Mispadu: Dangerous Banking Trojan on European and Latin American Markets
Mispadu – Banking Trojan Rampaging in Europe and Latin America
Morphisec Labs reports a rise in activity related to the banking Trojan Mispadu, also known as URSA. This Trojan, first discovered by ESET in 2019, was initially focused on the LATAM markets and Spanish-speaking users. However, its operations have recently expanded to include European countries as well.
Expansion of the Mispadu Trojan
Despite its geographic expansion, Mexico remains the primary target of the campaign. The attacks have resulted in the theft of thousands of authentication credentials, including records dating back to April 2023. This threat leverages the stolen data to send malicious phishing messages, posing a significant risk to recipients.
Stages of the Mispadu Attack
The Mispadu attack consists of multiple stages: it starts with phishing emails carrying PDF attachments, proceeds through stages that download and execute VBScript files, and ends with the Trojan using NirSoft tools to steal authentication data from web browsers and email clients.
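The stage chain described above (PDF attachment, script host executing a downloaded VBScript, an MSI installer, and finally a credential-recovery utility run against browsers and mail clients) is what a defender would want to see as a process-tree rule. The following is an added detection example written for this page, not code from Morphisec Labs or the report; the process-creation events, the set of PDF reader names, and the user-writable path markers are constructed assumptions, and the rule alerts only when two or more stages hang off the same script-host process so that a lone wscript.exe launch does not fire on its own.

```python
"""Detect a Mispadu-style execution chain over process-creation events.

Constructed example: the events below mimic a subset of Sysmon process-creation
fields (pid, ppid, image, cmdline, user) and are not taken from the report.
"""
import json
from pathlib import PureWindowsPath

# Assumed reader / script-host sets; extend to match the software in your estate.
PDF_READERS = {"acrobat.exe", "acrord32.exe", "foxitreader.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragments that mark user-writable locations a phishing chain drops into.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")

# Constructed sample events (JSON lines). PIDs 4100-4350 form a malicious tree;
# 5000 is a benign admin script; 6000/6010 is a reader spawning one script only.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 3800, "image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "cmdline": "Acrobat.exe invoice.pdf", "user": "CORP\\alice"}
{"pid": 4212, "ppid": 4100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\fact.vbs", "user": "CORP\\alice"}
{"pid": 4300, "ppid": 4212, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\setup.msi /qn", "user": "CORP\\alice"}
{"pid": 4350, "ppid": 4212, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wbpv.exe", "cmdline": "wbpv.exe", "user": "CORP\\alice"}
{"pid": 5000, "ppid": 1200, "image": "C:\\Windows\\System32\\cscript.exe", "cmdline": "cscript.exe C:\\Scripts\\inventory.vbs", "user": "CORP\\svc-admin"}
{"pid": 6000, "ppid": 3800, "image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "cmdline": "Acrobat.exe report.pdf", "user": "CORP\\bob"}
{"pid": 6010, "ppid": 6000, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\bob\\Downloads\\note.vbs", "user": "CORP\\bob"}
"""


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image).name.lower()


def in_user_writable(path_or_cmdline: str) -> bool:
    """True when the text references one of the user-writable path markers."""
    lowered = path_or_cmdline.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def parse_events(text: str) -> list:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_chain(events: list) -> list:
    """Return one finding per script-host process that shows >= 2 chain stages.

    Stages recorded, all keyed by the script host's PID:
      pdf_to_script      PDF reader spawned wscript/cscript
      script_to_msi      script host ran msiexec on an MSI in a user-writable dir
      script_to_temp_exe script host ran an executable living in a user-writable dir
    """
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def add(host_pid, stage, ev):
        f = findings.setdefault(
            host_pid, {"script_host_pid": host_pid, "user": ev["user"], "stages": []}
        )
        f["stages"].append(stage)

    for ev in events:
        name = basename(ev["image"])
        parent = by_pid.get(ev["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name in SCRIPT_HOSTS and pname in PDF_READERS:
            add(ev["pid"], "pdf_to_script", ev)
        if pname in SCRIPT_HOSTS:
            if name == "msiexec.exe" and in_user_writable(ev["cmdline"]):
                add(ev["ppid"], "script_to_msi", ev)
            elif name != "msiexec.exe" and in_user_writable(ev["image"]):
                # Credential-recovery utilities are routinely renamed, so the rule
                # keys on "executable dropped in a user-writable dir" rather than
                # on a tool name.
                add(ev["ppid"], "script_to_temp_exe", ev)

    return [f for f in findings.values() if len(f["stages"]) >= 2]


if __name__ == "__main__":
    for finding in detect_chain(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Run stand-alone, the script reports only the tree rooted at the reader that launched PID 4212, carrying all three stages; the benign admin script (no script-host parent) and the reader that spawned a single script with no children are suppressed by the two-stage threshold.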
Morphisec Labs Solution
Despite continuous modifications, financial Trojans can be effectively stopped by the Automated Moving Target Defense (AMTD) solution offered by Morphisec Labs. With this solution, attacks are halted in their early stages, preventing the installation of malicious software, scripts, and payloads.
C2 Servers and Stolen Data
The Mispadu campaign utilizes two C2 servers: one for downloading payloads and the other for leaking stolen data. The C2 data dates back to April 2023, and currently, the C2 server holds over 60,000 files.
The report also presents lists of Indicators of Compromise (IOCs) and specific identifiers used in the Mispadu campaign, such as hashes of the PDF, MSI, and VBS files, Bitcoin addresses, and the C2 servers.