ESET: It’s dubbed Mispadu and is a banking trojan that uses McDonald’s malvertising and extends its attack surface to web browsers. Its goals are monetary and credential theft.
It’s dubbed Mispadu and is a banking trojan that uses McDonald’s malvertising and extends its attack surface to web browsers. It was discovered by ESET cybersecurity researchers. This malware family targets the general public; its main goals are monetary and credential theft. In Brazil, researchers have seen it distributing a malicious Google Chrome extension that attempts to steal credit card and online banking data and that compromises the Boleto payment system. The malicious code is written in Delphi and attacks its victims by displaying fake pop-up windows that try to persuade them to divulge sensitive information. Its backdoor functionality lets the malware take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It can update itself via a Visual Basic Script (VBS) file that it downloads and executes.
The information collected by the malware
According to the cybersecurity experts, Mispadu, like the other Latin American banking trojans, collects information about its victims, namely:
- OS version
- computer name
- language ID
- whether Diebold Warsaw GAS Tecnologia (an application, popular in Brazil, to protect access to online banking) is installed
- list of installed common Latin American banking applications
- list of installed security products
As in the cases of Amavaldo and Casbaneiro, the malware can also be identified by its use of a unique, custom cryptographic algorithm to obfuscate the strings in its code. This is used in all components, as well as to protect its configuration files and C&C communications. The banking trojan executable comes with four potentially unwanted applications stored in its resource section. These applications are all otherwise legitimate files from Nirsoft, but have been patched to run from the command line with no GUI.
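A simple triage check a defender can run on a suspicious executable to spot embedded PE files such as the patched NirSoft tools described above. This is an added example, not ESET's code or anything from the Mispadu analysis; the sample bytes are constructed minimal MZ/PE stubs, not real binaries, and the header layout follows the documented DOS/PE format.

```python
import struct

def _mini_pe(machine: int, num_sections: int, payload: bytes = b"") -> bytes:
    """Build a constructed minimal MZ/PE stub: DOS header, e_lfanew, then IMAGE_FILE_HEADER."""
    e_lfanew = 0x40                      # standard DOS header size, PE signature follows it
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, num_sections, 0, 0, 0, 0, 0x0102)
    return dos + b"PE\x00\x00" + file_hdr + payload

def find_embedded_pe(data: bytes) -> list:
    """Return every MZ header in data whose e_lfanew points at a valid 'PE\\0\\0' signature.

    Each hit records the file offset, the Machine field and the section count. A bare
    'MZ' byte pair in ordinary data is ignored unless the PE signature check passes.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew is bounded to reject random data that merely starts with "MZ"
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(data) \
                    and data[pe:pe + 4] == b"PE\x00\x00":
                machine, nsec = struct.unpack_from("<HH", data, pe + 4)
                hits.append({"offset": pos, "machine": hex(machine), "sections": nsec})
        pos = data.find(b"MZ", pos + 1)
    return hits

def count_embedded(data: bytes) -> int:
    """Number of PE images found beyond the host image at offset 0."""
    return sum(1 for h in find_embedded_pe(data) if h["offset"] != 0)

# Constructed sample: a host image carrying one embedded PE where a resource would sit.
EMBEDDED = _mini_pe(0x14C, 3, b"embedded tool stub (constructed)")
SAMPLE = _mini_pe(0x14C, 5, b"\x00" * 64 + EMBEDDED + b"\x00" * 16)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE):
        print(hit)
    print("embedded images:", count_embedded(SAMPLE))
```

On a real sample, pair this with a proper PE resource parser so a hit can be attributed to a specific resource entry rather than only a raw offset.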
How the malware works according to the cybersecurity experts
Mispadu employs two distribution methods: spam and malvertising. While the former is very common for Latin American banking trojans, the latter is not. The cybercriminals placed sponsored advertisements on Facebook offering fake discount coupons for McDonald’s. Clicking the advertisements leads the potential victim to one specific web page. Regardless of the visitor’s OS, clicking the button there downloads a ZIP archive containing an MSI installer. Occasionally, this archive also contains legitimate software such as Mozilla Firefox or PuTTY, but these are mere decoys and are not used at all. The malware operators compiled two different versions of the banking trojan depending on the country it attacks, and they also use different installers and subsequent stages for each targeted country.
Photo Credits: ESET