According to researchers at Metabase Q, Mispadu is a banking trojan that has been linked to multiple spam campaigns targeting countries in Latin America, including Bolivia, Chile, Mexico, Peru, and Portugal. The goal of these campaigns is to steal credentials and deliver other payloads. The activity began in August 2022 and is currently ongoing.

Mispadu, also known as URSA, was first documented by ESET in November 2019. Researchers described its ability to carry out monetary and credential theft, as well as to act as a backdoor by taking screenshots and capturing keystrokes.

According to Fernando García and Dan Regalado, "one of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected." Mispadu is also said to share similarities with other banking trojans targeting the region, such as Grandoreiro, Javali, and Lampion.

Attack chains involving the Delphi-based malware use email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process. If a victim opens the HTML attachment sent via the spam email, it verifies that the file was opened from a desktop device and then redirects to a remote server to fetch the first-stage malware.