
G1026 Malteiro

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal). [1]

ID: G1026
Associated Names: (none listed)
Version: 1.0
Created: 13 March 2024
Last Modified: 29 March 2024

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.005 | Visual Basic | Malteiro has utilized a dropper containing malicious VBS scripts. [1]
enterprise | T1555 | Credentials from Password Stores | Malteiro has obtained credentials from mail clients via NirSoft MailPassView. [1]
enterprise | T1555.003 | Credentials from Web Browsers | Malteiro has stolen credentials stored in the victim's browsers via the NirSoft WebBrowserPassView tool. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Malteiro has the ability to deobfuscate downloaded files prior to execution. [1]
enterprise | T1657 | Financial Theft | Malteiro targets organizations in a wide variety of sectors with the Mispadu banking trojan, with the goal of financial theft. [1]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.013 | Encrypted/Encoded File | Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims. [2]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Malteiro has sent spearphishing emails containing malicious .zip files. [1]
enterprise | T1055 | Process Injection | -
enterprise | T1055.001 | Dynamic-link Library Injection | Malteiro has injected Mispadu's DLL into a process. [1]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | Malteiro identifies the antivirus software installed on the victim machine. [1]
enterprise | T1082 | System Information Discovery | Malteiro collects machine information, including the system architecture, OS version, computer name, and Windows product name. [1]
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Malteiro has relied on users to execute .zip file attachments containing malicious URLs. [1]

Software

ID: S1122
Name: Mispadu
References: [1]
Techniques (sub-technique: parent technique where applicable):
    Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution
    Browser Information Discovery
    Clipboard Data
    Visual Basic: Command and Scripting Interpreter
    Credentials from Web Browsers: Credentials from Password Stores
    Credentials from Password Stores
    Deobfuscate/Decode Files or Information
    Asymmetric Cryptography: Encrypted Channel
    Exfiltration Over C2 Channel
    File and Directory Discovery
    Keylogging: Input Capture
    GUI Input Capture: Input Capture
    Native API
    Encrypted/Encoded File: Obfuscated Files or Information
    Spearphishing Link: Phishing
    Process Discovery
    Process Injection
    Screen Capture
    Security Software Discovery: Software Discovery
    Browser Extensions: Software Extensions
    Msiexec: System Binary Proxy Execution
    Rundll32: System Binary Proxy Execution
    System Information Discovery
    System Language Discovery: System Location Discovery
    Malicious File: User Execution
    System Checks: Virtualization/Sandbox Evasion

References