A new malicious campaign has been discovered carrying the Mispadu backdoor and banking Trojan.
The backdoor spreads through a malvertising trick, hiding behind a McDonald's ad to steal payment card information from users. For now, users in Brazil and Mexico are targeted, but the Trojan could quickly add new countries to its target list.
Mispadu Trojan: Technical Overview
According to ESET researchers, the Mispadu Trojan is written in Delphi. The Trojan uses fake pop-up windows in an attempt to trick potential victims into revealing personal information. The backdoor functionality includes taking screenshots, simulating mouse and keyboard actions, and capturing keystrokes. The Trojan can update itself using a VBS file.
Mispadu appears to be one of a series of Trojans targeting Latin America. It is similar to other such Trojans in terms of the information it collects, including OS version, computer name, language ID, and installed security solutions.
The malware also checks whether Diebold Warsaw GAS Tecnologia (an application popular in Brazil that protects access to online banking) is installed on the system, and it scans for installed banking apps popular in Latin America.
In terms of propagation, the Trojan uses a McDonald's advertising trick to steal payment card data and online banking details. However, it can also be distributed via malspam.
In the case of malvertising, the user is tricked into clicking an ad (most likely a sponsored ad on Facebook) that redirects them to a bogus McDonald's website offering an “I want!/Generate coupon” button. If the potential victim clicks on the ad, they download a ZIP file that contains an MSI installer.
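The delivery chain described above ends with a ZIP archive that wraps an MSI installer. As an added example (not ESET's or the article's code), the following Python script inspects a ZIP archive and flags entries that look like Windows Installer packages, either by their .msi extension or by the OLE2 compound-file signature that MSI packages carry, so a payload renamed to look like a coupon document is still caught. The archive and file names it scans are constructed for the demonstration.

```python
"""Flag ZIP archives that carry an MSI installer, the delivery vector used by
the Mispadu coupon lure. Added example; not the article's or ESET's code."""
import io
import zipfile

# OLE2 compound-file signature. Windows Installer (.msi) packages use this
# container format, so the first eight bytes of a real MSI match it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_msi_entries(zip_bytes):
    """Return (name, reason) for every entry that looks like an MSI package.

    An entry is flagged when its name ends in .msi, or when its first bytes
    carry the OLE2 magic regardless of the name. Only the first eight bytes
    of each entry are read, so a large or nested archive stays cheap to scan.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))
            by_name = info.filename.lower().endswith(".msi")
            by_magic = head == OLE_MAGIC
            if by_name:
                hits.append((info.filename, "extension"))
            elif by_magic:
                hits.append((info.filename, "magic"))
    return hits


def build_sample_zip():
    """Constructed sample archive (not a real Mispadu sample): a benign text
    file, an MSI named as such, and an OLE payload disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "thanks for your order")
        zf.writestr("cupom.msi", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("cupom.pdf", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_msi_entries(build_sample_zip()):
        print(f"suspicious installer inside archive: {name} ({reason})")
```

Checking the magic bytes rather than only the extension matters because the lure presents the download as a coupon; a mail gateway or download scanner that keys on the .msi suffix alone would miss a renamed package.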
It appears that Mispadu's operators compiled two different versions of the malware depending on the country targeted. Attacks also vary in terms of installers and stages according to the country. Nonetheless, the malware follows the same logic in all attacks.
In Brazil, the Trojan also delivers a malicious Google Chrome extension. The researchers discovered that the purpose of the extension is not only to steal payment card and banking data, but also to steal money from victims by compromising the Boleto online payment system.
Apparently, Latin America is becoming a focal point for banking malware. This year, security researchers have come across several banking Trojans targeting the region.