Researchers have recently observed a large volume of online fraud. Analysis traced many of the clues back to the URSA/Mispadu banking Trojan, which Trend Micro detects as TrojanSpy.Win32.MISPADU.THIADBO. According to the researchers, Mispadu steals the victim's credentials once it has infected the target system. The information disclosed so far indicates that this wave of attacks mainly targets computers whose system language is Spanish or Portuguese, much like earlier Mispadu campaigns.
Trojan activity analysis
Like many other malware campaigns, Mispadu uses spam as its entry vector. The attacker sends messages about supposedly expired tickets to create a sense of urgency, then lures the target into clicking a malicious URL that downloads a malicious .zip file.
The zip file contains an MSI file (Microsoft Installer package) that carries a VBScript. The script is protected by three layers of obfuscation; once these are removed, the VBScript code that runs the AutoIT loader/injector becomes readable.
The final VBScript first collects data about the operating system version of the target device. If it detects any of the following virtual environments, the script stops running:
The script also checks whether the target system uses one of the following languages:
As noted above, the attacker checks whether the target computer uses one of the listed languages. If the system's language ID does not match an entry in the list, the attack stops. The attack also stops if the computer name is "JOHN-PC", a name commonly found on analysis sandboxes.
Finally, the VBScript also drops the AutoIT file, which loads the final payload into memory on the target device: a Delphi executable containing the Trojan's code and logic. This Delphi file implements a browser overlay (effectively a phishing page laid over the bank's web page) and uses it to steal the victim's data.
The code also bundles two legitimate NirSoft tools, WebBrowserPassView and Mail PassView, which are used to harvest credentials stored by browsers and email clients.
As institutions that directly handle money, banks are an attractive target for cybercriminals seeking financial gain. Banking Trojans are one of the tools criminals use to steal credentials for online banking systems, and spam is the main channel through which this malware spreads.
To limit the risk posed by malicious email, users should:
Never open links in emails or download email attachments from untrusted sources;
Check whether the sender's email address is forged;
Check emails for grammatical errors or misspelled words, which are common in spam;
Contact the company that supposedly sent the email, using contact details from its official website rather than from the email itself, to verify that the message actually came from them.
Indicators of compromise (IoC)
hxxp://01fckgwxqweod01.ddns.net
hxxp://01odinxqwefck01.ddns.net
hxxp://02fckgwxqweod02.ddnsking.com
hxxp://02odinxqwefck02.ddnsking.com
hxxp://03fckgwxqweod03.3utilities.com
hxxp://03odinxqwefck03.3utilities.com
hxxp://04fckgwxqweod04.bounceme.net
hxxp://04odinxqwefck04.bounceme.net
hxxp://05fckgwxqweod05.freedynamicdns.net
hxxp://05odinxqwefck05.freedynamicdns.net
hxxp://06fckgwxqweod06.freedynamicdns.org
hxxp://06odinxqwefck06.freedynamicdns.org
hxxp://07fckgwxqweod07.gotdns.ch
hxxp://07odinxqwefck07.gotdns.ch
hxxp://08fckgwxqweod08.hopto.org
hxxp://08odinxqwefck08.hopto.org
hxxp://09fckgwxqweod09.myddns.me
hxxp://09odinxqwefck09.myddns.me
hxxp://10fckgwxqweod10.myftp.biz
hxxp://10odinxqwefck10.myftp.biz
hxxp://11fckgwxqweod11.myftp.org
hxxp://11odinxqwefck11.myftp.org
hxxp://12fckgwxqweod12.ddns.net
hxxp://12odinxqwefck12.ddns.net
hxxp://13fckgwxqweod13.ddnsking.com
hxxp://13odinxqwefck13.ddnsking.com
hxxp://14fckgwxqweod14.3utilities.com
hxxp://14odinxqwefck14.3utilities.com
hxxp://15fckgwxqweod15.bounceme.net
hxxp://15odinxqwefck15.bounceme.net
hxxp://16fckgwxqweod16.freedynamicdns.net
hxxp://16odinxqwefck16.freedynamicdns.net
hxxp://17fckgwxqweod17.freedynamicdns.org
hxxp://17odinxqwefck17.freedynamicdns.org
hxxp://18fckgwxqweod18.gotdns.ch
hxxp://18odinxqwefck18.gotdns.ch
hxxp://19fckgwxqweod19.hopto.org
hxxp://19odinxqwefck19.hopto.org
hxxp://20fckgwxqweod20.myddns.me
hxxp://20odinxqwefck20.myddns.me
hxxp://21fckgwxqweod21.myftp.biz
hxxp://21odinxqwefck21.myftp.biz
hxxp://22fckgwxqweod22.myftp.org
hxxp://22odinxqwefck22.myftp.org
hxxp://23fckgwxqweod23.ddns.net
hxxp://23odinxqwefck23.ddns.net
hxxp://24fckgwxqweod24.ddnsking.com
hxxp://24odinxqwefck24.ddnsking.com
hxxp://25fckgwxqweod25.3utilities.com
hxxp://25odinxqwefck25.3utilities.com
hxxp://26fckgwxqweod26.bounceme.net
hxxp://26odinxqwefck26.bounceme.net
hxxp://27fckgwxqweod27.freedynamicdns.net
hxxp://27odinxqwefck27.freedynamicdns.net
hxxp://28fckgwxqweod28.freedynamicdns.org
hxxp://28odinxqwefck28.freedynamicdns.org
hxxp://29fckgwxqweod29.gotdns.ch
hxxp://29odinxqwefck29.gotdns.ch
hxxp://30fckgwxqweod30.hopto.org
hxxp://30odinxqwefck30.hopto.org
hxxp://31fckgwxqweod31.myddns.me
hxxp://31odinxqwefck31.myddns.me
hxxp://188.8.131.52/
hxxp://184.108.40.206/gt21.php
hxxp://220.127.116.11/k1oa
hxxp://18.104.22.168/m/k1
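The following script is an added example of how a defender would put the IoC list above to work; it is not code from Trend Micro or from the original article. It refangs the hxxp:// indicators, extracts their hostnames, and scans proxy log lines for exact matches. It also goes one step beyond the list: every hostname in the list has the same shape (two digits, one of two fixed strings, the same two digits again, then a free dynamic-DNS suffix), so a regex derived from that observed pattern flags hosts of the same shape that are not on the list. Pattern hits are an assumption-based heuristic and should be treated as suspicious rather than confirmed. The log lines are constructed for the demo, and only a subset of the page's indicators is embedded; paste the full list into IOC_URLS in practice.

```python
"""Hunt for the Mispadu IoCs in proxy logs (added example, not the article's code)."""
import re
from urllib.parse import urlsplit

# Subset of the IoCs from the page, defanged with hxxp:// as published.
IOC_URLS = [
    "hxxp://01fckgwxqweod01.ddns.net",
    "hxxp://01odinxqwefck01.ddns.net",
    "hxxp://07odinxqwefck07.gotdns.ch",
    "hxxp://31fckgwxqweod31.myddns.me",
    "hxxp://188.8.131.52/",
    "hxxp://184.108.40.206/gt21.php",
    "hxxp://220.127.116.11/k1oa",
    "hxxp://18.104.22.168/m/k1",
]

# Regex derived from the shape of every hostname in the page's list. Hits that
# are not in IOC_URLS are an assumption (same naming scheme, same DDNS providers)
# and are reported as "pattern" so an analyst can triage them separately.
PATTERN_RE = re.compile(
    r"^(\d{2})(?:fckgwxqweod|odinxqwefck)\1\."
    r"(?:ddns\.net|ddnsking\.com|3utilities\.com|bounceme\.net|"
    r"freedynamicdns\.(?:net|org)|gotdns\.ch|hopto\.org|myddns\.me|myftp\.(?:biz|org))$"
)

# Constructed sample lines in a Squid-like "timestamp client method url status" shape.
SAMPLE_LOG = """\
1698765432.101 10.0.0.5 GET http://www.example.com/ 200
1698765433.204 10.0.0.7 GET http://01odinxqwefck01.ddns.net/ 200
1698765434.310 10.0.0.7 GET http://184.108.40.206/gt21.php 200
1698765435.412 10.0.0.9 GET http://19fckgwxqweod19.hopto.org/x 404
1698765436.500 10.0.0.5 GET http://mail.example.com/inbox 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def refang(url):
    """Turn the defanged hxxp(s):// scheme back into http(s):// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_hosts(urls):
    """Set of lower-cased hostnames / IPs extracted from the defanged IoC URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def scan_log(log_text, iocs):
    """Return (client, host, reason) for each log line whose host is a listed
    indicator ("listed") or matches the derived naming pattern ("pattern")."""
    known = ioc_hosts(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected log shape
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue
        host = host.lower()
        if host in known:
            hits.append((m.group("client"), host, "listed"))
        elif PATTERN_RE.match(host):
            hits.append((m.group("client"), host, "pattern"))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG, IOC_URLS):
        print(f"{reason:8s} {client:12s} {host}")
```

Match on hostnames rather than on full URLs, since the dynamic-DNS names are the stable part of these indicators and the path may vary. Do not block the parent zones (ddns.net, hopto.org and the rest): they are shared free services used by many legitimate hosts.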