Partners:

Quark
Polskie Stowarzyszenie Bitcoin

Mispadu: Dangerous Banking Trojan on European and Latin American Markets

Mispadu, also known as URSA, a banking Trojan, is spreading in Europe and Latin America. This threat, targeting Spanish-speaking users, steals authentication data and sends malicious phishing messages. Morphisec Labs offers a solution to stop Mispadu attacks. C2 servers and stolen data are key components of this ongoing campaign.

Mispadu – Banking Trojan Rampaging in Europe and Latin America

Morphisec Labs reports a rise in activity related to the banking Trojan Mispadu, also known as URSA. This Trojan, first discovered by ESET in 2019, was initially focused on the LATAM markets and Spanish-speaking users. However, its operations have recently expanded to include European countries as well.

Expansion of the Mispadu Trojan

Despite its geographic expansion, Mexico remains the primary target of the campaign. The attacks have resulted in the theft of thousands of authentication credentials, including records dating back to April 2023. This threat leverages the stolen data to send malicious phishing messages, posing a significant risk to recipients.

Stages of the Mispadu Attack

The Mispadu attack consists of multiple stages, starting from phishing emails with PDF attachments, through stages of downloading and executing VB Script scripts, up to the final stage where the Trojan utilizes NirSoft tools to steal authentication data from web browsers and email clients.

Morphisec Labs Solution

Despite continuous modifications, financial Trojans can be effectively stopped by the Automated Moving Target Defense (AMTD) solution offered by Morphisec Labs. With this solution, attacks are halted in their early stages, preventing the installation of malicious software, scripts, and payloads.

C2 Servers and Stolen Data

The Mispadu campaign utilizes two C2 servers: one for downloading payloads and the other for leaking stolen data. The C2 data dates back to April 2023, and currently, the C2 server holds over 60,000 files.

Indexes related to Indicators of Compromise (IOCs) and specific identifiers such as PDF file hashes, MSI, VBS, Bitcoin addresses, and C2 servers used in the Mispadu campaign have also been presented.

banking trojaneuropelatin americamispadumorphisec labs

Related

QakBot: dangerous banking trojan returns with new tricks
QakBot: dangerous banking trojan returns with new tricks
MiCA Regulations and Cryptocurrency Markets: What Does the Delisting of Tether (USDT) on OKX Mean for Europe?
MiCA Regulations and Cryptocurrency Markets: What Does the Delisting of Tether (USDT) on OKX Mean for Europe?
BingX Regulations in Europe: What Determines Accessibility in Different Countries?
BingX Regulations in Europe: What Determines Accessibility in Different Countries?
Europol, a well-known institution, hacked by IntelBroker: Stolen information in the hands of the buyer
Europol, a well-known institution, hacked by IntelBroker: Stolen information in the hands of the buyer