Mispadu Banking Trojan Resurfaces

Additional insights and analysis by Don Ladores and Raphael Centeno

Recent spam campaigns leading to URSA/Mispadu banking trojan (detected by Trend Micro as TrojanSpy.Win32.MISPADU.THIADBO) have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems.

This attack targets systems with Spanish and Portuguese as system languages. It is also likely that they have targets similar to previous Mispadu attacks where users from Mexico, Spain, Portugal, and other nearby regions were targeted. This behavior is in line with past Mispadu schemes, such as the one where spam emails for fake discount coupons were used as bait.

Analysis of the campaigns

For this particular case, Mispadu’s entry vector is spam, similar to past campaigns involving the malware. By sending messages that refer to overdue invoices, attackers create a seemingly urgent situation that then persuades receivers to download a .zip file from malicious URLs.

This zip file contains an MSI (Microsoft Installer file) that has a VBScript. This is followed by three layers of obfuscation that, when deobfuscated, reveal the final VBScript file that executes an AutoIT Loader/Injector.

The final VBScript also retrieves data on the operating system version. If the script detects a virtual environment such as the following, the script terminates its execution:

• Hyper-V
• VirtualBox
• VMWare

It also inspects whether the system is using any of the following languages:

As aforementioned, the attackers are targeting users whose machines are set to use these identified languages. If the system is using a different language ID from those listed, the attack process stops. It also terminates the attack if the computer name is equal to “JOHN-PC.”

The final VBScript also loads the AutoIT file, which loads into the memory the final payload: a Delphi file containing the trojan code and processes. The Delphi binary executes a browser banking overlay that steals the victim’s data and uses the name and logo of legitimate banks.

Figures 1-2. Fake banking overlays using logos of legitimate banks

The binary also has two legitimate tools, NirSoft’s WebBrowserPassView and Mail PassView, which can collect user’s data.

Delving deeper into related attacks, we analyzed indicators of compromise (IOCs) shared in a Twitter post by CronUp Red Team and Threat Intelligence Leader Germán Fernández. The tweet shared information such as open-dir logs supposedly used by the malware. Using this information, we were able to analyze related malicious files and dig up some possible exfiltration sites (URLs) from the samples we analyzed. This list is featured in the IOC portion. Behavior-wise, the results of the analysis echo Tavares’ findings.

Banking on protection against spam

As institutions directly handling finances, banks are attractive targets for cybercriminals who are after monetary gain. Trojans are one of the tools threat actors use to steal from users of banking systems, and spam is one of the ways that they are propagated.

To avoid compromise brought about by malicious emails, the following steps are recommended:

• Never open links or download attachments from emails from untrusted sources.
• Check if the sender’s email address is spoofed.
• Inspect the email for grammatical errors or misspelled words, which are common in spam emails.
• Contact the companies that supposedly sent the emails to verify that the messages came from them.

Here are some recommended security solutions for protecting yourself from spam:

• Trend Micro™ Email Security – protects systems against spam, phishing, Business Email Compromise (BEC), and other email threats.
• Trend Micro™ Deep Discovery™ Email Inspector – has an optimal gateway module that filters inbound messages based on senders, spam and phishing filters, and content.

Indicators of Compromise

URLs

• hxxp://01fckgwxqweod01.ddns.net
• hxxp://01odinxqwefck01.ddns.net
• hxxp://02fckgwxqweod02.ddnsking.com
• hxxp://02odinxqwefck02.ddnsking.com
• hxxp://03fckgwxqweod03.3utilities.com
• hxxp://03odinxqwefck03.3utilities.com
• hxxp://04fckgwxqweod04.bounceme.net
• hxxp://04odinxqwefck04.bounceme.net
• hxxp://05fckgwxqweod05.freedynamicdns.net
• hxxp://05odinxqwefck05.freedynamicdns.net
• hxxp://06fckgwxqweod06.freedynamicdns.org
• hxxp://06odinxqwefck06.freedynamicdns.org
• hxxp://07fckgwxqweod07.gotdns.ch
• hxxp://07odinxqwefck07.gotdns.ch
• hxxp://08fckgwxqweod08.hopto.org
• hxxp://08odinxqwefck08.hopto.org
• hxxp://09fckgwxqweod09.myddns.me
• hxxp://09odinxqwefck09.myddns.me
• hxxp://10fckgwxqweod10.myftp.biz
• hxxp://10odinxqwefck10.myftp.biz
• hxxp://11fckgwxqweod11.myftp.org
• hxxp://11odinxqwefck11.myftp.org
• hxxp://12fckgwxqweod12.ddns.net
• hxxp://12odinxqwefck12.ddns.net
• hxxp://13fckgwxqweod13.ddnsking.com
• hxxp://13odinxqwefck13.ddnsking.com
• hxxp://14fckgwxqweod14.3utilities.com
• hxxp://14odinxqwefck14.3utilities.com
• hxxp://15fckgwxqweod15.bounceme.net
• hxxp://15odinxqwefck15.bounceme.net
• hxxp://16fckgwxqweod16.freedynamicdns.net
• hxxp://16odinxqwefck16.freedynamicdns.net
• hxxp://17fckgwxqweod17.freedynamicdns.org
• hxxp://17odinxqwefck17.freedynamicdns.org
• hxxp://18fckgwxqweod18.gotdns.ch
• hxxp://18odinxqwefck18.gotdns.ch
• hxxp://19fckgwxqweod19.hopto.org
• hxxp://19odinxqwefck19.hopto.org
• hxxp://20fckgwxqweod20.myddns.me
• hxxp://20odinxqwefck20.myddns.me
• hxxp://21fckgwxqweod21.myftp.biz
• hxxp://21odinxqwefck21.myftp.biz
• hxxp://22fckgwxqweod22.myftp.org
• hxxp://22odinxqwefck22.myftp.org
• hxxp://23fckgwxqweod23.ddns.net
• hxxp://23odinxqwefck23.ddns.net
• hxxp://24fckgwxqweod24.ddnsking.com
• hxxp://24odinxqwefck24.ddnsking.com
• hxxp://25fckgwxqweod25.3utilities.com
• hxxp://25odinxqwefck25.3utilities.com
• hxxp://26fckgwxqweod26.bounceme.net
• hxxp://26odinxqwefck26.bounceme.net
• hxxp://27fckgwxqweod27.freedynamicdns.net
• hxxp://27odinxqwefck27.freedynamicdns.net
• hxxp://28fckgwxqweod28.freedynamicdns.org
• hxxp://28odinxqwefck28.freedynamicdns.org
• hxxp://29fckgwxqweod29.gotdns.ch
• hxxp://29odinxqwefck29.gotdns.ch
• hxxp://30fckgwxqweod30.hopto.org
• hxxp://30odinxqwefck30.hopto.org
• hxxp://31fckgwxqweod31.myddns.me
• hxxp://31odinxqwefck31.myddns.me
• hxxp://87.98.137.173/
• hxxp://87.98.137.173/gt21.php
• hxxp://87.98.137.173/k1oa
• hxxp://87.98.137.173/m/k1