Latin American cybersecurity firm Metabase Q has reported that a banking trojan called Mispadu has been linked to multiple spam campaigns in countries such as Bolivia, Chile, Mexico, Peru, and Portugal.
Mispadu, also known as URSA, was first documented by ESET in November 2019 and can perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.
The trojan has also been found to share similarities with other banking trojans targeting the region, like Grandoreiro, Javali, and Lampion.
The hackers use various techniques to infect devices and steal data, one of which involves compromising legitimate websites to turn them into their command-and-control server to spread malware.
They filter out countries they do not wish to infect and drop different types of malware based on the country being infected. The attack chains involving the Delphi malware leverage email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process.
Mispadu can gather the list of antivirus solutions installed on the compromised host, siphon credentials from Google Chrome and Microsoft Outlook, and facilitate the retrieval of additional malware.
This includes an obfuscated Visual Basic Script dropper that serves to download another payload from a hard-coded domain, a .NET-based remote access tool that can run commands issued by an actor-controlled server, and a loader written in Rust that executes a PowerShell loader to run files directly from memory. Additionally, the malware uses malicious overlay screens to obtain credentials associated with online banking portals and other sensitive information.
According to Metabase Q, the certutil approach has allowed Mispadu to bypass detection by a wide range of security software and harvest over 90,000 bank account credentials from over 17,500 unique websites.
The researchers recommend that users keep their antivirus software updated, avoid clicking on suspicious links or attachments, and enable two-factor authentication to help protect their data.
