Mispadu Banking Trojan Spreads Across Europe, Compromising Thousands of Credentials

April 3, 2024

The Mispadu banking Trojan, also known as URSA, has expanded its operations from Latin America and Spanish-speaking individuals to include targets in Italy, Poland, and Sweden. The ongoing campaign is affecting a variety of sectors, including finance, services, motor vehicle manufacturing, law firms, and commercial facilities, as reported by Morphisec. Arnold Osipov, a security researcher, noted in a recent report that 'Despite the geographic expansion, Mexico remains the primary target.' He revealed that the campaign has compromised thousands of credentials, some dating back to April 2023. These stolen credentials are used to execute malicious phishing emails, posing a significant risk to those who receive them.

Mispadu was first detected in 2019, conducting credential theft activities targeted at financial institutions in Brazil and Mexico by displaying fake pop-up windows. The Delphi-based malware can also take screenshots and capture keystrokes. It is typically distributed via spam emails, but recent attacks have exploited a now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025) to compromise users in Mexico. The infection process starts with a PDF attachment in invoice-themed emails. When the recipient opens the attachment, they are prompted to click on a booby-trapped link to download the complete invoice, which is actually a ZIP archive. This ZIP file contains either an MSI installer or an HTA script that retrieves and executes a Visual Basic Script (VBScript) from a remote server. This VBScript then downloads a second VBScript that eventually downloads and launches the Mispadu payload using an AutoIT script, but only after it has been decrypted and injected into memory by a loader.
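The staged chain described above (an HTA or MSI launcher, two VBScript stages, then AutoIt) leaves a recognisable parent/child process lineage that defenders can look for in process-creation telemetry. The following Python is an added example, not code from the article or from Morphisec; it assumes the usual Windows host binaries for each stage (mshta.exe or msiexec.exe, wscript.exe or cscript.exe, AutoIt3.exe) and runs over constructed sample events rather than real telemetry.

```python
"""Flag AutoIt processes whose ancestry matches the launcher -> script host -> AutoIt chain."""

# Constructed sample events (hypothetical, not real telemetry). Fields mimic a
# typical Sysmon/EDR process-creation record: pid, parent pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",    "cmd": "mshta.exe C:\\Users\\u\\Downloads\\factura.hta"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",  "cmd": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",  "cmd": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage2.vbs"},
    {"pid": 500, "ppid": 400, "image": "AutoIt3.exe",  "cmd": "AutoIt3.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.au3"},
    {"pid": 600, "ppid": 100, "image": "winword.exe",  "cmd": "winword.exe report.docx"},
]

# Assumed host binaries for each stage of the chain (lowercase for comparison).
LAUNCHERS = {"mshta.exe", "msiexec.exe"}       # HTA or MSI dropped from the ZIP
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # VBScript stages
AUTOIT = {"autoit3.exe"}                       # final AutoIt stage


def ancestry(pid, by_pid):
    """Return image names from pid up to the root (leaf first); stops on unknown or cyclic ppid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event["image"].lower())
        pid = event["ppid"]
    return chain


def find_script_chains(events):
    """Return pids of AutoIt processes with a script host and, further up, an HTA/MSI launcher."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if event["image"].lower() not in AUTOIT:
            continue
        ancestors = ancestry(event["pid"], by_pid)[1:]  # drop the AutoIt process itself
        host_positions = [i for i, img in enumerate(ancestors) if img in SCRIPT_HOSTS]
        if not host_positions:
            continue
        # A launcher must sit above the first script host for the lineage to match the chain.
        if any(img in LAUNCHERS for img in ancestors[host_positions[0] + 1:]):
            hits.append(event["pid"])
    return hits


if __name__ == "__main__":
    print(find_script_chains(SAMPLE_EVENTS))  # -> [500]
```

AutoIt launched directly from a user shell, without the script-host and launcher ancestors, is deliberately not flagged, which keeps legitimate AutoIt automation out of the alert.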

Mispadu attacks are characterized by the use of two distinct command-and-control (C2) servers. One server fetches the intermediate and final-stage payloads, while the other exfiltrates the stolen credentials from over 200 services. There are currently more than 60,000 files on the server. This information comes as the DFIR Report detailed a February 2023 intrusion that involved the misuse of malicious Microsoft OneNote files to drop IcedID, which was then used to drop Cobalt Strike, AnyDesk, and the Nokoyawa ransomware. Microsoft announced a year ago that it would start blocking 120 extensions embedded in OneNote files to prevent its abuse for malware delivery.

Enterprise security firm Proofpoint has reported that several YouTube channels promoting cracked and pirated video games are serving as conduits for delivering information stealers such as Lumma Stealer, Stealc, and Vidar by including malicious links in video descriptions. Isaac Shaughnessy, a security researcher, stated in an analysis published today that 'The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware.' There is evidence to suggest that these videos are posted from compromised accounts, but it is also possible that the threat actors behind the operation have created short-lived accounts for distribution purposes. All the videos include Discord and MediaFire URLs that lead to password-protected archives that ultimately result in the deployment of the stealer malware.
