Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

silversurfer

A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads.

The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News.

Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.

"One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different types of malware based on the country being infected," researchers Fernando García and Dan Regalado said.
 

upnorth

To our surprise, almost every anti-virus available on the market was bypassed by the infection. A full list of vendors bypassed, taken from one of the C2 servers, is below:

Microsoft Defender, Acronis Cyber Protect, Avast Total Security, Bitdefender Endpoint Security, Carbon Black Cloud, Cisco Secure Endpoint, ESET NOD32, F-Secure, FortiClient, Kaspersky, Malwarebytes, McAfee Anti-Virus, Norton Antivirus/Security Ultra, Panda Dome, Reason Cybersecurity, Sentinel Agent, Sophos Home, Spybot, Symantec Endpoint, Total AV, Trellix Endpoint, 360 Total Security, Avira Security, Baidu Antivirus, COMODO Antivirus, Cybereason AV, Cylance PROTECT and AVG Antivirus.

This helps to explain the large number of infected machines during these campaigns. It is important to note that based on Metabase Q’s SOC visibility, EDR-based protection was able to block the infection successfully. This indicates that anti-virus-only protection is not enough.