MISPADU: theft of credentials through keylogging

Since June of this year and throughout the last quarter of the year, a banking malware for Windows systems has been increasing its number of victims and stealing their banking credentials. Mispadu is a Brazilian banking trojan that has been around since the end of 2019; however, it didn't become very active until this winter.

Between June and September of this year, new campaigns have been launched for this malware, the most noteworthy aspect being the increase in the number of affected entities. Initially, it focused on stealing credentials from Latin American banking entities; in these most recent campaigns, however, its authors also seem to be interested in the Spanish market, having added several Spanish and Portuguese entities to the list.

Apparently, the authors of Brazilian bankers have always been interested in victims from Latin America, but only in the last year have they shown greater interest in Spanish entities. Mispadu is simply another of the Brazilian trojans that have spread to Spain; this same year, banking trojans such as Grandoreiro and Mekotio/Pazera have expanded their list of victims to include Spanish entities.

After analyzing Mispadu, we noticed that this trojan could in fact be a variant or an update of Mekotio/Pazera, a Brazilian trojan with which it shares a large number of functionalities and characteristics, such as the communication protocol with the control server and the malware's mode of execution (both use a malicious DLL loaded with AutoIt scripts).

The two banking trojans share so many details that the same perpetrators are most likely behind both. It's possible that Mispadu is a new version with certain improvements that they are still testing and developing, with the aim of eventually dropping the Pazera version.

The malicious DLL that steals the credentials is developed in Delphi, a language widely used by Brazilian malware developers. However, the user doesn't download the DLL directly. The file attached to the fraudulent email is actually a Microsoft installer (MSI) that, when executed, runs a Visual Basic Script (VBS). That script performs a series of checks on the system and then downloads the DLL together with the AutoIt executable.
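The infection chain described above (MSI, then VBS, then AutoIt) can be hunted for in process-creation telemetry. The following Python sketch is an added example, not code from buguroo's analysis: the event fields, the sample events and the process names (msiexec.exe, wscript.exe/cscript.exe, AutoIt3.exe, .au3/.a3x arguments) are assumptions chosen for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # assumed VBS hosts
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}  # assumed interpreter names
AU3_ARG = re.compile(r"\.(au3|a3x)\b", re.I)       # AutoIt script argument

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\u\Downloads\invoice.msi"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\a.vbs"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\u\AppData\Roaming\x\upd.exe",
     "cmd": r"upd.exe C:\Users\u\AppData\Roaming\x\upd.au3"},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmd": r"AutoIt3.exe C:\tools\backup.au3"},
]

def name(ev):
    return ntpath.basename(ev["image"]).lower()

def looks_like_autoit(ev):
    # The interpreter may be renamed, so also look for a script argument.
    return name(ev) in AUTOIT_NAMES or bool(AU3_ARG.search(ev["cmd"]))

def ancestors(ev, by_pid):
    # Walk parent links; 'seen' guards against loops caused by PID reuse.
    seen = set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def find_chains(events):
    """Flag AutoIt-like processes that descend from an MSI installation."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not looks_like_autoit(ev):
            continue
        names = [name(a) for a in ancestors(ev, by_pid)]
        if "msiexec.exe" in names:
            cut = names.index("msiexec.exe")
            hits.append({
                "pid": ev["pid"],
                "via_script_host": any(n in SCRIPT_HOSTS for n in names[:cut]),
                "chain": [name(ev)] + names[:cut + 1],
            })
    return hits
```

A legitimate AutoIt run launched from the desktop (pid 300 in the sample) is not flagged, because no installer appears in its ancestry.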

Throughout this document, we are going to see how this banking trojan works, including the method of infection, the strategy it uses to steal the credentials, other interesting functionalities and the communication protocol with the control server.



As with a significant part of Brazilian banking malware, this one focuses on the theft of credentials through keylogging. It also includes the option to steal the credentials stored in browsers, although its developers haven't implemented this functionality themselves and have limited themselves to using legitimate tools.

The list of affected banking entities is also the usual one for Brazilian banking malware, including entities from Chile, Mexico, Spain, and Portugal, along with less common entities from other countries such as Italy and Bolivia.


Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.


