Labs - Malware Analysis

MISPADU: theft of credentials through keylogging

Written by David García | Jan 25, 2021 12:50:58 PM

Since June of this year and throughout the last quarter, a banking trojan for Windows systems has been increasing its number of victims and stealing their banking credentials. Mispadu is a Brazilian banking trojan that has been around since the end of 2019; however, it did not become particularly active until this winter.

Between June and September of this year, new campaigns of this malware have been launched, the most noteworthy aspect being the increase in the number of affected entities. Initially it focused on stealing credentials from Latin American banking entities; in these most recent campaigns, however, its authors appear to have taken an interest in the Spanish market as well, having added several Spanish and Portuguese entities to the list.

Apparently, the authors of Brazilian bankers have always been interested in victims from Latin America, and only in the last year have they shown greater interest in Spanish entities. Mispadu is simply another Brazilian trojan that has spread to Spain; this same year, banking trojans such as Grandoreiro or Mekotio/Pazera have expanded their lists of victims to include Spanish entities.

After analyzing Mispadu, we have found that this trojan could in fact be a variant or an update of Mekotio/Pazera, a Brazilian trojan with which it shares a large number of functionalities and characteristics, such as the communication protocol with the control server and the malware's mode of execution (both use a malicious DLL loaded by AutoIt scripts).

The two banking trojans share too many details, which suggests that the same perpetrators are most likely behind both. It is possible that Mispadu is a new version with certain improvements that they are still testing and developing, with the aim of eventually retiring the Pazera version.

The malicious DLL that steals the credentials is developed in Delphi, a language widely used by Brazilian malware developers. The user does not download the DLL directly, however: the file attached to the fraudulent email is actually a Microsoft installer (MSI) that, when executed, runs a Visual Basic Script (VBS), which in turn performs a series of checks on the system and then downloads the DLL together with the AutoIt executable.
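As an added example (not code from the original article), the delivery chain just described, an MSI whose VBS stage ends up launching the AutoIt executable with the DLL, can be surfaced from process-creation telemetry by walking each AutoIt process's ancestry back to the installer. It assumes Sysmon-style process records, that the MSI runs under `msiexec.exe`, and that the AutoIt interpreter is named `AutoIt3.exe`; none of these names appear on the page.

```python
"""Added example: flag an AutoIt process whose ancestry leads back to a
Windows Installer run (MSI -> VBS -> AutoIt + DLL) in constructed
process-creation records.

Assumptions (not from the page): records resemble Sysmon Event ID 1 fields;
the MSI runs under msiexec.exe; the AutoIt interpreter is AutoIt3.exe. The
VBS stage may show up as wscript.exe/cscript.exe or run in-process inside
msiexec.exe, so it is deliberately not required in the chain.
"""

AUTOIT_NAMES = {"autoit3.exe"}       # assumed interpreter name
INSTALLER_NAMES = {"msiexec.exe"}    # Windows Installer host
MAX_DEPTH = 4                        # ancestors to walk from the AutoIt process


def _base(path):
    """Lower-cased image file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_msi_autoit_chains(events):
    """Return one (pid chain, command line) tuple per AutoIt process that
    descends from msiexec.exe within MAX_DEPTH hops; the chain is listed
    from msiexec.exe down to the AutoIt process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _base(e["image"]) not in AUTOIT_NAMES:
            continue
        chain, cur = [e["pid"]], by_pid.get(e["ppid"])
        for _ in range(MAX_DEPTH):
            if cur is None:
                break
            chain.append(cur["pid"])
            if _base(cur["image"]) in INSTALLER_NAMES:
                hits.append((chain[::-1], e["cmdline"]))
                break
            cur = by_pid.get(cur["ppid"])
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i factura.msi"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe stage.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", "cmdline": "AutoIt3.exe loader.au3"},
    {"pid": 500, "ppid": 100, "image": r"C:\Tools\AutoIt3.exe", "cmdline": "AutoIt3.exe build.au3"},  # benign
]

if __name__ == "__main__":
    for chain, cmd in find_msi_autoit_chains(SAMPLE_EVENTS):
        print("MSI -> AutoIt chain", " -> ".join(map(str, chain)), ":", cmd)
```

Only the AutoIt process spawned beneath `msiexec.exe` is reported; the developer's AutoIt run started from Explorer is left alone.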

Throughout this document, we are going to see how this banking trojan works, including the method of infection, the strategy it uses to steal credentials, other interesting functionalities, and the communication protocol with the control server.