Recent spam campaigns leading to URSA/Mispadu banking trojan detected by researchers have been uncovered. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages. It is also likely that they have targets similar to previous Mispadu attacks where users from Mexico, Spain, Portugal, and other nearby regions were targeted. This behavior is in line with past Mispadu schemes, such as the one where spam emails for fake discount coupons were used as bait.
For this particular case, Mispadu’s entry vector is spam, similar to past campaigns involving the malware. By sending messages that refer to overdue invoices, attackers create a seemingly urgent situation that then persuades receivers to download a .zip file from malicious URLs.
This zip file contains an MSI (Microsoft Installer file) that has a VBScript. This is followed by three layers of obfuscation that, when deobfuscated, reveal the final VBScript file that executes an AutoIT Loader/Injector.
The final VBScript also retrieves data on the operating system version. If the script detects a virtual environment such as the following, the script terminates its execution.