Mispadu

Mispadu is a banking Trojan whose activity appears to be concentrated in the Brazilian and Mexican regions. Unlike most banking Trojans nowadays, which are both desktop and mobile-compatible, the Mispadu Trojan only works with desktop systems running the Windows operating system. It would appear that the creators of the Mispadu banking Trojan are propagating it via malvertising operations. The targets will be tricked into believing that they have won a coupon for McDonald’s restaurants. Apart from malvertising, the attackers have opted to use phishing email campaigns that contain an infected attachment.

Gaining Persistence and Collecting Data

When the Mispadu Trojan manages to infiltrate a targeted host, it will attempt to gain persistence by tampering with the Windows Registry, ensuring that when the victims restart their computers, the banking Trojan also will be launched. The Mispadu Trojan is able to apply updates to its modules by utilizing a VBS (Visual Basic Script) file that also will be executed when the infected machine is started. Next, the Mispadu banking Trojan will make sure to connect to the attackers’ C&C (Command & Control) server and transfer any relevant information about banking related software, language settings, anti-malware applications, computer name, Windows version, etc. It has been reported that the Mispadu Trojan scans the compromised systems for a security tool regarding a banking software called Diebold Warsaw GAS Technologia. This security tool is rather popular in Brazil, and it is likely that the authors of the Mispadu Trojan are making sure it will not interfere with their attack.

Collects Login Credentials and Has a Clipboard Hijacker Module

The Mispadu banking Trojan is capable of collecting login credentials regarding popular email services – Outlook, Windows Live Mail, Thunderbird, etc. The banking Trojan also can gather emails and passwords from the most popular Web browsers – Mozilla Firefox, Google Chrome and Internet Explorer. Another nasty trick that the Mispadu Trojan has in the bag is clipboard hijacking. This threat can detect if the victim has copied a cryptocurrency wallet address and swap it with their own wallet address without the user noticing. This means that the victims will be sending their cryptocurrency to the attackers instead of whom it was addressed to originally.

Looks for Keywords

The Mispadu banking Trojan may have been used in unison with a fake Google Chrome extension, which is likely tampering with the Web browser of the user. This means that the threat may be capable of closing all windows the user had opened and instead launch a compromised window. It also can scan fields present on the page that the user is browsing and search for certain keywords. It was reported that among these keywords is ‘CVV.’ This makes it clear that the attackers are after the victims’ credit card information. The Mispadu malware also may be able to launch a fake login screen where the users are urged to fill in their login credentials – this trick appears to be used against Brazilian users who use the Boleto payment portal mainly.

The Mispadu banking Trojan is a very potent threat, and users in Brazil and Mexico should be very wary of this nasty threat. This, however, does not mean that users worldwide are safe either, as the attackers always can modify the Mispadu Trojan and expand its reach to other countries.