Rewterz Threat Alert – Mispadu Banking Trojan Resurfaces

Severity

Medium

Analysis Summary

Recent spam campaigns leading to URSA/Mispadu banking trojan detected by researchers have been uncovered. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages. It is also likely that they have targets similar to previous Mispadu attacks where users from Mexico, Spain, Portugal, and other nearby regions were targeted. This behavior is in line with past Mispadu schemes, such as the one where spam emails for fake discount coupons were used as bait.

For this particular case, Mispadu’s entry vector is spam, similar to past campaigns involving the malware. By sending messages that refer to overdue invoices, attackers create a seemingly urgent situation that then persuades receivers to download a .zip file from malicious URLs.

This zip file contains an MSI (Microsoft Installer file) that has a VBScript. This is followed by three layers of obfuscation that, when deobfuscated, reveal the final VBScript file that executes an AutoIT Loader/Injector.

The final VBScript also retrieves data on the operating system version. If the script detects a virtual environment such as the following, the script terminates its execution.

Impact

Credential theft

Indicators of Compromise

Hostname

• 23fckgwxqweod23[.]ddns[.]net
• 01odinxqwefck01[.]ddns[.]net
• 14fckgwxqweod14[.]3utilities[.]com
• 06fckgwxqweod06[.]freedynamicdns[.]org
• 22fckgwxqweod22[.]myftp[.]org
• 19fckgwxqweod19[.]hopto[.]org
• 04odinxqwefck04[.]bounceme[.]net
• 02fckgwxqweod02[.]ddnsking[.]com
• 29odinxqwefck29[.]gotdns[.]ch
• 29fckgwxqweod29[.]gotdns[.]ch
• 11odinxqwefck11[.]myftp[.]org
• 18odinxqwefck18[.]gotdns[.]ch
• 21odinxqwefck21[.]myftp[.]biz
• 02odinxqwefck02[.]ddnsking[.]com
• 30fckgwxqweod30[.]hopto[.]org
• 31odinxqwefck31[.]myddns[.]me
• 20odinxqwefck20[.]myddns[.]me
• 10odinxqwefck10[.]myftp[.]biz
• 16fckgwxqweod16[.]freedynamicdns[.]net
• 03odinxqwefck03[.]3utilities[.]com
• 25fckgwxqweod25[.]3utilities[.]com
• 12odinxqwefck12[.]ddns[.]net
• 24fckgwxqweod24[.]ddnsking[.]com
• 27fckgwxqweod27[.]freedynamicdns[.]net
• 03fckgwxqweod03[.]3utilities[.]com
• 04fckgwxqweod04[.]bounceme[.]net
• 25odinxqwefck25[.]3utilities[.]com
• 20fckgwxqweod20[.]myddns[.]me
• 08fckgwxqweod08[.]hopto[.]org
• 21fckgwxqweod21[.]myftp[.]biz
• 14odinxqwefck14[.]3utilities[.]com
• 10fckgwxqweod10[.]myftp[.]biz
• 15fckgwxqweod15[.]bounceme[.]net
• 11fckgwxqweod11[.]myftp[.]org
• 23odinxqwefck23[.]ddns[.]net
• 19odinxqwefck19[.]hopto[.]org
• 30odinxqwefck30[.]hopto[.]org
• 28odinxqwefck28[.]freedynamicdns[.]org
• 16odinxqwefck16[.]freedynamicdns[.]net
• 01fckgwxqweod01[.]ddns[.]net
• 07odinxqwefck07[.]gotdns[.]ch
• 26fckgwxqweod26[.]bounceme[.]net
• 09fckgwxqweod09[.]myddns[.]me
• 12fckgwxqweod12[.]ddns[.]net
• 08odinxqwefck08[.]hopto[.]org
• 07fckgwxqweod07[.]gotdns[.]ch
• hacktool[.]win32[.]nirsoftpt[.]sm
• 27odinxqwefck27[.]freedynamicdns[.]net
• 31fckgwxqweod31[.]myddns[.]me
• 17odinxqwefck17[.]freedynamicdns[.]org
• 28fckgwxqweod28[.]freedynamicdns[.]org
• 05odinxqwefck05[.]freedynamicdns[.]net
• 15odinxqwefck15[.]bounceme[.]net
• 09odinxqwefck09[.]myddns[.]me
• 26odinxqwefck26[.]bounceme[.]net
• 06odinxqwefck06[.]freedynamicdns[.]org
• 05fckgwxqweod05[.]freedynamicdns[.]net
• 17fckgwxqweod17[.]freedynamicdns[.]org
• 22odinxqwefck22[.]myftp[.]org
• 13odinxqwefck13[.]ddnsking[.]com
• 13fckgwxqweod13[.]ddnsking[.]com
• 18fckgwxqweod18[.]gotdns[.]ch
• 24odinxqwefck24[.]ddnsking[.]com

MD5

• 7396051fd6575180166d66ddf0a9295b
• 309335fe1e4f27029a8ec6087e0de1f4
• 3d709171fed29eab5d05a20f0b8fb2c8
• 053778713819beab3df309df472787cd
• 54e8ded7b148a13d3363ac7b33f6eb06
• 0875d00b60b9d7006f4e71943ee4c420
• 3be539aa8d421d09cef27723a98d2d83
• a4f066196b1009c42c1dea74f857180d
• bda287c97d9373052f347ac0ccedfdf8
• 2d2f3500836ed60303103bafac6357a3

SHA-256

• 779e52e5dd7f28a6d51a333f651da4e50ff0aabdd99a4f341159ba76363b4c10
• 23892054f9494f0ee6f4aa8749ab3ee6ac13741a0455e189596edfcdf96416b3
• 048afd4276b67b78fdb03714c3bcc766f83407ea4012aa6eae9de5c7cb2d87b8
• 58fae847c81a61fe43b12885b9886303e58ad4f96d53393a146999ad4d700c4f
• 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
• 0d57869a4d6509a13ff48af46492f1a8bb2ee33f5c01897e6ccdc4dd29b1cc85
• de7168cd978a33926ea7ffad027cc151aa1ea2d2f2581da3ce4fe22bad25c904
• 1590e809dbad3c77d555e1354125537e80294d0847e7867cc8a9b5893eb2269f
• 5b91c8acffe1980653718a493e24bde7211ee825ea2947df54c03e9733d61a70
• d1fb8a5061fc40291cc02cec0f1c2d13168b17d22ffcabea62816e14ed58e925
• 2f21d474ca430cab72f924117ace06d8c5b42377a993fe8f6fd4c52733e04575
• 93488eab403fafb3d8e10d38c80f0af745e3fa4cf26228acff24d35a149f6269
• f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
• fe8c60df1fbc9c983ae135829980874e6d793631684d40f93d2321b6d687cff6
• 073f9d7bbdca94b3e6f5e572522e8ed17629abf6ef27f0e6a65895a107b52881
• fb91bdd5ee38a3e163231fa78fd85e2da890e4e116ac530f2b4879e0e50a76a5
• c96b32d44a44cd6f1496f88bc22739b9dd885b56af05ae925fbb57706ad48420

SHA1

• 706e259e20fc4bfbc3ada99e76e29885748d56e2
• daa4780e80cb3038fc9830a30ee5f474a3b1b65d
• 2a795c7737a53b6437f8c3dfcaa4fd23b47b85ae
• 3fc7e6a993d0acd8aa02c9032419588c143df759
• 83c6832a871398fc925bd6e9f387dcb43a99b1e2
• 99c7b5827df89b4fafc2b565abed97c58a3c65b8
• 7c8066572751aaf40a2d67ed69af62612fcd23f3
• dd4b7d4d0415dd365f4ecd614674769131f4d853
• 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
• 91d9257eef046890b02b4f5234ba4a260c509aa3

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.