Mispadu Trojan Targets Europe, Compromises Thousands of Credentials


The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden.

According to Morphisec, targets of the ongoing campaign include entities spanning finance, services, automotive manufacturing, law firms and commercial facilities.

“Despite the geographic expansion, Mexico remains the primary target,” security researcher Arnold Osipov said in a report published last week.

“The campaign resulted in the theft of thousands of credentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious phishing emails, posing a significant threat to recipients.”

Mispadu, also called URSA, came to light in 2019, when it was observed carrying out credential theft activities against financial institutions in Brazil and Mexico by displaying fake pop-up windows. The Delphi-based malware is also capable of taking screenshots and capturing keystrokes.

Typically distributed via spam emails, recent attack chains exploited a now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS score: 8.8) to compromise users in Mexico.


The infection sequence analyzed by Morphisec is a multi-step process that begins with a PDF attachment in invoice-themed emails. When opened, the PDF prompts the recipient to click on a malicious link to download the full invoice, which results in the download of a ZIP archive.

The ZIP contains an MSI installer or HTA script responsible for retrieving and running a Visual Basic script (VBScript) from a remote server. That script, in turn, downloads a second VBScript, which ultimately downloads and launches the Mispadu payload using an AutoIT script, but not before the payload has been decrypted and injected into memory via a loader.
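As an added illustration of the delivery chain above (this is not code from the Morphisec report), the routine below flags a process lineage of MSI/HTA host, followed by one or more Windows Script Host processes, followed by the AutoIt interpreter, over constructed process-creation telemetry. The executable names, the record fields (`pid`, `ppid`, `image`) and the assumption that each stage spawns the next as a child process are mine, not from the article.

```python
from typing import Dict, List

# Executable names assumed for each stage of the chain (lower-cased basenames).
DROPPERS = {"msiexec.exe", "mshta.exe"}        # MSI installer or HTA from the ZIP
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts running the first/second VBScript
LOADER = {"autoit3.exe"}                       # AutoIt interpreter running the loader script


def lineage(events: Dict[int, dict], pid: int) -> List[str]:
    """Walk parent links from pid to the root; return image basenames, root first."""
    chain, seen = [], set()
    while pid in events and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(events[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = events[pid]["ppid"]
    return chain[::-1]


def matches_chain(chain: List[str]) -> bool:
    """True if the lineage ends dropper -> one or more script hosts -> AutoIt."""
    if not chain or chain[-1] not in LOADER:
        return False
    i = len(chain) - 2
    while i >= 0 and chain[i] in SCRIPT_HOSTS:  # skip back over the VBScript stages
        i -= 1
    # Need at least one script host between the dropper and the loader.
    return 0 <= i < len(chain) - 2 and chain[i] in DROPPERS


def find_suspicious_chains(event_list: List[dict]) -> List[List[str]]:
    """Return every process lineage in the telemetry that matches the chain."""
    events = {e["pid"]: e for e in event_list}
    hits = []
    for e in event_list:
        chain = lineage(events, e["pid"])
        if matches_chain(chain):
            hits.append(chain)
    return hits


# Constructed sample telemetry: one lineage mimicking the chain, one benign logon script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\AutoIt3.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe"},
]

if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print("suspicious lineage:", " -> ".join(chain))
```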

“This [second] script is heavily obfuscated and uses the same decryption algorithm mentioned in the DLL,” Osipov said.

“Before downloading and invoking the next step, the script performs several Anti-VM checks, including querying the computer’s model, manufacturer, and BIOS version, and comparing them to those associated with virtual machines.”

Mispadu attacks are also characterized by the use of two distinct command-and-control (C2) servers, one to retrieve mid- and final-stage payloads and another to exfiltrate stolen credentials from over 200 services. There are currently more than 60,000 files on the server.

The development comes as The DFIR Report details a February 2023 intrusion that involved the abuse of malicious Microsoft OneNote files to deploy IcedID, which was then used to drop Cobalt Strike, AnyDesk and Nokoyawa ransomware.

Microsoft, exactly one year ago, announced that it would begin blocking 120 extensions embedded in OneNote files to prevent their abuse for malware distribution.

YouTube videos related to game cracks serve malware

The findings also come as enterprise security firm Proofpoint said several YouTube channels promoting cracked and pirated video games are acting as a conduit to deliver information stealers such as Lumma Stealer, Stealc and Vidar by adding malicious links to video descriptions.


“The videos purport to show the end user how to do things like download software or update video games for free, but the link in the video descriptions leads to malware,” security researcher Isaac Shaughnessy said in an analysis published today.

There is evidence to suggest that such videos are posted from compromised accounts, but there is also the possibility that the threat actors behind the operation created short-lived accounts for dissemination purposes.

All videos include Discord and MediaFire URLs that point to password-protected archives which ultimately lead to the distribution of the stealer malware.

Proofpoint said it has identified multiple distinct activity clusters propagating stealers via YouTube with the goal of targeting non-enterprise users. The campaign was not attributed to a single actor or threat group.

“The techniques used are similar, however, including using video descriptions to host URLs that lead to malicious payloads and providing instructions on how to disable antivirus and use similarly sized files with bloat to attempt to bypass detections,” Shaughnessy said.
