Mispadu Trojan Uses Malicious McDonalds Ads on Facebook to Spread

A new malicious campaign has been discovered carrying the Mispadu backdoor and banking Trojan.




The backdoor spreads through a malvertising trick, hiding behind a McDonalds ad to steal payment card information from users. For now, users in Brazil and Mexico are targeted, but the Trojan could quickly add new countries to its target list.

Mispadu Trojan: Technical Overview

According to ESET researchers, the Mispadu Trojan is written in Delphi. It uses fake pop-up windows to trick potential victims into revealing personal information. The backdoor functionality includes taking screenshots, simulating mouse and keyboard actions, and capturing keystrokes. The Trojan can update itself using a VBS file.

Mispadu appears to be one of a series of Trojans targeting Latin America. It resembles other such Trojans in the information it collects: OS version, computer name, language ID, and installed security solutions.

The malware also checks whether Diebold Warsaw GAS Tecnologia (an application popular in Brazil that protects access to online banking) is installed on the system, and it scans for installed banking apps popular in Latin America.

In terms of propagation, the Trojan uses a McDonalds advertising trick to steal payment card data and online banking details. However, the Trojan can also be distributed via malspam.

In the malvertising case, the user is tricked into clicking an ad (most likely a sponsored ad on Facebook) that redirects them to a bogus McDonalds website with a button reading “I want!/Generate coupon”. If the potential victim clicks it, they download a ZIP file containing an MSI installer.
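The delivery chain described above (a ZIP downloaded from the browser, an MSI installer run from the extraction folder) and the VBS self-update mechanism from the Technical Overview give a defender two events that rarely occur together on a clean workstation within a short time. The script below is an added example of correlating them over process-creation telemetry; it is not code from the article or from ESET. The process names, the "user-writable directory" heuristic, the 30-minute window and every event in `SAMPLE_EVENTS` are constructed assumptions for illustration, not published indicators for Mispadu.

```python
"""Added example (not from the article or ESET): flag an MSI executed from a
user-writable directory that is followed, on the same host and within a short
window, by a VBS run through a Windows script host. Every event below is
constructed; the paths, process names and window are assumptions, not IoCs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed heuristic: paths an ordinary user can write to (the ZIP extraction
# folder, Temp, AppData). Vendor installers normally run from elsewhere.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def in_user_writable_dir(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def is_msi_from_user_dir(ev: ProcEvent) -> bool:
    """msiexec.exe installing a .msi that lives in a user-writable directory."""
    return (ev.image.lower() == "msiexec.exe"
            and ".msi" in ev.cmdline.lower()
            and in_user_writable_dir(ev.cmdline))


def is_vbs_from_user_dir(ev: ProcEvent) -> bool:
    """wscript/cscript running a .vbs from a user-writable directory."""
    return (ev.image.lower() in SCRIPT_HOSTS
            and ".vbs" in ev.cmdline.lower()
            and in_user_writable_dir(ev.cmdline))


def find_chains(events: Iterable[ProcEvent],
                window: timedelta = timedelta(minutes=30)
                ) -> List[Tuple[str, ProcEvent, ProcEvent]]:
    """Return (host, msi_event, vbs_event) triples where the VBS execution
    happens after the MSI install on the same host and inside `window`.
    Either event alone is common; the pair is what makes the alert worth a look."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    hits = []
    for host, evs in by_host.items():
        msis = [e for e in evs if is_msi_from_user_dir(e)]
        vbss = [e for e in evs if is_vbs_from_user_dir(e)]
        for m in msis:
            for v in vbss:
                if m.ts <= v.ts <= m.ts + window:
                    hits.append((host, m, v))
    return hits


# Constructed sample telemetry: host-a shows the chain, the others show the
# benign look-alikes a rule like this has to ignore.
_T0 = datetime(2019, 11, 20, 10, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    ProcEvent(_T0, "host-a", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent(_T0 + timedelta(minutes=2), "host-a", "explorer.exe", "msiexec.exe",
              r'msiexec.exe /i "C:\Users\ana\Downloads\cupom\cupom.msi"'),
    ProcEvent(_T0 + timedelta(minutes=9), "host-a", "msiexec.exe", "wscript.exe",
              r'wscript.exe "C:\Users\ana\AppData\Local\Temp\upd.vbs"'),
    # host-b: vendor update pushed by a service from Program Files, no script host
    ProcEvent(_T0, "host-b", "services.exe", "msiexec.exe",
              r'msiexec.exe /i "C:\Program Files\Vendor\update.msi" /qn'),
    # host-c: a user's own script, no preceding MSI install
    ProcEvent(_T0 + timedelta(minutes=5), "host-c", "explorer.exe", "cscript.exe",
              r'cscript.exe "C:\Users\bob\Desktop\backup.vbs"'),
    # host-d: both events, but two hours apart (outside the window)
    ProcEvent(_T0, "host-d", "explorer.exe", "msiexec.exe",
              r'msiexec.exe /i "C:\Users\dan\Downloads\setup.msi"'),
    ProcEvent(_T0 + timedelta(hours=2), "host-d", "explorer.exe", "wscript.exe",
              r'wscript.exe "C:\Users\dan\AppData\Roaming\tidy.vbs"'),
]


def report(events: Iterable[ProcEvent]) -> List[str]:
    """One human-readable line per correlated chain."""
    return [f"{host}: {m.cmdline!r} at {m.ts:%H:%M} then {v.cmdline!r} at {v.ts:%H:%M}"
            for host, m, v in find_chains(events)]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Run as-is it prints a single line for `host-a`; the same two predicates dropped into a SIEM correlation rule (Sysmon event ID 1 or an EDR process-creation feed) would behave the same way. The window and the directory markers are the knobs to tune: widen them and the host-d case becomes an alert, narrow them and a slow-stage installer slips through.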

It appears that Mispadu’s operators compiled two different versions of the malware based on the country targeted. Attacks also vary in terms of installers and stages, according to the country. Nonetheless, the malware follows the same logic in all attacks.

In Brazil, the Trojan also delivers a malicious Google Chrome extension. The researchers found that the extension's purpose is not only to steal payment card and banking data, but also to steal money from victims by compromising the Boleto online payment system.

Latin America appears to be becoming a focal point for banking malware. This year security researchers have come across several banking Trojans targeting the region.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
