Mispadu
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mispadu creates a shortcut (link) in the Startup folder for persistence.(Citation: ESET Security Mispadu Facebook Ads 2019) Mispadu also adds persistence via the registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.(Citation: Metabase Q Mispadu Trojan 2023) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Mispadu's dropper uses VBS files to install payloads and perform execution.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Mispadu can steal credentials from Google Chrome.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic.(Citation: Segurança Informática URSA Sophisticated Loader 2020) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Mispadu can log keystrokes on the victim's machine.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)(Citation: SCILabs URSA/Mispadu Evolution 2023) |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Mispadu uses a custom algorithm with hardcoded keys to obfuscate its internal strings.(Citation: ESET Security Mispadu Facebook Ads 2019) Mispadu also uses encoded configuration files and has Base64-encoded its payloads.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)(Citation: SCILabs Malteiro Threat Overlap 2023) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Mispadu has been spread via malicious links embedded in emails.(Citation: SCILabs Malteiro 2021) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Mispadu can list the security products installed in the victim's environment.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023) |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Mispadu has been installed via an MSI installer.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Mispadu uses rundll32.exe to execute its injector DLL.(Citation: ESET Security Mispadu Facebook Ads 2019) |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Mispadu checks the compromised system's language ID and terminates execution if it is not Spanish or Portuguese.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | Mispadu has relied on users to execute malicious files in order to gain execution on victim machines.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)(Citation: SCILabs Malteiro 2021) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Mispadu can check whether it is running in a virtualized environment (Hyper-V, VirtualBox or VMware), and terminates execution if the computer name is "JOHN-PC".(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) |
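The persistence and proxy-execution rows above (HKCU Run key, Startup folder shortcut, VBS dropper, msiexec, rundll32) all surface as registry, file and process events on the endpoint. The Python below is an added example, not code from this page or from any of the cited reports: it runs a few simple detection rules over constructed Sysmon-style events (EventID 1 process creation, 11 file create, 13 registry value set, flattened into a `Key=Value` form for readability) and tags each hit with the ATT&CK sub-technique it corresponds to. The user name, SID, file names and rule names are invented for illustration; the one real detail the rules rely on is that Sysmon records HKCU writes under `HKU\<SID>\...`, which is why the Run-key rule anchors on `HKU`.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon-style events (invented for this example, not real telemetry).
# EventID 1 = process creation, 11 = file created, 13 = registry value set.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\maria\\AppData\\Roaming\\upd\\launch.vbs",
    "EventID=11 Image=C:\\Windows\\System32\\wscript.exe "
    "TargetFilename=C:\\Users\\maria\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe ParentImage=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=rundll32.exe C:\\Users\\maria\\AppData\\Roaming\\upd\\inj.dll,Start",
    "EventID=1 Image=C:\\Windows\\System32\\msiexec.exe ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe "
    "CommandLine=msiexec.exe /i C:\\Users\\maria\\Downloads\\factura.msi /qn",
    "EventID=1 Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=wscript.exe C:\\Users\\maria\\Downloads\\factura\\instalar.vbs",
    # Benign control: a vendor installer writing an HKLM Run value must not match the HKCU rule.
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray "
    "Details=C:\\Program Files\\Vendor\\tray.exe",
]

# "Key=Value" pairs; a value runs until the next " Key=" token or end of line,
# so values may contain spaces and backslashes.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Sysmon logs HKCU as HKU\<SID>, so a per-user Run value looks like this.
RUN_KEY_RE = re.compile(r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def image_name(ev: Dict[str, str]) -> str:
    """Basename of the Image field, lower-cased."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


# (rule name, ATT&CK sub-technique, predicate over the parsed event)
RULES: List[Tuple[str, str, Callable[[Dict[str, str]], object]]] = [
    ("hkcu_run_value_set", "T1547.001",
     lambda ev: ev.get("EventID") == "13" and RUN_KEY_RE.search(ev.get("TargetObject", ""))),
    ("startup_folder_shortcut", "T1547.001",
     lambda ev: ev.get("EventID") == "11" and STARTUP_LNK_RE.search(ev.get("TargetFilename", ""))),
    ("script_host_runs_vbs", "T1059.005",
     lambda ev: ev.get("EventID") == "1" and image_name(ev) in ("wscript.exe", "cscript.exe")
     and ".vbs" in ev.get("CommandLine", "").lower()),
    ("msiexec_from_user_path", "T1218.007",
     lambda ev: ev.get("EventID") == "1" and image_name(ev) == "msiexec.exe"
     and USER_PATH_RE.search(ev.get("CommandLine", ""))),
    ("rundll32_user_path_dll", "T1218.011",
     lambda ev: ev.get("EventID") == "1" and image_name(ev) == "rundll32.exe"
     and ".dll" in ev.get("CommandLine", "").lower()
     and USER_PATH_RE.search(ev.get("CommandLine", ""))),
]


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Apply every rule to every event; return (event index, rule name, technique) per hit."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, technique, predicate in RULES:
            if predicate(ev):
                hits.append((idx, name, technique))
    return hits


def techniques_seen(hits: List[Tuple[int, str, str]]) -> List[str]:
    """Distinct sub-techniques observed, sorted, for a quick ATT&CK coverage summary."""
    return sorted({technique for _, _, technique in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for idx, name, technique in found:
        print(f"event {idx}: {name} -> {technique}")
    print("techniques:", ", ".join(techniques_seen(found)))
```

The rules deliberately key on a user-writable path (`\Users\<name>\`) for msiexec and rundll32 rather than on the binaries alone, since both run constantly on a healthy host; the same idea of pairing a LOLBin with an unusual argument location is how a production rule keeps its false-positive rate down.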
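The language gate (T1614.001) and the sandbox checks (T1497.001) decide whether the payload runs at all, so an analysis VM that fails either check never produces any of the later behaviours in the table. The Python below is an added example that models those gates; it is not Mispadu's own code and the cited reports do not describe the exact checks. It treats "language ID" as a Windows LANGID and tests its primary-language part (the low 10 bits, as the `PRIMARYLANGID` macro does; `LANG_SPANISH` is 0x0A and `LANG_PORTUGUESE` is 0x16 in winnt.h), compares the computer name with JOHN-PC, and looks for the SMBIOS manufacturer/product strings that VirtualBox, VMware and Hyper-V guests normally expose. The SMBIOS strings, the case-insensitive name comparison and the sample environments are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Windows primary language IDs from winnt.h.
LANG_SPANISH = 0x0A
LANG_PORTUGUESE = 0x16
ALLOWED_PRIMARY_LANGS = {LANG_SPANISH, LANG_PORTUGUESE}

# Computer name the cited reports say causes the sample to terminate.
BLOCKED_COMPUTER_NAME = "JOHN-PC"


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a 16-bit Windows LANGID (sublanguage is the high 6)."""
    return langid & 0x3FF


def passes_language_gate(langid: int) -> bool:
    """True for every Spanish or Portuguese sublanguage (es-MX, es-ES, pt-BR, pt-PT, ...)."""
    return primary_langid(langid) in ALLOWED_PRIMARY_LANGS


def detect_hypervisor(manufacturer: str, product: str) -> Optional[str]:
    """Assumed check: match SMBIOS System Manufacturer / Product strings that
    VirtualBox, VMware and Hyper-V guests expose by default. Returns a name or None."""
    m, p = manufacturer.strip().lower(), product.strip().lower()
    if "innotek" in m or "virtualbox" in p:
        return "VirtualBox"
    if "vmware" in m or "vmware" in p:
        return "VMware"
    # Hyper-V guests report Microsoft Corporation / Virtual Machine; the manufacturer
    # alone is not enough, since Surface hardware also reports Microsoft Corporation.
    if m == "microsoft corporation" and p == "virtual machine":
        return "Hyper-V"
    return None


def evaluate_gates(langid: int, computer_name: str, manufacturer: str, product: str) -> List[str]:
    """Return every reason the sample would abort; an empty list means it would proceed."""
    reasons: List[str] = []
    if not passes_language_gate(langid):
        reasons.append(f"language: primary LANGID 0x{primary_langid(langid):02X} is not Spanish/Portuguese")
    if computer_name.upper() == BLOCKED_COMPUTER_NAME:  # assumed case-insensitive comparison
        reasons.append(f"computer name: {computer_name}")
    hypervisor = detect_hypervisor(manufacturer, product)
    if hypervisor:
        reasons.append(f"hypervisor: {hypervisor}")
    return reasons


# Constructed environments (not real telemetry). LANGIDs: 0x0409 en-US, 0x0416 pt-BR, 0x080A es-MX.
ENVIRONMENTS: Dict[str, Dict[str, object]] = {
    "default analysis VM": dict(langid=0x0409, computer_name="JOHN-PC",
                                manufacturer="innotek GmbH", product="VirtualBox"),
    "victim laptop (pt-BR)": dict(langid=0x0416, computer_name="NOTEBOOK-ANA",
                                  manufacturer="Dell Inc.", product="Latitude 5420"),
    # A sandbox that passes all three gates: Spanish locale, ordinary host name,
    # and DMI strings overridden to look like physical hardware.
    "tuned sandbox (es-MX)": dict(langid=0x080A, computer_name="ESCRITORIO-05",
                                  manufacturer="Dell Inc.", product="OptiPlex 7090"),
}


def gate_report() -> Dict[str, List[str]]:
    """Evaluate every constructed environment against the gates."""
    return {name: evaluate_gates(**env) for name, env in ENVIRONMENTS.items()}


if __name__ == "__main__":
    for name, reasons in gate_report().items():
        verdict = "runs" if not reasons else "aborts -> " + "; ".join(reasons)
        print(f"{name}: {verdict}")
```

The practical takeaway is in the third environment: a detonation box for this family needs a Spanish or Portuguese user locale, a non-default host name and hypervisor DMI strings overridden before the later table rows (credential theft, keylogging, overlays) can be observed at all.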
References
- ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
- Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
- SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
- SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.
- Garcia, F., Regalado, D. (Metabase Q). (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
- SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024.