The Mispadu banking trojan has been stealing payment details and online bank information via McDonald’s malvertising.
According to researchers at ESET, Mispadu is a malware family written in Delphi that targets Brazil and Mexico.
Similar to other Latin American banking trojans, Mispadu displays fake pop-up windows and attempts to persuade potential victims into providing their sensitive information.
Mispadu can also take screenshots, simulate mouse and keyboard actions, and capture keystrokes. In addition, it can update itself via a Visual Basic Script (VBS) file.
Researchers found that Mispadu has been spreading via spam emails. The McDonald’s malvertising offers fake discount coupons: once a user clicks on the ad, they are redirected to a fake McDonald’s website displaying a button that says “I want!/ Generate coupon.”
When the user clicks on the button, it downloads a ZIP archive, containing an MSI installer, onto the victim’s device.
The researchers explained: “When the potential victim executes the MSI installer, a chain of three subsequent VBS scripts follows. The first script (unpacker) decrypts and executes the second script (downloader) from its internal data…The downloader script retrieves the third script (loader) and executes it.”
The loader script checks the language identifier of the victim’s machine to ensure it really comes from the country targeted by the current campaign, i.e. Brazil or Mexico, respectively. The loader script can also detect some virtual environments. If a virtual environment is detected, or the expected locale is not found, the loader quits.
However, if there is a match, the script loads three components: the Mispadu banking trojan, a DLL injector used to execute the trojan, and legitimate supporting DLLs.
“Finally, the loader script sets up persistence by creating a link in the startup folder and executing the injector. This is done via rundll32.exe by calling an exported function of the injector DLL whose name comes from one of the previously set up configuration files. The injector locates the encrypted banking trojan, then decrypts and executes it.”
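The delivery chain quoted above (MSI installer, a VBS script stage, then rundll32.exe calling an export of an injector DLL, with a Startup-folder link for persistence) leaves a recognisable pattern in endpoint telemetry. The following is an added example of detection logic written for this article, not ESET's or any vendor's tooling. It runs over constructed Sysmon-style process-creation records and Startup-folder shortcut descriptions; the field names, the sample paths and the export name are assumptions, and the assumption that the VBS stages run under wscript.exe or cscript.exe is the example's, not the page's.

```python
"""
Detection sketch for the delivery chain described in the article:
MSI installer -> VBS scripts -> rundll32.exe calling an export of an injector DLL,
plus a link in the Startup folder for persistence.  Constructed example; the event
fields, paths and names below are assumptions, not real telemetry or real IoCs.
"""
import re
from typing import Dict, List, Tuple

# Assumption: the VBS stages run under one of the Windows script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLLs under the user profile or ProgramData are not where signed system DLLs live.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)
# Strips a leading rundll32.exe image (quoted or not) so the same parser serves
# full command lines and the bare argument string stored in a shortcut.
RUNDLL32_PREFIX_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# rundll32 syntax: <dll path>,<export name> [args]; the path may be quoted.
RUNDLL32_ARGS_RE = re.compile(r'^(?:"([^"]+)"|([^\s,]+))\s*(?:,\s*([\w#@$?]+))?')

# Constructed sample events (Sysmon-style process creation), not real logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\cupom\Cupom.msi"'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\a1b2.vbs"'},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Roaming\xyz\inj.dll",ExportedName'},
    # Benign control: rundll32 with a system DLL, launched by the shell.
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Constructed Startup-folder shortcuts (as an inventory tool might report them).
SAMPLE_STARTUP_LINKS = [
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk",
     "target": r"C:\Windows\System32\rundll32.exe",
     "arguments": r'"C:\Users\alice\AppData\Roaming\xyz\inj.dll",ExportedName'},
    {"lnk": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "arguments": "/background"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.match(path))


def parse_rundll32(command_line: str) -> Tuple[str, str]:
    """Return (dll_path, export_name) from a rundll32 command line or its bare arguments."""
    args = RUNDLL32_PREFIX_RE.sub("", command_line, count=1)
    m = RUNDLL32_ARGS_RE.match(args)
    if not m:
        return None, None
    return (m.group(1) or m.group(2)), m.group(3)


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Reasons why one process-creation event matches the script-stage / injector pattern."""
    reasons = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    if image in SCRIPT_HOSTS and parent == "msiexec.exe":
        reasons.append("script host spawned by an MSI installer")
    if image == "rundll32.exe":
        dll, export = parse_rundll32(event["command_line"])
        if dll and is_user_writable(dll):
            reasons.append(f"rundll32 loading DLL from user-writable path: {dll} (export {export})")
        if parent in SCRIPT_HOSTS:
            reasons.append("rundll32 spawned by a script host")
    return reasons


def find_suspicious(events):
    """(index, reasons) for every event that triggers at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := analyze_event(e))]


def suspicious_startup_links(links):
    """Startup shortcuts whose target is rundll32 pointed at a DLL in a user-writable location."""
    hits = []
    for link in links:
        if basename(link["target"]) != "rundll32.exe":
            continue
        dll, export = parse_rundll32(link["arguments"])
        if dll and is_user_writable(dll):
            hits.append((link["lnk"], dll, export))
    return hits


if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
    for lnk, dll, export in suspicious_startup_links(SAMPLE_STARTUP_LINKS):
        print(f"startup link {lnk} -> {dll},{export}")
```

The two rundll32 rules are deliberately separate: a rundll32 child of a script host is suspicious on its own, and a DLL loaded from a user-writable directory is suspicious on its own, so the injector stage is flagged twice while the benign shell32.dll control produces nothing. The same parser also covers the persistence artefact, since a Startup shortcut stores exactly the argument string that rundll32 later receives.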
Once a device is infected, Mispadu will use fake pop-up windows to encourage users to reveal sensitive information.
The information Mispadu collects from its victims includes the following: OS version, computer name, language ID, a Diebold Warsaw GAS Tecnologia installation check, a list of installed common Latin American banking applications, and a list of installed security products.
The researchers discovered that the Mispadu campaign produced almost 100,000 clicks exclusively from Brazil. The clicks coming from Android can be explained by the fact that the advertisement is shown on Facebook regardless of the user’s device.
The post #Privacy: Banking trojan uses McDonald’s malvertising to infect victims appeared first on PrivSec Report.