Mispadu – Banking Trojan Uses Fake McDonald’s Advertisements to Spread
First discovered in late 2019, Mispadu is a banking trojan written in Delphi that targets victims with fake pop-up windows designed to persuade them to hand over personal details and banking credentials. Aimed primarily at users in Brazil and Mexico, the trojan also has backdoor functionality: it can take screenshots of the current screen, simulate mouse and keyboard input, and capture keystrokes. To harvest stored credentials it uses NirSoft’s WebBrowserPassView and Mail PassView.
The operators behind Mispadu have used both spam and malvertising to distribute the trojan, but they are best known for placing fake McDonald’s advertisements on Facebook that offered discount coupons. A user who clicks one of these advertisements is redirected to a malicious web page offering a ZIP file for download; inside it is an MSI installer masquerading as the coupon. If the installer is executed, a chain of three scripts runs, ending with the download and execution of the Mispadu banking trojan. The trojan then uses four applications, all modified copies of legitimate software, to extract the victim’s credentials stored in web browsers and email clients.

The second entry vector, spam, relies on messages about overdue invoices to create a sense of urgency. Recipients are directed to a site similar to the one described above and persuaded to download a ZIP file containing the same MSI installer. Note that the installer’s script collects information about the host and checks whether it is running in a virtualized environment, a common sandbox-evasion technique; if it is, the script terminates without installing the trojan, so dynamic analysis on a stock virtual machine may show nothing.
Both attack vectors (spam and malvertising) rely on misleading users into interacting with malicious files and downloads, so the attack depends heavily on social engineering. To protect yourself against attacks of this kind, the following steps are strongly recommended:
- Never open links or download attachments in emails from untrusted sources.
- Check whether the sender’s email address is spoofed: a From address that does not match the organisation it claims to be from, or that fails your mail gateway’s SPF, DKIM or DMARC checks.
- Inspect the email for grammatical errors or misspelled words, which are common in spam.
- Contact the company that supposedly sent the email, using contact details you already trust rather than those in the message, to verify that it came from them.
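The spoofing check in the list above can be automated at the mail gateway or in triage. The script below is an added example, not part of the original post or of any Mispadu analysis: it parses a raw message with Python’s standard `email` module, compares the From, Return-Path and Reply-To domains, and reads the SPF/DKIM/DMARC results from the `Authentication-Results` header. The two sample messages and the `TRUSTED_AUTHSERV_ID` value are constructed for the example; only headers stamped by your own gateway are trusted, because a sender can forge copies of `Authentication-Results` themselves.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List

# Assumed: the authserv-id your own mail gateway writes into Authentication-Results.
# Only headers carrying this id are trusted; senders can forge copies of the header.
TRUSTED_AUTHSERV_ID = "mx.example.org"

# Constructed overdue-invoice lure in the style the text describes; every address and
# header value is invented, nothing here comes from a real Mispadu sample.
SAMPLE_PHISH = """\
Return-Path: <bounce@invoice-alerts.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=invoice-alerts.example.net;
 dkim=none;
 dmarc=fail (p=reject) header.from=example-bank.com
From: "Example Bank Billing" <billing@example-bank.com>
Reply-To: <collections@invoice-alerts.example.net>
To: victim@example.org
Subject: Overdue invoice - immediate payment required
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Download the attached coupon and pay today.
"""

# Constructed legitimate message for contrast: aligned domains, all checks passing.
SAMPLE_CLEAN = """\
Return-Path: <noreply@example-bank.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example-bank.com;
 dkim=pass header.d=example-bank.com;
 dmarc=pass header.from=example-bank.com
From: "Example Bank" <noreply@example-bank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking.
"""

def domain_of(header_value: str) -> str:
    """Lower-case domain of the first address in a header value ('' if there is none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def parse_auth_results(values: List[str]) -> Dict[str, str]:
    """Return {method: result} from Authentication-Results headers stamped by our gateway."""
    results: Dict[str, str] = {}
    for value in values:
        text = " ".join(str(value).split())          # unfold continuation lines
        head = text.split(";", 1)[0].split()         # authserv-id, optionally followed by a version
        if not head or head[0].lower() != TRUSTED_AUTHSERV_ID:
            continue                                 # not our header: ignore it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", text, re.IGNORECASE):
            results[method.lower()] = result.lower()
    return results

def spoofing_indicators(raw_message: str) -> List[str]:
    """List the reasons a message looks spoofed; an empty list means no indicator fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    # Misaligned envelope sender or reply address is the classic sign of a forged From.
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))
    if not auth:
        findings.append("no Authentication-Results from trusted gateway")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "none") != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, spoofing_indicators(raw) or ["no indicators"])
```

A DMARC failure on a From domain that publishes `p=reject` is the strongest single signal here; the domain-alignment checks matter when the sender’s domain publishes no policy at all, which is still common.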
If you or anyone within your organization has been infected with the Mispadu Banking Trojan, please follow these instructions to rid your machines of the malware.
Indicators of Compromise (IOCs):
- URLs
- hxxp://01fckgwxqweod01.ddns.net
- hxxp://01odinxqwefck01.ddns.net
- hxxp://02fckgwxqweod02.ddnsking.com
- hxxp://02odinxqwefck02.ddnsking.com
- hxxp://03fckgwxqweod03.3utilities.com
- hxxp://03odinxqwefck03.3utilities.com
- hxxp://04fckgwxqweod04.bounceme.net
- hxxp://04odinxqwefck04.bounceme.net
- hxxp://05fckgwxqweod05.freedynamicdns.net
- hxxp://05odinxqwefck05.freedynamicdns.net
- hxxp://06fckgwxqweod06.freedynamicdns.org
- hxxp://06odinxqwefck06.freedynamicdns.org
- hxxp://07fckgwxqweod07.gotdns.ch
- hxxp://07odinxqwefck07.gotdns.ch
- hxxp://08fckgwxqweod08.hopto.org
- hxxp://08odinxqwefck08.hopto.org
- hxxp://09fckgwxqweod09.myddns.me
- hxxp://09odinxqwefck09.myddns.me
- hxxp://10fckgwxqweod10.myftp.biz
- hxxp://10odinxqwefck10.myftp.biz
- hxxp://11fckgwxqweod11.myftp.org
- hxxp://11odinxqwefck11.myftp.org
- hxxp://12fckgwxqweod12.ddns.net
- hxxp://12odinxqwefck12.ddns.net
- hxxp://13fckgwxqweod13.ddnsking.com
- hxxp://13odinxqwefck13.ddnsking.com
- hxxp://14fckgwxqweod14.3utilities.com
- hxxp://14odinxqwefck14.3utilities.com
- hxxp://15fckgwxqweod15.bounceme.net
- hxxp://15odinxqwefck15.bounceme.net
- hxxp://16fckgwxqweod16.freedynamicdns.net
- hxxp://16odinxqwefck16.freedynamicdns.net
- hxxp://17fckgwxqweod17.freedynamicdns.org
- hxxp://17odinxqwefck17.freedynamicdns.org
- hxxp://18fckgwxqweod18.gotdns.ch
- hxxp://18odinxqwefck18.gotdns.ch
- hxxp://19fckgwxqweod19.hopto.org
- hxxp://19odinxqwefck19.hopto.org
- hxxp://20fckgwxqweod20.myddns.me
- hxxp://20odinxqwefck20.myddns.me
- hxxp://21fckgwxqweod21.myftp.biz
- hxxp://21odinxqwefck21.myftp.biz
- hxxp://22fckgwxqweod22.myftp.org
- hxxp://22odinxqwefck22.myftp.org
- hxxp://23fckgwxqweod23.ddns.net
- hxxp://23odinxqwefck23.ddns.net
- hxxp://24fckgwxqweod24.ddnsking.com
- hxxp://24odinxqwefck24.ddnsking.com
- hxxp://25fckgwxqweod25.3utilities.com
- hxxp://25odinxqwefck25.3utilities.com
- hxxp://26fckgwxqweod26.bounceme.net
- hxxp://26odinxqwefck26.bounceme.net
- hxxp://27fckgwxqweod27.freedynamicdns.net
- hxxp://27odinxqwefck27.freedynamicdns.net
- hxxp://28fckgwxqweod28.freedynamicdns.org
- hxxp://28odinxqwefck28.freedynamicdns.org
- hxxp://29fckgwxqweod29.gotdns.ch
- hxxp://29odinxqwefck29.gotdns.ch
- hxxp://30fckgwxqweod30.hopto.org
- hxxp://30odinxqwefck30.hopto.org
- hxxp://31fckgwxqweod31.myddns.me
- hxxp://31odinxqwefck31.myddns.me
- hxxp://87.98.137.173/
- hxxp://87.98.137.173/gt21.php
- hxxp://87.98.137.173/k1oa
- hxxp://87.98.137.173/m/k1
- SHA-256
- 048afd4276b67b78fdb03714c3bcc766f83407ea4012aa6eae9de5c7cb2d87b8
- 073f9d7bbdca94b3e6f5e572522e8ed17629abf6ef27f0e6a65895a107b52881
- 0d57869a4d6509a13ff48af46492f1a8bb2ee33f5c01897e6ccdc4dd29b1cc85
- 1590e809dbad3c77d555e1354125537e80294d0847e7867cc8a9b5893eb2269f
- 23892054f9494f0ee6f4aa8749ab3ee6ac13741a0455e189596edfcdf96416b3
- 2f21d474ca430cab72f924117ace06d8c5b42377a993fe8f6fd4c52733e04575
- 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
- 58fae847c81a61fe43b12885b9886303e58ad4f96d53393a146999ad4d700c4f
- 5b91c8acffe1980653718a493e24bde7211ee825ea2947df54c03e9733d61a70
- 779e52e5dd7f28a6d51a333f651da4e50ff0aabdd99a4f341159ba76363b4c10
- 93488eab403fafb3d8e10d38c80f0af745e3fa4cf26228acff24d35a149f6269
- c96b32d44a44cd6f1496f88bc22739b9dd885b56af05ae925fbb57706ad48420
- d1fb8a5061fc40291cc02cec0f1c2d13168b17d22ffcabea62816e14ed58e925
- de7168cd978a33926ea7ffad027cc151aa1ea2d2f2581da3ce4fe22bad25c904
- f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
- fb91bdd5ee38a3e163231fa78fd85e2da890e4e116ac530f2b4879e0e50a76a5
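The IOC list above is defanged (`hxxp`) and the 62 dynamic-DNS hostnames follow one naming scheme: a two-digit index, one of two fixed tokens (`fckgwxqweod` or `odinxqwefck`), the same index repeated, then one of ten DDNS providers. The script below is an added example, not part of the original post: it refangs the list into hostnames, matches DNS query logs both against the published hosts and against a regular expression generalising that scheme, and checks observed SHA-256 values against the hash IOCs. The embedded IOC subset, the DNS log lines and the log format `<timestamp> <client-ip> <qname>` are constructed for the example; in practice, feed it the full list. The pattern match is an inference from the published names and should be treated as suspicious rather than confirmed.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Subset of the defanged URL IOCs from the list above (constructed input for the example).
IOC_URLS = """
- hxxp://01fckgwxqweod01.ddns.net
- hxxp://01odinxqwefck01.ddns.net
- hxxp://02fckgwxqweod02.ddnsking.com
- hxxp://31odinxqwefck31.myddns.me
- hxxp://87.98.137.173/
- hxxp://87.98.137.173/gt21.php
"""

# Subset of the SHA-256 IOCs from the list above, lower-cased for comparison.
IOC_SHA256 = {
    "048afd4276b67b78fdb03714c3bcc766f83407ea4012aa6eae9de5c7cb2d87b8",
    "c96b32d44a44cd6f1496f88bc22739b9dd885b56af05ae925fbb57706ad48420",
}

# The dynamic-DNS providers that appear in the IOC list.
DDNS_PROVIDERS = (
    r"(?:ddns\.net|ddnsking\.com|3utilities\.com|bounceme\.net"
    r"|freedynamicdns\.(?:net|org)|gotdns\.ch|hopto\.org|myddns\.me|myftp\.(?:biz|org))"
)
# Generalisation of the listed hostnames. The backreference forces both indices to agree,
# as every listed name does; hosts matching this but absent from the list are "suspicious".
MISPADU_DDNS_RE = re.compile(
    r"^(?P<idx>\d{2})(?:fckgwxqweod|odinxqwefck)(?P=idx)\." + DDNS_PROVIDERS + r"$",
    re.IGNORECASE,
)

def refang(url: str) -> str:
    """Reverse common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    return (
        url.strip()
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .replace("[.]", ".")
        .replace("[:]", ":")
    )

def extract_hosts(defanged_list: str) -> Set[str]:
    """Turn the bulleted, defanged URL list into a set of lower-case hostnames and IPs."""
    hosts = set()
    for line in defanged_list.splitlines():
        item = line.strip().lstrip("-").strip()
        if not item:
            continue
        host = re.sub(r"^https?://", "", refang(item)).split("/", 1)[0]
        hosts.add(host.lower())
    return hosts

def classify_host(host: str, exact_hosts: Set[str]) -> Optional[str]:
    """'exact-ioc' for a published host, 'pattern-match' for the naming scheme, else None."""
    h = host.lower().rstrip(".")
    if h in exact_hosts:
        return "exact-ioc"
    if MISPADU_DDNS_RE.match(h):
        return "pattern-match"
    return None

def scan_dns_log(log_text: str, exact_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Scan '<timestamp> <client-ip> <qname>' lines; return (client, qname, verdict) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        verdict = classify_host(qname, exact_hosts)
        if verdict:
            hits.append((client, qname, verdict))
    return hits

def match_hashes(observed: Iterable[str]) -> List[str]:
    """Return the observed SHA-256 values (any case) that appear in the IOC set."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_SHA256)

# Constructed DNS query log, not real telemetry: one exact IOC, one host that follows the
# naming scheme but is not in the list, and one that breaks the scheme (indices differ).
SAMPLE_DNS_LOG = """\
2020-03-01T10:00:01Z 10.0.0.21 www.example.com
2020-03-01T10:00:02Z 10.0.0.21 01fckgwxqweod01.ddns.net
2020-03-01T10:00:03Z 10.0.0.33 19odinxqwefck19.hopto.org
2020-03-01T10:00:04Z 10.0.0.33 19odinxqwefck20.hopto.org
2020-03-01T10:00:05Z 10.0.0.40 cdn.example.org
"""

if __name__ == "__main__":
    known = extract_hosts(IOC_URLS)
    for client, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG, known):
        print(f"{client} queried {qname}: {verdict}")
    print(match_hashes(["C96B32D44A44CD6F1496F88BC22739B9DD885B56AF05AE925FBB57706AD48420"]))
```

Because the C2 hostnames sit on free dynamic-DNS providers, blocking the providers outright is usually not an option; the combination of exact matching on the published list and a narrow pattern match for sibling names gives coverage without that collateral damage.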