Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | Malteiro has obtained credentials from mail clients via NirSoft MailPassView.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Malteiro has stolen credentials stored in the victim's browsers via the software tool NirSoft WebBrowserPassView.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Malteiro has the ability to deobfuscate downloaded files prior to execution.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Malteiro has utilized a dropper containing malicious VBS scripts.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Malteiro has relied on users to execute .zip file attachments containing malicious URLs.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese.[1] |
| Enterprise | T1082 | System Information Discovery | Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name.[1] |
| Enterprise | T1657 | Financial Theft | Malteiro targets organizations in a wide variety of sectors via the use of the Mispadu banking trojan with the goal of financial theft.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Malteiro collects the installed antivirus on the victim machine.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Malteiro has sent spearphishing emails containing malicious .zip files.[1] |

| ID | Name | References | Techniques |
|---|---|---|---|
| S1122 | Mispadu | [1] | Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Screen Capture, File and Directory Discovery, Native API, Browser Information Discovery, Browser Extensions, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Location Discovery: System Language Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks, Software Discovery: Security Software Discovery, Input Capture: Keylogging, Input Capture: GUI Input Capture, Process Discovery, Process Injection, Exfiltration Over C2 Channel, Phishing: Spearphishing Link |