S1122 Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][3] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[3] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[3][4][2]
| Item | Value |
|---|---|
| ID | S1122 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 13 March 2024 |
| Last Modified | 18 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mispadu creates a link in the Startup folder for persistence.[1] Mispadu also adds persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[5] |
| enterprise | T1217 | Browser Information Discovery | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[2][3] |
| enterprise | T1115 | Clipboard Data | Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | Mispadu’s dropper uses VBS files to install payloads and perform execution.[3][1] |
| enterprise | T1555 | Credentials from Password Stores | Mispadu has obtained credentials from mail clients via NirSoft MailPassView.[3][2][1] |
| enterprise | T1555.003 | Credentials from Web Browsers | Mispadu can steal credentials from Google Chrome.[3][1][5] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Mispadu decrypts its encrypted configuration files prior to execution.[3][1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Mispadu can send the collected financial data to the C2 server.[1][3] |
| enterprise | T1083 | File and Directory Discovery | Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Mispadu can log keystrokes on the victim’s machine.[1][5][4] |
| enterprise | T1056.002 | GUI Input Capture | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[2][3] |
| enterprise | T1106 | Native API | Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.[2][3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Mispadu uses a custom algorithm with hardcoded keys to obfuscate its internal strings.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Mispadu has been spread via malicious links embedded in emails.[3] |
| enterprise | T1057 | Process Discovery | Mispadu can enumerate the running processes on a compromised host.[1] |
| enterprise | T1055 | Process Injection | Mispadu’s binary is injected into memory via WriteProcessMemory.[2][3] |
| enterprise | T1113 | Screen Capture | Mispadu has the ability to capture screenshots on compromised hosts.[3][4][1][5] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Mispadu can list installed security products in the victim’s environment.[1][5] |
| enterprise | T1176 | Software Extensions | - |
| enterprise | T1176.001 | Browser Extensions | Mispadu utilizes malicious Google Chrome browser extensions to steal financial data.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Mispadu has been installed via an MSI installer.[3][1] |
| enterprise | T1218.011 | Rundll32 | Mispadu uses rundll32 to execute its injector DLL.[1] |
| enterprise | T1082 | System Information Discovery | Mispadu collects the OS version, computer name, and language ID.[1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Mispadu checks the compromised system’s language ID and terminates execution if it is not Spanish or Portuguese.[2][3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Mispadu has relied on users to execute malicious files in order to gain execution on victim machines.[1][5][3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Mispadu runs checks to determine whether it is executing in a virtualized environment (Hyper-V, VirtualBox, or VMware) and terminates execution if the computer name is “JOHN-PC.”[1][3] |
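The T1614.001 and T1497.001 rows above describe an execution gate: the payload only proceeds on a Spanish- or Portuguese-language system that is not named “JOHN-PC” and does not look like a Hyper-V, VirtualBox, or VMware guest. A sandbox with a default en-US locale therefore never reaches the banking logic. The following is an added example, not Mispadu's code and not taken from any of the cited reports; it reproduces the gate so an analyst can see which settings cause an abort. The page does not say how the language ID or hardware is read, so the use of a GetUserDefaultLangID-style LANGID and of manufacturer/model strings as hypervisor markers are assumptions about a common implementation.

```python
"""Reproduction of the Mispadu execution gate (T1614.001 language check,
T1497.001 virtual-machine and "JOHN-PC" checks) for sandbox tuning.

Added example, not Mispadu's own code. The API used to read the language
(GetUserDefaultLangID) and the hypervisor marker strings are assumptions;
the page only states which languages pass and which hypervisors are detected.
"""
from __future__ import annotations

from dataclasses import dataclass

# Windows primary language IDs (low 10 bits of a LANGID).
LANG_SPANISH = 0x0A
LANG_PORTUGUESE = 0x16
ALLOWED_PRIMARY_LANGS = {LANG_SPANISH, LANG_PORTUGUESE}

# Assumed manufacturer/model substrings that betray the hypervisors named on the page.
VM_MARKERS = ("virtualbox", "vbox", "vmware", "hyper-v", "virtual machine")


def primary_lang_id(langid: int) -> int:
    """PRIMARYLANGID(): drop the sublanguage bits, so es-MX (0x080A), es-ES
    (0x0C0A) and pt-BR (0x0416) all reduce to their primary language."""
    return langid & 0x03FF


@dataclass(frozen=True)
class HostProfile:
    langid: int                # what GetUserDefaultLangID() would return
    computer_name: str         # %COMPUTERNAME%
    system_manufacturer: str   # Win32_ComputerSystem.Manufacturer
    system_model: str          # Win32_ComputerSystem.Model


def gate_reasons(host: HostProfile) -> list[str]:
    """Return every reason the gate would abort; an empty list means the payload runs."""
    reasons = []
    if primary_lang_id(host.langid) not in ALLOWED_PRIMARY_LANGS:
        reasons.append(f"language ID 0x{host.langid:04X} is not Spanish or Portuguese")
    if host.computer_name.upper() == "JOHN-PC":
        reasons.append("computer name is JOHN-PC")
    hardware = f"{host.system_manufacturer} {host.system_model}".lower()
    hit = next((m for m in VM_MARKERS if m in hardware), None)
    if hit:
        reasons.append(f"hardware strings contain hypervisor marker '{hit}'")
    return reasons


def would_execute(host: HostProfile) -> bool:
    return not gate_reasons(host)


# Constructed profiles: a stock en-US VirtualBox sandbox, a Hyper-V sandbox
# with only the locale fixed, and a bare-metal-looking profile that passes.
SANDBOX_DEFAULT = HostProfile(0x0409, "JOHN-PC", "innotek GmbH", "VirtualBox")
SANDBOX_LOCALE_FIXED = HostProfile(0x0416, "WS-ANALYST", "Microsoft Corporation", "Virtual Machine")
TUNED = HostProfile(0x080A, "DESKTOP-7F2K1Q", "Dell Inc.", "OptiPlex 7090")

if __name__ == "__main__":
    for name, prof in [("default sandbox", SANDBOX_DEFAULT),
                       ("locale fixed", SANDBOX_LOCALE_FIXED),
                       ("tuned", TUNED)]:
        reasons = gate_reasons(prof)
        print(f"{name}: {'RUNS' if not reasons else 'ABORTS'} {reasons}")
```

The practical takeaway is that changing only the locale is not enough for a detonation sandbox: the hypervisor strings and a non-default computer name must be changed too, or the sample exits before showing any of the behaviours in the table.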
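The persistence and proxy-execution rows above (T1547.001 Run key and Startup folder, T1059.005 VBS dropper, T1218.007 Msiexec, T1218.011 Rundll32) chain together on an endpoint as a handful of observable events. The following is an added example of hunting logic for that chain; it is not from the original page or from any of the cited reports. It runs over constructed Sysmon-style events (ProcessCreate ID 1, FileCreate ID 11, RegistryEvent value-set ID 13); every path, SID, and DLL name in the sample events is made up for illustration.

```python
"""Hunting logic for the Mispadu persistence and proxy-execution behaviours
(T1547.001, T1218.007, T1218.011, T1059.005) over Sysmon-style events.

Added example, not from the original page. Event field names follow Sysmon
(Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details);
all sample values below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations an unprivileged user can write to; code launched from here via a
# Run key or rundll32 deserves a look, whereas Program Files/System32 do not.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\|\\programdata\\|\\temp\\|\\appdata\\)", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


@dataclass(frozen=True)
class Finding:
    technique: str
    rule: str
    evidence: str


def check_event(ev: dict) -> list[Finding]:
    """Apply the four rules to one Sysmon-style event dict and return any findings."""
    findings = []
    eid = ev["EventID"]
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")) \
            and USER_WRITABLE.search(ev.get("Details", "")):
        findings.append(Finding("T1547.001", "Run key value points into a user-writable path",
                                f'{ev["TargetObject"]} = {ev["Details"]}'))
    if eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        findings.append(Finding("T1547.001", "shortcut dropped in Startup folder",
                                ev["TargetFilename"]))
    if eid == 1:
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmdline = ev.get("CommandLine", "")
        if image.endswith("\\rundll32.exe") and USER_WRITABLE.search(cmdline):
            findings.append(Finding("T1218.011", "rundll32 loading a DLL from a user-writable path",
                                    cmdline))
        if image.endswith("\\msiexec.exe") and parent.endswith(SCRIPT_HOSTS):
            findings.append(Finding("T1218.007", "msiexec spawned by a script host (VBS dropper pattern)",
                                    cmdline))
    return findings


def hunt(events) -> list[Finding]:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed events. Sysmon logs HKCU writes under HKU\<SID>, so the Run key
# rule matches on the key path rather than on the hive prefix.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\Public\Libraries\upd.dll,Start"},
    # Legitimate Run value pointing into Program Files: no finding.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\pkg.msi /qn"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Libraries\upd.dll,Start"},
    # Routine rundll32 use with a System32 DLL: no finding.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.evidence}")
```

Run-key writes and rundll32 launches are common in benign software, which is why both rules require the referenced binary or DLL to live in a user-writable location; on a real estate the four findings would be correlated by host and time window rather than alerted on individually.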
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1026 | Malteiro | [3] |
References
1. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
2. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
3. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
4. SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.
5. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
6. SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024.