Mispadu expands its area of activity: the virtual invader is already at the European gates

Father

A banking Trojan from Latin America attacks Italy, Poland, and Sweden.

The Mispadu banking Trojan, previously known for attacks in Latin America and on Spanish-speaking users, is now targeting residents of Italy, Poland, and Sweden. According to the research company Morphisec, the campaign targets organizations in the financial sector, services, automobile manufacturing, law firms and commercial institutions.

Despite the expanded geography of the attacks, the attackers' main target remains Mexico. "The campaign has resulted in the theft of thousands of credentials since April 2023. Attackers use this data to organize fraudulent phishing mailings that pose a significant threat to recipients," says security researcher Arnold Osipov.

The Mispadu trojan was first detected in 2019 during attacks on financial institutions in Brazil and Mexico, where fake pop-ups were used to steal credentials. The malware, written in Delphi, is also capable of taking screenshots and intercepting keystrokes.

The Trojan's main distribution methods are phishing mailings and exploitation of the Windows SmartScreen bypass vulnerability (CVE-2023-36025, CVSS score 8.8), which allowed it to infect users in Mexico.

Mispadu attacks follow a multi-stage infection scheme that begins with PDF attachments in invoice-themed emails. Opening such an attachment prompts the victim to click a malicious link to download the "full version" of the invoice, which delivers a ZIP archive. The archive contains either an MSI installer or an HTA script that starts downloading and executing malicious code through a series of VBScript and AutoIt scripts, after decryption and injection into memory.

"Before loading and calling the next stage, the script performs several checks for a virtual machine, including querying the computer model, manufacturer, and BIOS version and comparing them with the data associated with virtual machines," Osipov said.

In addition, Mispadu attacks use two different C2 servers: one for serving the intermediate and final payload stages, and the other for exfiltrating credentials stolen from more than 200 services. According to the researchers, the exfiltration server currently stores more than 60,000 files.

The expansion of the scope of the Mispadu banking Trojan underscores the importance of global vigilance and joint efforts in the fight against cybercrime. Modern technologies provide attackers with new opportunities for attacks, requiring users and organizations to constantly update their knowledge in the field of cybersecurity and apply effective protection tools.
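The infection chain and virtual-machine checks described above can be hunted for in endpoint telemetry. The following is an added example, not code from the Morphisec report or from the original post: it scans constructed process-creation events for the HTA/MSI to VBScript to AutoIt parent-child chain and for hardware-identity queries (model, manufacturer, BIOS version) issued from a script host. The process names (mshta.exe, msiexec.exe, wscript.exe, AutoIt3.exe, wmic.exe) and the log layout are assumptions about how such a chain would appear, not details taken from the page.

```python
import re

# Constructed sample events (not real telemetry); assumed Sysmon-like fields.
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "AcroRd32.exe", "cmdline": "AcroRd32.exe factura_2023.pdf"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\factura.hta"},
    {"parent": "mshta.exe", "image": "wscript.exe", "cmdline": "wscript.exe //B C:\\Temp\\stage1.vbs"},
    {"parent": "wscript.exe", "image": "wmic.exe", "cmdline": "wmic computersystem get model,manufacturer"},
    {"parent": "wscript.exe", "image": "wmic.exe", "cmdline": "wmic bios get version"},
    {"parent": "wscript.exe", "image": "AutoIt3.exe", "cmdline": "AutoIt3.exe C:\\Temp\\stage2.a3x"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Assumed process names for each stage the article describes.
STAGE0 = {"mshta.exe", "msiexec.exe"}        # HTA script or MSI installer from the ZIP
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # VBScript stages
FINAL_STAGE = {"autoit3.exe"}                  # AutoIt stage

# Queries for computer model, manufacturer or BIOS version (WMIC or WMI class names).
VM_PROBE = re.compile(
    r"computersystem\s+get\s+.*(model|manufacturer)|bios\s+get\s+.*version"
    r"|win32_computersystem|win32_bios", re.I)


def find_script_chain(events):
    """Return (label, 'parent -> child') pairs for each observed link of the chain."""
    findings = []
    for e in events:
        parent, image = e["parent"].lower(), e["image"].lower()
        if parent in STAGE0 and image in SCRIPT_HOSTS:
            findings.append(("stage0->vbscript", f"{parent} -> {image}"))
        if parent in SCRIPT_HOSTS and image in FINAL_STAGE:
            findings.append(("vbscript->autoit", f"{parent} -> {image}"))
    return findings


def find_vm_probes(events):
    """Return command lines of hardware-identity queries launched by a script host."""
    return [e["cmdline"] for e in events
            if e["parent"].lower() in SCRIPT_HOSTS and VM_PROBE.search(e["cmdline"])]


def score(events):
    """Flag the host when both chain links and at least one VM probe are present."""
    chain, probes = find_script_chain(events), find_vm_probes(events)
    return {"chain": chain, "vm_probes": probes,
            "suspicious": len(chain) >= 2 and len(probes) >= 1}


if __name__ == "__main__":
    print(score(SAMPLE_EVENTS))
```

A single link or a lone WMIC query is common in benign administration, so the verdict requires the full chain plus a probe; tune the thresholds to your environment's baseline.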