The Threat of Mispadu to Chile, Mexico, Peru, and Portugal
A total of twenty spam campaigns were found to have targeted Chile, Mexico, Peru, and Portugal according to Metabaseq researchers‘ investigation.
The primary objective of these campaigns was to steal credentials, particularly targeting online banking, schools, government agencies, social networking, gaming, e-commerce, public repositories, and Outlook email accounts.
Cybercriminals also created fake websites to trick their victims, such as windows for online banking. These attackers used HTML pages or password-protected PDF files to trick victims into opening bogus invoices.
The Usage of TTPs in Mispadu Campaigns
The cybercriminals used tactics, techniques, and processes (TTPs) similar to those of the banking trojan known as Mispadu. ESET discovered Mispadu in 2019, which targeted countries in South America through spamming and malicious advertising activities.
The gang’s malware-as-a-service mode of operation, combined with their high level of activity in the region, makes it essential to monitor this group. As a result, the gang has been continuously launching new sorts of operations, using new methodologies and multiple layers of obfuscation.
Mispadu’s Tactics of Compromising Websites and Language-Based Filtering
The gang uses compromised genuine websites as Command & Control Servers to propagate malware. They scan for outdated versions of content management systems, such as WordPress, to compromise and leverage these websites to spread malware.
They filter out countries they do not want to infect and deploy a unique malicious RAT when they detect an interesting device. Additionally, they avoid considering victims whose system language is Spanish Spain, English United States of America, or Portuguese – Brazil.
Multi-Stage Infection Method and False Certificates
Mispadu uses a multi-stage infection method that breaks down dangerous tactics into their constituent parts to make them harder to detect. The cybercriminals embed malware inside false certificates and use an authorized Windows tool called “certutil” improperly to decode and run the banking malware.
Protecting Against Mispadu and Future Threats
Corporate users, who generally have both antivirus and EDR/XDR security measures in place, have a relatively low infection rate. However, businesses should assume that at some point, an employee will be compromised and devise a plan to reduce the time it takes to detect and respond to security threats. This would help improve the SOC’s monitoring, detection, and response capabilities.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
