ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads

Published 20 November 2019 on blog.eset.ee (category: cybercrime)
https://blog.eset.ee/et/en/2019/11/20/eset-identifies-latin-american-banking-trojan-mispadu-targeting-victims-with-malicious-facebook-ads/

Similar to the Amavaldo (https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/) and Casbaneiro (https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/) malware families recently described by ESET, Mispadu is written in Delphi and targets victims through fake pop-up windows that try to persuade them to share their personal details and credentials. The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes.

The ESET research team has seen the Mispadu family using two different distribution methods: spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare. The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald's. Clicking on the advertisement leads the potential victim to a malicious webpage where a ZIP file containing an MSI installer, masquerading as a discount coupon, can be downloaded. If downloaded and executed, a chain of three scripts follows, resulting in the download and execution of the Mispadu banking trojan. The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim's stored credentials from web browsers and email clients.

In Brazil, Mispadu has also been seen distributing an interesting, malicious Google Chrome extension. The extension claims to "Protect your Chrome," but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based ticketing system to transfer payments. The Boleto component of the Mispadu malware attack is its most advanced feature, as it replaces the legitimate barcode on a Boleto ticket with one connected to the attacker's bank account, generated via the abuse of a legitimate website.