
Mispadu

Posted: November 21, 2019

Mispadu is the name of a banking Trojan that appears to target users in Mexico and Brazil. Many Latin America-focused banking Trojans are built for smartphones, but Mispadu runs only on the Windows operating system. Cybersecurity researchers report that the threatening application is spread via malvertising campaigns that trick users into thinking they have won a discount code for McDonald's. In addition to this rather new malvertising trick, the authors of the Mispadu Trojan also rely on good old phishing emails that trick users into thinking they must urgently review an email attachment.

The New Banking Trojan Targets Users in Latin America

Once launched, Mispadu will try to gain persistence on the compromised host by creating a new Windows Registry key that commands the operating system to start the corrupted executable whenever the computer boots up. In addition to this, the Mispadu Trojan will also create a Visual Basic Script (VBS) file, which is launched on startup and serves the purpose of updating the compromised modules.

As soon as Mispadu manages to establish a connection to the remote Command & Control server, it will collect some basic system details and transfer them to the attacker's server – Windows version, language settings, computer name, installed banking applications and installed security software. One of Mispadu's interesting features is that it checks for the presence of a very popular online banking security tool in Brazil – Diebold Warsaw GAS Tecnologia.

Mispadu has the ability to extract stored credentials from Google Chrome, Mozilla Firefox and Internet Explorer. Furthermore, it can also collect credentials from popular email clients like Thunderbird, Outlook and Windows Live Mail. Last but not least, it has a 'clipboard hijacking' module that serves the purpose of replacing copied Bitcoin wallet addresses with ones owned by the attackers. This way, victims might accidentally send their Bitcoin to Mispadu's authors instead of to their intended recipient.
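As an added illustration that is not part of the original write-up, the following Python shows the defensive check a clipboard hijack like the one described above leaves room for: if the user copied a checksum-valid Bitcoin address and the clipboard now holds a different, equally valid address the user never copied, something rewrote it. The addresses in the test are well-known public examples; the `ClipboardGuard` class and its hook names are this example's own, and reading the real clipboard is left to the caller.

```python
import hashlib

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_payload(addr: str):
    """Decode a Base58Check address; return the 21-byte payload or None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:  # character outside the alphabet
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_btc_address(text: str) -> bool:
    """True for a checksum-valid mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = b58check_payload(text.strip())
    return payload is not None and payload[0] in (0x00, 0x05)


class ClipboardGuard:
    """Remembers what the user copied and flags a silent address swap (hypothetical helper)."""

    def __init__(self):
        self.last_user_copy = None

    def user_copied(self, text: str) -> None:
        # Called from the copy hotkey / copy event, i.e. a user-initiated write.
        self.last_user_copy = text.strip()

    def check(self, clipboard_now: str):
        """Return an alert dict if the clipboard was swapped to another valid address."""
        now = clipboard_now.strip()
        if self.last_user_copy is None or now == self.last_user_copy:
            return None
        if is_btc_address(self.last_user_copy) and is_btc_address(now):
            return {"copied": self.last_user_copy, "replaced_with": now}
        return None
```

Bech32 (`bc1...`) addresses need a separate decoder and are not covered here; the same copied-versus-current comparison applies once one is added.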

Mispadu might Drop Corrupted Chrome Extensions to Compromised Hosts

Researchers report that Mispadu also may work in combination with fraudulent Google Chrome extensions that are meant to manipulate the way the Web browser operates. The first component is meant to close all active windows, and then open a new window that is likely to be tampered with. However, a weaponized variant of this module has not been seen yet, so it might not be finished.

The second component, however, is much more treacherous – it has a list of keywords that are compared to the values of 'input' fields found on the website the user is currently browsing. One of the keywords is 'CVV,' so it is clear that the purpose of this component is to collect credit card data. The third component is the most advanced one, and it is meant to generate a fraudulent JavaScript-based login screen whenever the user visits a website that the Mispadu Trojan targets. This way, users might be tricked into providing their login details to the attackers. The latter component also attempts to exploit the Boleto payment system, which is very popular in Brazil and is targeted by cybercriminals regularly.

Latin America is targeted by banking Trojans very frequently, and users there should take the necessary actions to protect their computers and smartphones by investing in a reputable anti-virus product.
