected environment.
The AutoIT Loader begins by collecting specific OS version details, which helps the malware adapt its behavior to suit the victim’s system configuration. The information gathering serves multiple purposes, including ensuring compatibility with the targeted OS and determining additional system vulnerabilities. By tailoring its approach, the malware maximizes its potential for persistence and avoids drawing attention from security software.
Throughout the infection, Mispadu uses both file-based and web-based techniques to carry out its payload delivery and data extraction. Detection tools have flagged various signatures, such as Scr.Malcode!gen and Trojan.Gen.NPE, which indicate the presence of general threats and malicious web activity. This approach makes Mispadu a particularly evasive threat, capitalizing on social engineering and advanced obfuscation to remain undetected while continuing to steal sensitive data from targeted systems.
Reference: