Global Expansion of Mispadu Malware: A Rising Threat to Cybersecurity
Charles M. Walls | April 3, 2024
The notorious banking malware Mispadu, which initially targeted Latin America and Spanish speakers, has widened its net to include Italy, Poland, and Sweden. The shift reflects an ongoing campaign affecting a diverse range of sectors, including finance, automotive manufacturing, legal firms, and retail, as highlighted by cybersecurity researchers at Morphisec.
Arnold Osipov, a security researcher with Morphisec, revealed, "Mexico continues to be the primary focus of these attacks." He further noted that the campaign has compromised thousands of user credentials since April 2023, with attackers using these stolen details to launch sophisticated phishing schemes, significantly elevating the risk for those targeted.
First detected in 2019, Mispadu, also known as URSA, is infamous for its attacks on financial institutions in Brazil and Mexico, where it tricks users with fraudulent pop-up windows. Built in Delphi, the malware can take screenshots and log keystrokes, making it particularly dangerous.
Recent attacks have used spam emails to distribute the malware, exploiting a since-patched vulnerability in Windows SmartScreen (CVE-2023-36025) to target Mexican users. Morphisec's in-depth analysis reveals a multi-stage infection chain that begins with a seemingly innocent PDF attached to an invoice-themed email. The PDF lures recipients into downloading a ZIP file that harbors the malware, delivered either through an MSI installer or an HTA script. The HTA script pulls a VBScript from a remote server, which in turn retrieves and launches the Mispadu payload.
Osipov explained, "This script uses advanced obfuscation techniques and a decryption algorithm previously identified in the malware's DLL." He added that the script conducts thorough checks to avoid detection by virtual machines before proceeding to the next attack stage.
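The chain described above (a ZIP opened from an invoice-themed email, an HTA or MSI run out of the extracted archive, and the HTA handing off to a VBScript host) leaves a recognisable pattern in process-creation telemetry. The following detection sketch is an added example, not code from Morphisec or from the article; it runs over constructed sample events whose field layout (`parent=... child=... cmd="..."`) is an assumption of this example rather than any real collector's format.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each line is a simplified
# "parent -> child" record with the child's command line; the layout is assumed for this example.
SAMPLE_EVENTS = [
    'parent=outlook.exe child=acrord32.exe cmd="AcroRd32.exe C:\\Users\\u\\Downloads\\factura.pdf"',
    'parent=explorer.exe child=mshta.exe cmd="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_factura.zip\\factura.hta"',
    'parent=mshta.exe child=wscript.exe cmd="wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs"',
    'parent=explorer.exe child=msiexec.exe cmd="msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_factura.zip\\setup.msi /qn"',
    'parent=services.exe child=msiexec.exe cmd="msiexec.exe /V"',
    'parent=explorer.exe child=notepad.exe cmd="notepad.exe C:\\Users\\u\\notes.txt"',
]

EVENT_RE = re.compile(r'parent=(?P<parent>\S+) child=(?P<child>\S+) cmd="(?P<cmd>.*)"')

# Hosts that run the HTA / VBScript stages described in the article.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# What mshta.exe would hand off to when the HTA fetches and runs a second-stage script.
HANDOFF_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Path fragment Windows Explorer uses when a file is opened straight out of a ZIP (Temp1_<name>.zip).
ZIP_EXTRACT_RE = re.compile(r'\\Temp\\Temp1_[^\\]+\.zip\\', re.IGNORECASE)


def parse_event(line):
    """Return (parent, child, cmd) or None if the line does not match the expected layout."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("parent").lower(), m.group("child").lower(), m.group("cmd")


def detect_stages(lines):
    """Flag events consistent with the PDF -> ZIP -> HTA/MSI -> VBScript chain.

    Returns a list of (child, reason) tuples in event order; benign rows produce nothing."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the whole scan
        parent, child, cmd = parsed
        # Stage 1: an HTA or MSI executed directly from the ZIP-extraction folder.
        if child in SCRIPT_HOSTS | {"msiexec.exe"} and ZIP_EXTRACT_RE.search(cmd):
            findings.append((child, "launched from ZIP extraction folder"))
        # Stage 2: mshta.exe spawning a script host (the HTA pulling and running VBScript).
        if parent == "mshta.exe" and child in HANDOFF_HOSTS:
            findings.append((child, "spawned by mshta.exe"))
    return findings


if __name__ == "__main__":
    for child, reason in detect_stages(SAMPLE_EVENTS):
        print(f"ALERT {child}: {reason}")
```

The plain msiexec.exe and notepad.exe rows are left alone, which is the point: the signal is the combination of a script/installer host with the ZIP-extraction path or the mshta.exe parent, not the host process on its own.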
The Mispadu attack structure also involves two command-and-control servers, which serve different roles in deploying the malware and in harvesting credentials from over 200 services. At the time of the report, the server held upwards of 60,000 compromised files.
In related cybersecurity news, the DFIR Report recently uncovered a February 2023 cyber intrusion involving the misuse of malicious Microsoft OneNote files to deploy various malware, highlighting ongoing threats in the digital landscape. Additionally, Microsoft's proactive measures against OneNote malware exploitation and Proofpoint's discovery of malware dissemination through cracked game tutorials on YouTube underscore the evolving tactics of cybercriminals targeting individual users.
Isaac Shaughnessy of Proofpoint shed light on this trend, pointing out that some YouTube channels are seemingly using software cracks to spread malware, including Lumma Stealer, Stealc, and Vidar, under the guise of free game upgrades or software downloads. While some of this activity stems from hijacked accounts, there is growing concern over the creation of disposable accounts specifically for spreading malware.
Shaughnessy elaborated on the operation's sophistication, noting the strategic use of video descriptions and of instructions telling viewers to disable antivirus software in order to bypass security measures. This highlights an urgent need for vigilance among users and underscores the continuous battle against cyber threats in our increasingly connected world.