Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | Mispadu has obtained credentials from mail clients via NirSoft MailPassView.[2][4][1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1115 | Clipboard Data | Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic.[4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mispadu decrypts its encrypted configuration files prior to execution.[2][1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mispadu creates a link in the startup folder for persistence.[1] Mispadu adds persistence via the registry key |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Mispadu’s dropper uses VBS files to install payloads and perform execution.[2][1] |
| Enterprise | T1113 | Screen Capture | Mispadu has the ability to capture screenshots on compromised hosts.[2][3][1][5] |
| Enterprise | T1083 | File and Directory Discovery | Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.[1] |
| Enterprise | T1106 | Native API | Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.[4][2] |
| Enterprise | T1217 | Browser Information Discovery | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[4][2] |
| Enterprise | T1176 | Browser Extensions | Mispadu utilizes malicious Google Chrome browser extensions to steal financial data.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.[1] Mispadu also uses encoded configuration files and has encoded payloads using Base64.[1][2][6] |
| Enterprise | T1204.002 | User Execution: Malicious File | Mispadu has relied on users to execute malicious files in order to gain execution on victim machines.[1][5][2] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Mispadu uses RunDLL32 for execution via its injector DLL.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Mispadu checks the compromised system’s language ID and will terminate execution if it is not Spanish or Portuguese.[4][2] |
| Enterprise | T1082 | System Information Discovery | Mispadu collects the OS version, computer name, and language ID.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Mispadu can run checks to verify whether it is running within a virtualized environment, including Hyper-V, VirtualBox or VMware, and will terminate execution if the computer name is "JOHN-PC."[1][2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Mispadu can list installed security products in the victim’s environment.[1][5] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Mispadu can log keystrokes on the victim's machine.[1][5][3] |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[4][2] |
| Enterprise | T1057 | Process Discovery | Mispadu can enumerate the running processes on a compromised host.[1] |
| Enterprise | T1055 | Process Injection | Mispadu's binary is injected into memory via |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mispadu can send the collected financial data to the C2 server.[1][2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Mispadu has been spread via malicious links embedded in emails.[2] |