ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads

ESET, a global leader in cybersecurity, continues its research into Latin American banking trojans with the identification of another previously unknown malware family, Mispadu.

Similar to the Amavaldo and Casbaneiro malware families recently described by ESET, Mispadu is written in Delphi and targets victims through the use of fake pop-up windows trying to persuade potential victims to share their personal details and credentials. The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes.

The ESET research team has seen the Mispadu family using two different distribution methods – spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare. The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald’s. Clicking on the advertisement leads the potential victim to a malicious webpage where a ZIP file containing an MSI installer, masquerading as a discount coupon, can be downloaded. If downloaded and executed, a chain of three scripts follows, resulting in the download and execution of the Mispadu banking trojan. The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim’s stored credentials from web browsers and email clients.

In Brazil, Mispadu has been seen also distributing an interesting, malicious Google Chrome extension. The extension claims to “Protect your Chrome,” but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based ticketing system to transfer payments. The Boleto component of the Mispadu malware attack is its most advanced feature, as it replaces the legitimate barcode on a Boleto ticket with one connected to the attacker’s bank account, generated via the abuse of a legitimate website.