Inside Mispadu massive infection campaign in LATAM

For the initial infection, the attackers tried to lure the victims into opening different types of fake bills via HTML pages or PDF password-protected files.

The techniques, tactics and procedures (TTPs) used during these campaigns resembles the banking trojan Mispadu, however contains new components that have not been seen before.
Analysts will go into further detail in this blog.

Mispadu was discovered by ESET and is known to target Latin American countries via spamming and malvertising campaigns.
It is an important group to monitor given it’s high level of activity in the region along with its malware-as-a-service modus operandi.
As a result, the group has constantly launched new types of campaigns, containing different layers of obfuscation and new techniques, making it difficult to fully protect systems against it.

One of their main strategies is to compromise legitimate websites and use them as Command & Control Servers to further spread malware.
They accomplish this by searching for and compromising websites with vulnerable versions of Content Management Systems, like WordPress.
From there, they leverage these websites to spread malware in a customized manner, such as filtering out countries that they do not wish to infect, dropping different types of malware based on the country being infected and even deploying a unique malicious RAT (Remote Administration Tool) when they detect an interesting device, like a computer from a bank’s employee.

During these campaigns, the group discard any victim with the following system languages:

Spanish Spain
English United States
Portuguese – Brazil
Because the cyber criminals have a payload building process automated, they can deliver new variants of malware rapidly and thus scale and support multiple campaigns in parallel.

Based on analysis of the malware, it is clear that the group is very familiar with the main banks and institutions in the targeted Latin American countries.
Multiple Spanish words found in their malware suggest that several of the programmers may be Latinos, and specifically may be from Chile based on the slang utilized in the comments.

Metabase Q also discovered several new techniques that were added in this massive infection that enabled the cyber criminals to access thousands of credentials:

Fake certificates to obfuscate initial stage malware
A new .NET-based backdoor able to take screenshots or even send fake Windows to the victim
A new RUST-Based Backdoor, this programming language is still not well handled by endpoint protection

Mispadu is uniquely effective for several key reasons.

First, their multi-stage infection strategy splits the malicious techniques into different components, making it harder to detect.
Second, as referenced in the introduction, the cyber criminals hide the malware inside of fake certificates so it’s harder to detect.
They then misuse a legitimate windows program “certutil” to decode and execute the banking trojan.

But then the question is, how many endpoint protections were bypassed by these techniques?

Every C2 Server holds a list of infected machines, this help us to identify the type of endpoint protection that Mispadu was able to bypass, below an extract of this file which shows: Date and time of infection, source IP address from victim, country code, Windows OS version, type of payload dropped (AutoIt), and Endpoint protection software installed.

Almost every anti-virus available on the market was bypassed by the infection.
A full list of vendors bypassed, taken from one of the C2 servers, is below:

Microsoft Defender, Acronis Cyber Protect, Avast Total Security, Bitdefender Endpoint Security, Carbon Black Cloud, Cisco Secure Endpoint, ESET NOD32, F-Secure, FortiClient, Kaspersky, Malwarebytes, McAfee Anti-Virus, Norton Antivirus/Security Ultra, Panda Dome, Reason Cybersecurity, Sentinel Agent, Sophos Home, Spybot, Symantec Endpoint, Total AV, Trellix Endpoint, 360 Total Security, Avira Security, Baidu Antivirus, COMODO Antivirus, Cybereason AV, Cylance PROTECT and AVG Antivirus.

This helps to explain the large number of infected machines during these campaigns.
It is important to note that based on Metabase Q’s SOC visibility, EDR-based protection was able to block the infection successfully.
This indicates that anti-virus-only protection is not enough.