Cloud Threat Landscape

Mispadu stealer

Aliases

Mispadu trojan, Mispadu

Tags
Malware, Trojan, RAT, Backdoor
Techniques
Phishing, Malvertising, Misconfigured WordPress abuse
Incidents
Windows SmartScreen vulnerability exploited by Mispadu trojan
References
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
https://www.metabaseq.com/threat/mispadu-banking-trojan/
Last edited
Aug 7, 2024 7:57 AM

Mispadu is a banking trojan first documented by ESET in 2019 that targets Latin American countries through spam and malvertising campaigns. It is highly active and operated as malware-as-a-service: new campaigns appear frequently and each changes its obfuscation techniques, which makes consistent protection difficult. A key tactic is compromising legitimate websites that run vulnerable content management systems such as WordPress and using them as command-and-control (C2) servers. These servers distribute malware selectively, filtering victims by country and delivering different payloads to different targets, including a dedicated RAT reserved for high-value victims such as bank employees. The campaigns deliberately skip systems whose language is Spanish (Spain), English (United States) or Portuguese (Brazil). The operators produce new variants quickly, show familiarity with the major banks of the region, and use local slang in their code, which suggests the developers are based in Chile. Recent campaigns introduced new techniques, including fake certificates used for obfuscation, a .NET-based backdoor that captures screenshots and displays fake windows, and a Rust-based backdoor, all of which complicate endpoint detection.
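The language check above is an execution guardrail, and it has a practical consequence for analysts: a sandbox or detonation VM left at the default en-US locale will never see the payload stage. The following is an added example, written for this page and not Mispadu's own code, that models the guardrail as described here so an analyst can decide which locale settings to detonate under. The excluded set is taken from the text; the LCID values are standard Windows locale identifiers; the function names and the candidate list are the example's own.

```python
# Added example: models the locale-based execution guardrail described on this
# page. It is NOT the malware's code; the excluded set comes from the page text
# and the LCID table holds standard Windows locale identifiers.
from typing import List, Tuple, Union

# Locales the page says the campaigns avoid: Spanish (Spain), English (US),
# Portuguese (Brazil).
EXCLUDED_LOCALES = {"es-ES", "en-US", "pt-BR"}

# Windows LCID -> locale name for locales relevant to the region (standard values).
LCID_TO_NAME = {
    0x0409: "en-US",
    0x040A: "es-ES",  # Spanish (Spain, traditional sort)
    0x0C0A: "es-ES",  # Spanish (Spain, modern sort)
    0x0416: "pt-BR",
    0x0816: "pt-PT",
    0x080A: "es-MX",
    0x340A: "es-CL",
    0x2C0A: "es-AR",
    0x240A: "es-CO",
    0x280A: "es-PE",
}


def normalize_locale(locale: Union[int, str]) -> str:
    """Return a canonical 'xx-YY' name.

    Accepts an LCID as int or hex string ('0x0409', '0409'), or a name in
    either Windows ('es-MX') or POSIX ('es_MX') form, in any letter case.
    Unknown LCIDs come back as 'lcid-xxxx' so they never match the excluded set.
    """
    if isinstance(locale, int):
        return LCID_TO_NAME.get(locale, f"lcid-{locale:04x}")
    s = locale.strip()
    is_hex_lcid = s.lower().startswith("0x") or (
        len(s) == 4 and all(c in "0123456789abcdefABCDEF" for c in s)
    )
    if is_hex_lcid:
        return normalize_locale(int(s, 16))
    lang, _, region = s.replace("_", "-").partition("-")
    return f"{lang.lower()}-{region.upper()}" if region else lang.lower()


def guardrail_allows_execution(locale: Union[int, str]) -> bool:
    """True if a host with this locale is outside the excluded set,
    i.e. the loader described on the page would continue to the payload."""
    return normalize_locale(locale) not in EXCLUDED_LOCALES


def sandbox_plan(candidates: List[Union[int, str]]) -> Tuple[list, list]:
    """Split candidate sandbox locale settings into those that would observe the
    payload stage and those that would stay blind because of the guardrail."""
    observed = [c for c in candidates if guardrail_allows_execution(c)]
    blind = [c for c in candidates if not guardrail_allows_execution(c)]
    return observed, blind


if __name__ == "__main__":
    # Constructed candidate list mixing the forms an analyst sees in sandbox
    # configs, VM templates and locale dumps.
    candidates = ["en-US", "es-MX", 0x0416, "es_CL", "0x0C0A", "pt-PT"]
    observed, blind = sandbox_plan(candidates)
    print("will observe payload:", observed)
    print("blind (guardrail trips):", blind)
```

Two points follow from running it. First, region matters more than language: es-ES is excluded but es-MX, es-CL and es-AR are not, so a Spanish-language VM only helps if its region is set to a targeted country. Second, since the page lists Portuguese (Brazil) as excluded, a pt-BR image will also stay blind, so Portuguese-language detonation needs a different region such as pt-PT. The check is on the system locale, not on the IP geolocation the C2 uses for its own country filter; both need to line up for a full detonation.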


Last Updated: April 3, 2025