The Mispadu banking trojan is using a McDonald's-themed malvertising tactic to ultimately steal payment-card data and online banking information. Written in Delphi, Mispadu targets Brazil and Mexico, uses pop-up windows and contains backdoor functionality.
According to researchers at ESET, Mispadu spreads via email as well as sponsored advertisements on Facebook. These offer fake discount coupons for McDonald's with the call-out, “Use them on any September day! Independence coupons. Get yours now.”
If someone clicks the ad, they’re taken to a phony McDonald's website with a button that says, “I want!/Generate coupon.” Clicking this in turn downloads a ZIP archive to the victim machine containing an MSI installer, according to an analysis published on Tuesday.
The MSI installer sets off a chain of Visual Basic Scripts (VBS) that ultimately ends with a loader. The loader checks the language identifier of the target machine to verify that it is indeed located in Brazil or Mexico, sets up configuration files, connects to its command-and-control (C2) server and downloads the banking trojan.
“We believe this malware family is targeting the general public,” said the researchers. “Its main goals are monetary and credential theft.”
The threat actors are abusing the Russian service Yandex.Mail to store the malicious payloads, according to the analysis: They likely sent themselves an email with the malicious coupon as an attachment, and then pointed potential victims to a direct link to that attachment.
As for its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It collects fingerprinting information about its victim machines, and checks whether Diebold Warsaw GAS Tecnologia is installed (researchers said that this is a popular application in Brazil used to protect access to online banking). It also monitors for installed banking applications, watches the content of the clipboard and tries to replace potential bitcoin wallet addresses with its own.
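The clipboard-swap behaviour described above is one of the easier Mispadu capabilities to detect on the host, because a legitimate user almost never replaces one wallet address with a different one within a fraction of a second. The following is an added example, not code from ESET's report or from the Threatpost article: a small heuristic that runs over a constructed log of clipboard snapshots (the `{ ts, text, owner }` record shape is assumed, as is the 2-second window) and flags an address-shaped value being overwritten by a different address-shaped value. The sample addresses are used for their shape only.

```javascript
// Added example: clipboard-hijack (bitcoin "clipper") detection heuristic.
// Not part of the ESET analysis; record shape, window and sample data are assumed.

// Legacy P2PKH/P2SH addresses (Base58, start with 1 or 3) and bech32 (bc1...) addresses.
const BTC_ADDRESS = /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$/;

function looksLikeBtcAddress(s) {
  return typeof s === 'string' && BTC_ADDRESS.test(s.trim());
}

// snapshots: [{ ts: epoch ms, text: clipboard contents, owner: process that set it }, ...]
// Rule: an address-shaped value replaced by a *different* address-shaped value
// within `windowMs` is reported. Returns a list of alerts (empty when nothing fires).
function detectClipboardSwap(snapshots, windowMs = 2000) {
  const alerts = [];
  for (let i = 1; i < snapshots.length; i++) {
    const prev = snapshots[i - 1];
    const cur = snapshots[i];
    if (!looksLikeBtcAddress(prev.text) || !looksLikeBtcAddress(cur.text)) continue;
    if (prev.text.trim() === cur.text.trim()) continue;   // same address re-copied: benign
    if (cur.ts - prev.ts > windowMs) continue;            // slow change: normal user behaviour
    alerts.push({
      at: cur.ts,
      original: prev.text.trim(),
      replacement: cur.text.trim(),
      owner: cur.owner,                                   // process that wrote the replacement
    });
  }
  return alerts;
}

// Constructed sample log (not real telemetry): a user copies an address at t=5000 ms,
// another process overwrites it 50 ms later; later copies are minutes apart.
const SAMPLE_LOG = [
  { ts: 1000,   text: 'Invoice #4412',                                owner: 'outlook.exe' },
  { ts: 5000,   text: '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',           owner: 'chrome.exe' },
  { ts: 5050,   text: '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy',           owner: 'updater.exe' },
  { ts: 60000,  text: 'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq',   owner: 'chrome.exe' },
  { ts: 120000, text: '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',           owner: 'chrome.exe' },
];

console.log(JSON.stringify(detectClipboardSwap(SAMPLE_LOG), null, 2));
```

On the sample log the rule fires exactly once, for the 50 ms overwrite, and stays quiet for the later, slower copies. In a real monitor the `owner` field (the process that last set the clipboard, e.g. from `GetClipboardOwner` on Windows) is what turns the alert into a lead: the replacement coming from a process that is not the browser or a wallet app is the tell.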
In addition, it vacuums up credentials.
“The banking trojan executable comes with four potentially unwanted applications stored in its resource section,” researchers explained. “These applications are all otherwise legitimate files from Nirsoft, but have been patched to run from the command line with no GUI. They are used by the malware to extract stored credentials from browsers (Google Chrome, Mozilla Firefox, Internet Explorer), and email clients (Microsoft Outlook, Mozilla Thunderbird, and Windows Live Mail, among others).”
Google Chrome Extension
In Brazil, Mispadu also distributes a malicious Google Chrome extension. ESET found that the extension’s goal is to steal payment-card information and sensitive banking data, but also to steal money from its victims by compromising the country’s Boleto online payment system.
The extension ironically purports to be a Chrome protection utility named “Securty [sic] System 1.0.” Researchers found that it consists of three malicious JavaScript files. One simply creates a new Google Chrome window and closes all others.
The second component is bent on payment-card theft: “In pages served from [a hardcoded list of websites], it looks for any input field containing the words ‘text,’ ‘email,’ ‘tel,’ ‘number,’ ‘password’ or ‘radio.’ If ‘CVV’ or ‘CÓD SEG’ or their variants are found anywhere on the website, the content of those input fields is sent to the attacker when the victim submits the information.”
The third component is focused on the Boleto payment system. Users can pay for things by printing a ticket (“boleto” in Portuguese) that carries an ID number specific to the bank account that should receive the payment, plus a barcode. Payment is made by scanning the barcode.
“The system has been an attractive target for attackers for a long time,” ESET noted. “[In this case], using a regular expression, the malware component tries to find the ID number and replace it with the attacker’s (obtained dynamically). Additionally, it abuses a legitimate website to generate the payment barcode using the attacker’s account number and replaces the legitimate one with that.”
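The two extension components described above (the input-field harvester keyed on ‘CVV’/‘CÓD SEG’, and the regex-driven boleto ID rewriter) share a recognisable footprint in their source: input enumeration, a sensitive-text marker, a submit hook, a string rewrite, and an outbound send. The following is an added example, not ESET's or Threatpost's code, of a static triage heuristic an analyst could run over the JavaScript files of an installed extension. The indicator names, weights, threshold and the three sample sources are all constructed for this illustration; the samples are non-functional fragments that only carry the indicators, not working extension code.

```javascript
// Added example: static triage of extension content scripts against the two
// behaviours ESET describes. Indicators, weights and samples are constructed.

const INDICATORS = [
  // enumerates form inputs (needed by the card harvester)
  { id: 'input-enumeration', weight: 1,
    re: /querySelectorAll\s*\(\s*['"`][^'"`]*input|getElementsByTagName\s*\(\s*['"`]input['"`]/ },
  // looks for card security-code labels on the page (CVV, CÓD SEG and variants)
  { id: 'card-security-code-marker', weight: 3,
    re: /\bCVV\b|C[ÓO]D(?:IGO)?\.?\s*SEG/i },
  // waits for the victim to submit before sending
  { id: 'submit-hook', weight: 1,
    re: /addEventListener\s*\(\s*['"`]submit['"`]|\.onsubmit\s*=/ },
  // a regular expression shaped like the 47-digit boleto "linha digitável"
  // (5 digits ... 14 digits on one line), or the term itself
  { id: 'boleto-line-pattern', weight: 3,
    re: /\\d\{5\}[^\n]*\\d\{14\}|\\d\{47\}|linha\s*digit[aá]vel/i },
  // rewrites page text (how the boleto ID gets swapped)
  { id: 'string-rewrite', weight: 1, re: /\.replace\s*\(/ },
  // talks to a remote host (exfiltration or fetching the attacker's account number)
  { id: 'outbound-send', weight: 1, re: /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/ },
];

const SUSPICIOUS_THRESHOLD = 4;   // assumed cut-off; tune against your own extension corpus

// Returns { score, matched: [indicator ids], verdict: 'suspicious' | 'low' }.
function triageExtensionScript(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    score,
    matched: hits.map((ind) => ind.id),
    verdict: score >= SUSPICIOUS_THRESHOLD ? 'suspicious' : 'low',
  };
}

// Constructed, non-functional fragments that carry the indicators of each component.
const SAMPLE_CARD_HARVESTER = String.raw`
  const inputs = document.querySelectorAll('input');
  const marker = /CVV|CÓD SEG/;
  form.addEventListener('submit', send);
  function send() { fetch(COLLECTOR_URL_PLACEHOLDER); }
`;

const SAMPLE_BOLETO_REWRITER = String.raw`
  const LINHA = /\d{5}\.\d{5} \d{5}\.\d{6} \d{5}\.\d{6} \d \d{14}/;
  out = text.replace(LINHA, REPLACEMENT_PLACEHOLDER);
  fetch(PLACEHOLDER_URL);
`;

// A benign autofill helper also reads inputs and calls fetch, but carries no marker,
// no submit hook and no rewrite, so it stays below the threshold.
const SAMPLE_BENIGN_AUTOFILL = String.raw`
  const emails = document.querySelectorAll('input[type="email"]');
  fetch('https://profile.example.invalid/me').then((r) => r.json())
    .then((p) => { emails.forEach((e) => { e.value = p.email; }); });
`;

for (const [name, src] of [
  ['card-harvester', SAMPLE_CARD_HARVESTER],
  ['boleto-rewriter', SAMPLE_BOLETO_REWRITER],
  ['benign-autofill', SAMPLE_BENIGN_AUTOFILL],
]) {
  console.log(name, JSON.stringify(triageExtensionScript(src)));
}
```

The weights deliberately put most of the score on the two content-specific markers (the card-code label search and the boleto line regex); input enumeration and `fetch` on their own are what every autofill or form-validation extension does. A legitimate payment extension would still score high here, so treat the verdict as a prioritisation cue for manual review of the flagged file, not as a blocking decision.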
The Chrome extension approach is not new; in 2017 Google removed from the Chrome Web Store a malicious browser extension used by criminals in Brazil to target corporate users with the aim of stealing banking credentials. The attackers found out via social networks who inside an organization was closely involved in making financial transactions; those victims were then contacted over the phone by the criminals posing as bank employees, who urged the victims to install an update to the bank’s security module and threatened that they would otherwise lose access to their account.
Stats and Future Activity
In its analysis, ESET found that the campaign has generated 100,000 clicks in Brazil, across desktop and mobile platforms. The effort is recurring, and was seen in the first part of September and then again at the beginning of October.
“The clicks originating from Android are most likely the result of the fact that the advertisement is shown on Facebook regardless of the user’s device,” the researchers said.
They also found that Mispadu is evolving.
“We found an open directory on one of the servers Mispadu uses, and files connected to a very similar campaign were stored there,” according to the report. “Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and to force a fake Adobe Flash Player update on its potential victims. We have not observed that campaign in the wild and believe it may be a setup for the future.”
Latin America has emerged as a hotbed of innovative banking malware. In May, researchers discovered a banking trojan making waves in Brazil dubbed MnuBot. It’s used to perform illegal transactions on victims’ open banking sessions, using an unusual command and control (C&C) server and a full-screen social-engineering overlay form.
And in April, the Metamorfo trojan was spotted using “spray and pray” spam tactics to ensnare victims. Across the various offensives, the bad actors are abusing legitimate, signed binaries to load the malicious code.