
The banking Trojan known as Mispadu has expanded its focus from Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden.
Morphisec said the ongoing campaign is targeting entities in sectors such as finance, services, motor vehicle manufacturing, law firms, and commercial facilities.
“Despite the expanded geographic scope, Mexico remains a primary target,” security researcher Arnold Osipov said in a report released last week.
“This campaign resulted in the theft of thousands of credentials, with records dating back to April 2023. Threat actors used these credentials to craft malicious phishing emails that pose a significant threat to recipients.”
Mispadu, also known as URSA, came to light in 2019, when it was observed running credential theft campaigns against customers of financial institutions in Brazil and Mexico by displaying fake pop-ups. The Delphi-based malware is also capable of taking screenshots and capturing keystrokes.
The latest attack chain, typically distributed via spam emails, exploits a now-patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS score: 8.8) to compromise users in Mexico.

The infection sequence analyzed by Morphisec is a multi-stage process that begins with a PDF attachment in an invoice-themed email. When the PDF is opened, the recipient is prompted to click a booby-trapped link to download the full invoice, which instead delivers a ZIP archive.
The ZIP contains either an MSI installer or an HTA script that retrieves and executes a Visual Basic Script (VBScript) from a remote server. That script downloads a second VBScript, which ultimately uses AutoIT to fetch and launch the Mispadu payload after the loader decrypts it and injects it into memory.
“This [second] script was heavily obfuscated and used the same decryption algorithm as mentioned in the DLL,” Osipov said.
“Before downloading and invoking the next stage, the script performs multiple anti-VM checks, including querying the computer’s model, manufacturer, and BIOS version and comparing them to VM-related checks.”
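The anti-VM check described above works by reading hardware identity from WMI and looking for hypervisor fingerprints. The following is an added illustration written for this article, not Mispadu's own script: the report excerpt does not list the exact strings the loader compares against, so the VM_MARKERS list is an assumption drawn from commonly documented hypervisor identifiers, and the SAMPLE_HOSTS inventories are constructed stand-ins for live WMI output. The live query uses PowerShell's Get-CimInstance against Win32_ComputerSystem and Win32_BIOS, the same three properties named in the quote.

```python
"""Illustrative anti-VM check of the kind attributed to the Mispadu loader.

Added example, not Mispadu's code. VM_MARKERS is an assumed list; the real
loader's comparison strings are not given in the report excerpt.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed marker list: substrings hypervisors commonly leave in
# Win32_ComputerSystem.Model/Manufacturer and Win32_BIOS.SMBIOSBIOSVersion.
VM_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
    "hyper-v", "virtual machine", "bochs", "parallels",
)


@dataclass(frozen=True)
class HardwareFacts:
    model: str
    manufacturer: str
    bios_version: str


def looks_like_vm(facts: HardwareFacts) -> List[str]:
    """Return the markers that matched; an empty list means 'looks physical'.

    Case-insensitive substring match across all three fields, mirroring the
    'compare model, manufacturer and BIOS version to VM-related strings' step.
    """
    haystack = " ".join((facts.model, facts.manufacturer, facts.bios_version)).lower()
    return [m for m in VM_MARKERS if m in haystack]


def collect_hardware_facts() -> Optional[HardwareFacts]:
    """Query the same three WMI properties on a Windows host via PowerShell.

    Returns None on non-Windows systems or if the query fails, so the module
    still runs offline and on analyst workstations that are not Windows.
    """
    if os.name != "nt":
        return None
    script = (
        "$cs = Get-CimInstance Win32_ComputerSystem; "
        "$bios = Get-CimInstance Win32_BIOS; "
        "Write-Output $cs.Model; Write-Output $cs.Manufacturer; "
        "Write-Output $bios.SMBIOSBIOSVersion"
    )
    try:
        lines = subprocess.run(
            ["powershell", "-NoProfile", "-Command", script],
            capture_output=True, text=True, timeout=15, check=True,
        ).stdout.splitlines()
    except (OSError, subprocess.SubprocessError):
        return None
    if len(lines) < 3:
        return None
    return HardwareFacts(lines[0].strip(), lines[1].strip(), lines[2].strip())


# Constructed sample inventories standing in for live WMI output.
SAMPLE_HOSTS: Dict[str, HardwareFacts] = {
    "vbox-sandbox": HardwareFacts("VirtualBox", "innotek GmbH", "VirtualBox"),
    "vmware-analyst": HardwareFacts("VMware Virtual Platform", "VMware, Inc.", "VMW71.00V.0"),
    "dell-laptop": HardwareFacts("Latitude 7420", "Dell Inc.", "1.21.0"),
}


def triage(hosts: Dict[str, HardwareFacts]) -> Dict[str, bool]:
    """Map host name -> True when a loader with this check would bail out."""
    return {name: bool(looks_like_vm(f)) for name, f in hosts.items()}


if __name__ == "__main__":
    live = collect_hardware_facts()
    if live is not None:
        print("this host:", live, "->", looks_like_vm(live) or "no VM markers")
    for name, is_vm in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {'VM detected, loader would abort' if is_vm else 'physical, loader proceeds'}")
```

The practical takeaway for analysts is that a sandbox must spoof all three properties, not just the model string, before the second-stage script will fetch the AutoIT stage and the final payload.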
Another hallmark of the Mispadu attack is the use of two different command-and-control (C2) servers: one serves the intermediate and final-stage payloads, and the other receives credentials stolen from more than 200 services. The exfiltration server currently holds over 60,000 files.
Separately, The DFIR Report has detailed a February 2023 breach in which malicious Microsoft OneNote attachments were used to deliver IcedID, which in turn was used to drop Cobalt Strike, AnyDesk, and Nokoyawa ransomware.
A year ago, Microsoft announced that it would begin blocking 120 file extensions embedded in OneNote files to prevent their misuse for malware distribution.
YouTube game hack videos serve malware
Enterprise security firm Proofpoint says multiple YouTube channels promoting cracked and pirated video games are serving as conduits for information stealers such as Lumma Stealer, Stealc, and Vidar by placing malicious links in video descriptions.

“These videos are designed to show end users how to do things like download software or upgrade video games for free, but the links in the video descriptions lead to malicious software,” security researcher Isaac Shaughnessy said in an analysis published today.
There is evidence that such videos were posted from compromised accounts, but it is also possible that the threat actors behind this operation created short-lived accounts for the purpose of dissemination.
All of the videos contain Discord and MediaFire URLs that lead to password-protected archives, ultimately resulting in the deployment of the stealer malware.
Proofpoint said it has identified several distinct clusters of activity spreading stealers through YouTube, all aimed at non-enterprise users. The activity has not been attributed to a single threat actor or group.
“However, the techniques used are similar, including using video descriptions to host URLs that lead to malicious payloads and providing instructions for disabling antivirus software, as well as using similar file sizes and bloat to attempt to bypass detection,” Shaughnessy said.