The following post aims to analyze the modus operandi, infrastructure, tools, the malware used, and the TTPs of the group of cybercriminals named Malteiro by SCILabs, which operates and distributes the URSA/Mispadu banking trojan. On the other hand, an investigation of the most recent banking trojan distribution campaigns is presented, showing the potential risk for the information of Mexican and LATAM bank account holders. Although URSA/Mispadu campaigns have been launched since the end of 2019, it has undergone various modifications over time to turn it into a more sophisticated and difficult to detect malware. Based on research by SCILabs, an update campaign for the banking trojan was identified and is currently active. This malware reuses and improves some TTPs used by its first versions, which were previously analyzed in some security blogs.
According to the evidence compiled by SCILabs, the campaign is mainly directed at USA, Mexico, LATAM and other countries of the European, African, and Asian continent. Some studies suggest that URSA/Mispadu is one of the banking trojans that most affects the region.
Based on the information collected and analyzed by SCILabs from closed and public sources, the timeline of the identified campaigns is shown below:
During the investigation SCILabs identified that the phishing campaigns are mainly directed at Mexico. Based on SCILabs telemetry, the top industries that could potentially be targeted by these campaigns are listed below:
- Financial industry
- Food industry
- Communication industry
- Health industry
- Retail industry
- Manufacture industry
- Service industry
- Government industry
Threat context Malteiro is a group of cybercriminals who operate, manage, and sell the URSA/Mispadu banking trojan, as well as the tools for installation and configuration. With the information obtained from the research conducted by SCILabs, it is possible to determine that cybercriminals use the Malware-as-a-Service (MaaS) business model with URSA/Mispadu.
Likewise, they oversee the creation of campaigns and other techniques for the distribution of malware as can be seen in the following image.
URSA/Mispadu is a family of trojan-type banking malware mainly targeting Spain and Mexico which was discovered in November 2019. The malware was written in Delphi and has different capabilities such as: screen capture, simulate mouse and keyboard actions, as well as log keystrokes. Malware can be updated through a Visual Basic Script (VBS) file that is automatically downloaded and executed. During the infection process, the malware collects the following data from the victim’s computer:
- Operating system version
- Computer name
- Computer language
- Installed antivirus
URSA/Mispadu’s entry vector is spam and malvertising, like other active campaigns in the region. Fake discount coupons are used in campaigns, as well as malicious emails refer to overdue invoices, attackers create a seemingly urgent situation that then persuades recipients to download a .zip file of malicious URLs. Social engineering as a method of spreading malware Apocryphal companies used to create malware In the investigation process, SCILabs observed that the cybercriminal uses apocryphal e-commerce companies that are used to distribute URSA/Mispadu malware through fake invoices and steal customer banking information. Next, one of the sites called “baratomx” that is a fake e-commerce page created to distribute malware is shown:
Fake coupons, giveaways and prizes based on the impersonation of banks in Mexico Additionally, the cybercriminal has shared on social networks such as Facebook, fake McDonald’s discount coupons or giveaways for vehicles that lead to malware pages where the brand impersonation of banks is used.
Among the malvertising campaigns identified by SCILabs, there is also one related to an alleged giveaway of 50 iPhones which was also distributed through social networks. Below is an analysis of each of the malware campaigns managed by cybercriminals:
In this campaign URSA/Mispadu operators placed sponsored ads on Facebook offering fake discount coupons for McDonald’s. In case of clicking on one of the advertisements, the potential victim is directed to one of the apocryphal web pages which, upon clicking the button suggested by the advertisement, will download a ZIP file containing an MSI installer. Occasionally, this ZIP file will also include legitimate software such as Mozilla Firefox or PuTTY, but they are mere decoys and are not used at all. The cybercriminal compiled two different versions of the banking Trojan depending on the country it is attacking. In addition to that, they decided to use different installers and later stages for each country attacked.
This campaign was characterized by the URSA/Mispadu operators sending phishing emails of apocryphal overdue invoices, Mexico being the most affected country; in countries such as Portugal and nearby countries, phishing campaigns were sent impersonating various entities such as Vodafone or the Portuguese judicial police. In this campaign the cybercriminals persuade the recipients of the emails to download a .zip file of malicious URLs, the .zip file, as in the previous campaign, contains an MSI installer that contains a Visual Basic Script. This is followed by the download of two more droppers and three obfuscation layers that, when removed, produce the final .vbs file that runs an AutoIT Loader that loads a Delphi binary containing the Trojan’s code and processes into memory. The malware uses names and logos of legitimate banks to create windows and overlay the victim’s browser to steal their bank details. The binary also uses 2 legitimate tools, NirSoft’s WebBrowserPassView and Mail PassView, which are used to steal the credentials stored in the victim’s browsers and email clients. Some of the functionalities found in this version of the Trojan are that if it detects a virtual environment such as: Hyper-V, VirtualBox or VMWare, the script ends the execution, it also verifies that the victim’s computer has a code corresponding to the languages: Spanish – Spain, Brazilian Portuguese, Spanish – Mexico, Portuguese – Portugal or Spanish, if the system uses a language ID different from those listed, the attack process stops, also the attack ends if the computer name is “JOHN-PC“. Technical Flow
Based on the analysis of the entire campaign, SCILabs identified that with respect to previous URSA/Mispadu campaigns, the TTPs used by cybercriminals have evolved, the actions that cybercriminals take to infect computers are the following: The cybercriminal group behind the campaign has a large infrastructure for the distribution, storage and management of computers infected with the URSA/Mispadu banking trojan. After the phishing email is sent and downloaded and executed by the victim, another .vbs file is downloaded that makes a GET request to an .xml file that contains another .vbs code. This code works as a dropper to obtain the files: Autoit script and an executable loader. The aim is to inject a malicious DLL corresponding to URSA/Mispadu into memory and download the necessary plug-ins to carry out its malicious activity. Technical Flow The victim receives the phishing email related to an invoice which contains a compressed file attached. If the victim extracts and runs it, the infection flow continues as shown in the following diagram.
As in the previous campaign, to create, download and process the infection artifacts, the dropper, as in the version of the second campaign, verifies that the language code of the victim machine is Spanish – Spain, Spanish – Mexico, Portuguese Brazil, Portuguese – Portugal or Spanish, and in addition, that it does not have the name “JOHN-PC” and verify that it is not running in a virtual machine, as shown in the following diagram.
Once the final artifacts are generated: Autoit loader, autoit script with embedded malicious DLL and the random extension file, the ShellExecute method is called by the malicious script and loads the Autoit script with the loader to continue the infection. After the malicious DLL is loaded into memory, two compressed folders are downloaded, containing: ssleay32.dll and libeay32.dll that are associated with the OpenSSL Toolkit used by the trojan. In the last stage, this malware can create apocryphal banking windows superimposed on the browser when victims enter banking portals to steal their credentials, in addition the Trojan uses two legitimate tools, WebBrowserPassView and Mail PassView, that are used to extract the stored credentials in browsers and e-mail, finally the data is sent to the C2 server. When the trojan detects that a victim enters a banking portal, it establishes a connection with the C2 server, with which the cybercriminal gains control of the compromised computer, allowing him to use different commands on demand.
Based on the research carried out by SCILabs, the following PRE matrix was obtained
|Reconnaissance||T1592.002-Software||T1592.004-Client Configurations||T1589.001-Credentials||T1589.002-Email Address||T1598.003-SpearPhishingAttachment|
|Resource Development||T1583.001-Domains||T1583.003-Virtual Private Server||T1583.004-Server||T1586.001-SocialMediaAccounts||T1586.002-Email Accounts||T1587.001-Malware||T1585.001-Social Media Accounts||T1608.001-Upload Malware||T1608.002-Upload Tool||T1608.005-Link Target|
From the analysis of the artifacts and TTPs, the following ATT&CK matrix is obtained:
|Initial Access||Execution||Persistence||Defense Evasion||Credential Access||Discovery||Collection||C&C||Exfiltration|
|T1566.002-Phishing: Spearphishing Link||T1059.005-Command and Scripting Interpreter: Visual Basic||T1176-Browser Extensions||T1140-Deobfuscate/Decode Files or Information||T1552.001-Unsecured Credentials: Credentials in Files||T1083-File and Directory Discovery||T1056-Input Capture||T1573-Encrypted Channel||T1041-Exfiltration Over C2 Channel|
|T1106-Native API||T1547.001-Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||T1036-Masquerading||T1081-Credentials in Files||T1057-Process Discovery||T1115-Clipboard Data||T1132.002-Non-Standard Encoding|
|T1204.002–Malicious File||T1027-Obfuscated Files or Information||T1552.002-Unsecured Credentials: Credentials in Registry||T1518.001-Software Discovery: Security Software Discovery||T1113-Screen Capture||T1001-Data obfuscation|
|T1055.001-Dynamic-link Library Injection||T1555.003-Credentials from Web Browsers||T1010-Application window discovery||T1560-Archive Collected Data|
|T1497-Virtualization/Sandbox Evasion||T1082-System Information Discovery||T1005-Data from local system|
|T1614-System Location Discovery||T1074-Data Staged|
- Constantly carry out awareness campaigns about the different techniques of social engineering and phishing at all levels of the organization.
- Avoid downloading and executing suspicious email attachments, especially if they have extensions: “.exe”, “.vbs”, “.jar” and “.msi”.
- Create strong password policies and apply the principle of least privilege for users within the organization.
- Keep all computer equipment in the organization updated to the latest version of the operating system and security updates applied.
- Consider the indicators of commitment shared below.
URSA banking trojan D2099233A72C282E64E85ABCDDB284CDFFC18B24E088947254F9B55670F52F83 87340165EA0FB1E06364AA479ACB2FF104CEDDEAACE0E548F687B2960A28ED36 09886CE8106CD07A3694F221DD19899AA29A72826F2FEE8A8BAA1B044704737A 91A687ED27F469797317D82B8EB2BCEB4DFC84973B4BFB00F15E951DFDAEA9AE 0916767D0EAA4E3E94DAF740B621C62258832F3F811FE4FA1C9536227FCBEA17 C9E22D965771D8A8005D79B771AF602B95C14B0E23187ED4F718FFC0E87B26E2 4BDA083A30A82698F57F672C5A333ADC84F37FE53D8FED6D8AA7AA31ECAC02FC 02F541522898F87AA36552EAC38A70DC8A23B59E2BF6D4F65EE55485B05EDAAB