The banking trojan often known as Mispadu has expanded its focus past Latin America (LATAM) and Spanish-speaking people to focus on customers in Italy, Poland, and Sweden.
Targets of the continuing marketing campaign embrace entities spanning finance, companies, motorcar manufacturing, legislation companies, and business services, in line with Morphisec.
“Despite the geographic expansion, Mexico remains the primary target,” safety researcher Arnold Osipov mentioned in a report printed final week.
“The campaign has resulted in thousands of stolen credentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious phishing emails, posing a significant threat to recipients.”
Mispadu, additionally known as URSA, got here to gentle in 2019, when it was noticed finishing up credential theft actions aimed toward monetary establishments in Brazil and Mexico by displaying faux pop-up home windows. The Delphi-based malware can also be able to taking screenshots and capturing keystrokes.
Sometimes distributed by way of spam emails, current assault chains have leveraged a now-patched Home windows SmartScreen safety bypass flaw (CVE-2023-36025, CVSS rating: 8.8) to compromise customers in Mexico.
The an infection sequence analyzed by Morphisec is a multi-stage course of that commences with a PDF attachment current in invoice-themed emails that, when opened, prompts the recipient to click on on a booby-trapped hyperlink to obtain the whole bill, ensuing within the supply of a ZIP archive.
The ZIP comes with both an MSI installer or an HTA script that is liable for retrieving and executing a Visible Primary Script (VBScript) from a distant server, which, in flip, downloads a second VBScript that finally downloads and launches the Mispadu payload utilizing an AutoIT script however after it is decrypted and injected into reminiscence via a loader.
“This [second] script is heavily obfuscated and employs the same decryption algorithm as mentioned in the DLL,” Osipov mentioned.
“Before downloading and invoking the next stage, the script conducts several Anti-VM checks, including querying the computer’s model, manufacturer, and BIOS version, and comparing them to those associated with virtual machines.”
The Mispadu assaults are additionally characterised by means of two distinct command-and-control (C2) servers, one for fetching the intermediate and final-stage payloads and one other for exfiltrating the stolen credentials from over 200 companies. There are presently greater than 60,000 information within the server.
The event comes because the DFIR Report detailed a February 2023 intrusion that entailed the abuse of malicious Microsoft OneNote information to drop IcedID, utilizing it to drop Cobalt Strike, AnyDesk, and the Nokoyawa ransomware.
Microsoft, precisely a yr in the past, introduced that it will begin blocking 120 extensions embedded inside OneNote information to forestall its abuse for malware supply.
YouTube Movies for Recreation Cracks Serve Malware
The findings additionally come as enterprise safety agency Proofpoint mentioned a number of YouTube channels selling cracked and pirated video video games are appearing as a conduit to ship info stealers equivalent to Lumma Stealer, Stealc, and Vidar by including malicious hyperlinks to video descriptions.
“The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware,” safety researcher Isaac Shaughnessy mentioned in an evaluation printed in the present day.
There’s proof to counsel that such movies are posted from compromised accounts – in a single case taking up a channel with over 800,000 subscribers – however there may be additionally the chance that the menace actors behind the operation have created short-lived accounts for dissemination functions.
All of the movies embrace Discord and MediaFire URLs that time to password-protected archives that finally result in the deployment of the stealer malware.
Proofpoint mentioned it recognized a number of distinct exercise clusters propagating stealers by way of YouTube with an purpose to single out non-enterprise customers. The marketing campaign has not been attributed to a single menace actor or group.
“The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections,” Shaughnessy mentioned.
(The story was up to date after publication to incorporate extra particulars from ASEC concerning the stealer campaigns propagating by way of YouTube.)