Mispadu Trojan Strikes Europe, Exposing Thousands of Credentials

In a notable expansion of its operations, the banking trojan known as Mispadu has shifted its attention from its initial focus on Latin America to include targets in Italy, Poland, and Sweden. Initially identified in 2019, Mispadu has evolved into a significant threat, particularly against sectors including finance, law, motor vehicle manufacturing, and various services, as reported by cybersecurity firm Morphisec.

According to security researcher Arnold Osipov, while the malware now addresses a broader audience, Mexico remains its primary target. The ongoing campaign has resulted in the theft of thousands of user credentials, some dating back to April 2023. Mispadu’s operators exploit these credentials to craft persuasive phishing emails, amplifying the risks posed to recipients and their sensitive information.

Mispadu, which has also been referred to as URSA, initially gained notoriety for its credential theft tactics aimed at financial institutions in Brazil and Mexico. The malware is written in Delphi and has capabilities that include taking screenshots and logging keystrokes. It typically enters systems via spam emails, but recent attack campaigns have taken advantage of a now-patched Windows security flaw (CVE-2023-36025, CVSS score: 8.8) to compromise users, particularly in Mexico.

In a detailed analysis, Morphisec outlined the infection chain of the Mispadu malware. It begins with a PDF attachment in invoice-themed emails. When opened, the attachment prompts the user to click on a compromised link, which downloads a ZIP archive. This archive may contain an MSI installer or an HTA script that fetches and executes a Visual Basic Script (VBScript) from a remote location. This VBScript in turn retrieves a second VBScript that ultimately delivers the Mispadu payload, using an AutoIT script to decrypt and execute it directly in memory.
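The staged chain described above (MSI/HTA loader, one or more script hosts, then AutoIt running the decrypted payload) leaves a distinctive process lineage that defenders can hunt for in endpoint telemetry. The following detection logic is an added example, not code from Morphisec or the original report; the process-creation events are constructed sample data, and the image names used for each stage are assumptions about what such a chain would look like on a Windows host.

```python
# Constructed sample process-creation events (pid, parent pid, image, command line).
# They mimic the chain in the article: HTA -> VBScript -> VBScript -> AutoIt payload.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "AcroRd32.exe", "cmdline": "AcroRd32.exe invoice.pdf"},
    {"pid": 300, "ppid": 100, "image": "mshta.exe",    "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\factura\\run.hta"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",  "cmdline": "wscript.exe //e:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"},
    {"pid": 500, "ppid": 400, "image": "wscript.exe",  "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage2.vbs"},
    {"pid": 600, "ppid": 500, "image": "AutoIt3.exe",  "cmdline": "AutoIt3.exe C:\\Users\\u\\AppData\\Local\\Temp\\loader.a3x"},
    # Benign activity that must not be flagged: a logon script and an admin's own AutoIt tool.
    {"pid": 700, "ppid": 100, "image": "wscript.exe",  "cmdline": "wscript.exe C:\\Scripts\\logon.vbs"},
    {"pid": 800, "ppid": 100, "image": "AutoIt3.exe",  "cmdline": "AutoIt3.exe C:\\Tools\\inventory.au3"},
]

# Assumed image names for each stage of the chain (lower-cased for comparison).
DROPPERS = {"mshta.exe", "msiexec.exe"}          # MSI installer or HTA from the ZIP
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}    # the VBScript stages
FINAL_STAGE = {"autoit3.exe"}                    # AutoIt decrypting and running the payload

def ancestry(events, pid):
    """Return the process lineage (root first) for pid as lower-cased image names."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against malformed/cyclic pid data
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def matches_chain(lineage):
    """True if lineage ends with dropper -> one or more script hosts -> AutoIt."""
    if not lineage or lineage[-1] not in FINAL_STAGE:
        return False
    i, hosts = len(lineage) - 2, 0
    while i >= 0 and lineage[i] in SCRIPT_HOSTS:  # any number of chained VBScript stages
        hosts += 1
        i -= 1
    return hosts >= 1 and i >= 0 and lineage[i] in DROPPERS

def detect(events):
    """Return pids whose ancestry reproduces the staged loader chain."""
    return [e["pid"] for e in events if matches_chain(ancestry(events, e["pid"]))]

if __name__ == "__main__":
    for pid in detect(EVENTS):
        print("suspicious lineage:", " -> ".join(ancestry(EVENTS, pid)))
```

Lineage matching on image names is a hunting heuristic, not a signature: renamed binaries or LOLBins substituted for mshta/wscript will evade it, so pair it with the anti-VM query behaviour and the remote-fetch command lines when tuning a real rule.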

The attack is made harder to analyse by the script’s heavy obfuscation and its anti-VM checks, which compare system attributes such as the computer’s model and manufacturer against known virtual machine configurations. This hampers detection by security tools and sandboxes.

Mispadu’s operational security also involves the deployment of two separate command-and-control (C2) servers. One server is used for delivering intermediate and final payloads, while the other is dedicated to exfiltrating stolen credentials from over 200 services. The exfiltration server is currently reported to host more than 60,000 files containing sensitive data.

The activity surrounding Mispadu coincides with findings from the DFIR Report, which uncovered a related intrusion using compromised Microsoft OneNote files to deploy IcedID, alongside other malicious tools such as Cobalt Strike and AnyDesk. In light of these developments, Microsoft announced measures a year ago to block 120 different file extensions from being embedded within OneNote files to curtail their misuse in malware distributions.

In a related cybersecurity concern, enterprise security firm Proofpoint reported that several YouTube channels promoting cracked and pirated video games serve as conduits for malware distribution. These channels link to malicious software in their descriptions, leading unsuspecting users to download information stealers like Lumma Stealer, Stealc, and Vidar. This indicates a troubling trend where threat actors exploit popular platforms for malicious ends.

As these incidents reveal, businesses must remain vigilant against evolving cybersecurity threats. Utilizing frameworks like the MITRE ATT&CK matrix can aid organizations in understanding and mitigating potential tactics employed by adversaries, including initial access methods and the persistence of such threats in a rapidly changing digital landscape.
