Mispandu Bank Trojan Campaigns Targeting Latin American Organizations for Credential Harvesting

Researchers reported the technical details of 20+ campaigns targeting Latin American organizations with the Mispandu bank trojan.

On March 20, 2023, Metabase Q security researchers reported the technical details of more than 20 different campaigns targeting organizations in Chile, Mexico, Peru, and Portugal with the Mispandu bank trojan. According to the report, the campaigns attempt to “steal credentials from users when accessing online banking, schools, government services, social media, gaming, ecommerce, public repositories, etc., and also targeting Outlook email credentials.”

Technical Details

According to the report, the campaigns leverage HTML pages and password-protected PDF files impersonating invoices and bills. Metabase Q reported that more than 90,000 credentials from more than 17,000 websites in multiple industry verticals, based on data pulled from eight command-and-control (C2) servers.

According to the report, the threat actors behind the campaigns compromise legitimate websites for C2 infrastructure and have an automated payload building process for rapid delivery and scale. The versions of Mispandu being leveraged in the active campaigns includes new features such as:

  • Fake certificates to obfuscate initial stage malware
  • A new .NET-based backdoor able to take screenshots or even send fake Windows to the victim
  • A new RUST-Based Backdoor, this programming language is still not well handled by endpoint protection

IOCs

Metabase Q researchers provided the following indicators of compromise (IOCs):

Indicator

Type

%AppData%\Roaming\herman\a3x\herndon\Factura_Deuda_423534[.]cmd

File Name

%AppData%\Roaming\herman\exe\vayala\jordan[.]exe

File Name

%AppData%\Roaming\herman\a3x\Factura_Deuda_423534[.]a3x

File Name

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs
\Startup\DriverAudio[.]lnk

File Name

%USER%\Downloads\sastreria[.]xls[.]exe

File Name

%PUBLIC%\gnVzjGd[.]vbs

File Name

104[.]238[.]182[.]44

IP Address

140[.]82[.]47[.]181

IP Address

https://www.zairtaz[.]com/wp-content/plugins/license/inc/
hydra/do/it.php?f=9&w=Windows%2010

URL

https://imberform[.]com/img/?dew98fy348erf7i

URL

http://vasuk[i][.]in/wp-content/img/do/it[.]php?f=9&w=
Windows%207

URL

http://luzca[.]com/img/do/it.php?f=2&w=Windows%207

URL

http://nbviajesacapulco[.]com/pruc/it.php?f=9&w=Windows%207

URL

http://nbviajesacapulco[.]com/pixel/it.php?f=2&w=Windows%207

URL

http://www.castleblack[.]online/cfr/it.php?f=2&w=Windows%207

URL

https://dicktres.com[.]br/pontecom/wp-content/img/do/it.php

URL

https://bdadvisors[.]ma/img/do/it[.]php?f=2&w=Windows%2010

URL

http://blog.traveldealsbd[.]com/images/arrow/do/
it.php?b1=1&v1=1033&v2=1033&v3=
Windows%207&v4=User&v5=X64

URL

http://tripsapata[.]com/assets/images/swan/do/it.php

URL

https://blablamap[.]net/images/arrow/do/it.php

URL

http://facturacion.sat[.]gob.educationalwriters.com/
do/it.php?f=2&w=Windows%207

URL

http://aguiasoft.com[.]br/blog/hydra/do/
it.php?b1=1&v1=3082&v2=2058&v3=windows%
207&v4=admin&v5=x64

URL

http://explanada2023[.]com/wp-includes/stylish/it.
php?f=2&w=Windows%207

URL

http://vaadiandkoh[.]com/ue/app/do/it.php?f=9&w=Windows%207

URL

http://websylvania[.]com/psj/do/it.php?b1=1&v1=3082&v2
=1034&v3=windows%207&v4=admin&v5=x64

URL

http://publicpressmagazine[.]com/images/swan/do/it.
php?b1=1&v1=1033&v2=1033&v3=Windows%207
&v4=User&v5=X86

URL

https://factura61[.]click/2/
?CQ9OCKlYIQOSZqMxY43B80jdDceyL69GLzh6HNkZ

URL

https://sxconstructions[.]com[.]au
/wp-content/img/do/it.php?b1&v1=1033&v2=1033&v3=&v4
=Windows%207&v5=User&v6=X%2086&v7=

URL

https://kh7jv[.]store/?JDCE8IFt3QZJ2Ms4FQv8bp5q9KM6bFvMKUeE7QOLg7
z4Kl9Oa48sMGRJDCE8IFt3QZJ2Ms4FQv8bp5q9KM6b
FvMKUeE7QOLg7z4Kl9Oa48sMGR

URL

https://sxconstructions[.]com.au/wp-content/img/do/it.php?f=2&w=Windows%210

URL

https://sxconstructions[.]com.au/wp-content/img/do/
it.php?info2=DATOS

URL

http://highlineadsl[.]com/ddd/it.php?f=3&w=Windows%207

URL

http://germogenborya[.]top/rest/?h=CODE

URL

http://vaadiandkoh[.]com/ue/app/do/it.php?f=9&w=Windows%207

URL

http://grintour[.]newdestuner[.]xyz/g1

URL

http://grintour.newdestuner[.]xyz/dhyhsh3a.php

URL

https://facturaciones[.]click/?7kqhhbEE9Y1FiEBZ0Uc7izRLyJ2TWdZFK0qnXvXU

URL

http://russk22[.]icu/brbr.txt

URL

https://bola.com[.]au/images/hh/cfdi/do/
it.php?f=2&w=Windows%2010

URL

https://splendidgifts.com[.]my/hiway/ap2/do/
it.phpb1&v1=1033&v2=1033&v3=&v4=Windows
%2010&v5=User&v6=X64

URL

https://tequilamisorpresa[.]com/ytweshdg.php?id=

URL

http://formas-mexico[.]com/formas.xls

URL

germogenborya[.]top

URL

germogenborya[.]at

URL

grintour[.]newdestuner[.]xyz

URL

russk22[.]icu

URL

https://retiro10[.]click/

URL

https://facturaciones[.]click

URL

https://facturasnet[.]store

URL

https://facturaciones3[.]click/

URL

https://retiro10[.]store/

URL

E903B37B1E42D0B8BF0514CB13A46233

MD5

E5967A8274D40E0573C28B664670857E

MD5

0ADB9B817F1DF7807576C2D7068DD931

MD5

2858CDF0B9FB6DDD18709909DF612063

MD5

3FB45296ABDC78792FB609C187B4A89D

MD5

AB80D005BCC4641D5D1AE75FBB2723B9

MD5

0D8D82E1810F549F8645535C836D7AFD

MD5

293B9621798EE17005D1EFFE463A8989

MD5

618A60899AAE66EA55E5DC8374C7B828

MD5

B41E2B88FFF36FF4937DC19F2677EE84

MD5

72e83b133a9e4cecd21fdb47334672f6

MD5

a96125294afa1c3f92ab7be615dc1cbe  

MD5

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

More Recent Blog Posts

View All Blogs