Threat Walkthroughs – ThreatDown by Malwarebytes
Analyzing a Mispadu Trojan’s attack chain
Pieter Arntz · 2025-02-11 · via Threat Walkthroughs – ThreatDown by Malwarebytes

We tracked a Mispadu banking Trojan infection from the email attachment to the payload.

The banking Trojan Mispadu (also referred to as Ursa) uses a lot of different infection chains. One that has been notoriously hard to unravel tricks users into executing a remote JavaScript file.

We found an example targeting Mexican companies with a fake invoice, a PDF email attachment called Factura.pdf.

The invoice used as a lure for Mispadu

The blue download button offers the invoice in either PDF or XML format. However, if the target clicks the download link, they get a ZIP file called ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑦①④⑥⑥⑦⑥⑧④.zip, containing an HTA file called ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑨⑤④②①②③.hta.
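As an added example (not code from the original post or from ThreatDown), here is a small Python check that a mail gateway or triage script could apply to attachment names of this kind: NFKC folding reveals the plain name hidden behind the double-struck letters and circled digits, and a script-host extension inside the ZIP is flagged. The ZIP is constructed in memory for the demonstration; its member names mirror the lure described above, and the HTA body is an empty placeholder.

```python
import io
import os
import unicodedata
import zipfile

# Extensions handed to a Windows script host (HTA files run under mshta.exe).
SCRIPT_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1"}


def fold(name: str) -> str:
    """NFKC maps styled code points to their plain form (𝔸 -> A, ⑦ -> 7)."""
    return unicodedata.normalize("NFKC", name)


def styled_ratio(name: str) -> float:
    """Fraction of letters/digits in `name` that are styled look-alikes."""
    alnum = [c for c in name if c.isalnum()]
    if not alnum:
        return 0.0
    return sum(1 for c in alnum if fold(c) != c) / len(alnum)


def assess_name(name: str) -> dict:
    """Score one filename: mostly-styled Unicode plus a script-host extension."""
    folded = fold(name)
    ext = os.path.splitext(folded)[1].lower()
    reasons = []
    if styled_ratio(name) >= 0.5:
        reasons.append("mostly styled Unicode letters/digits")
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script host extension {ext}")
    return {"name": name, "folded": folded, "ext": ext, "reasons": reasons}


def assess_zip(data: bytes) -> list:
    """Assess every member of a ZIP attachment; return only flagged members."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            result = assess_name(member)
            if result["reasons"]:
                flagged.append(result)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample ZIP: a styled-name HTA (empty body) next to a decoy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑨⑤④②①②③.hta", "")
        zf.writestr("Factura.pdf", "%PDF-1.4 placeholder, not a real document")
    return buf.getvalue()
```

Running `assess_zip(build_sample_zip())` flags only the HTA member, reporting its folded name `❉Archivos Adjuntos❉_9542123.hta` with both reasons.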

The content of the HTA file itself is very simple—a basic HTML document that includes a remote JavaScript file.

The HTA file includes a remote JavaScript

At first, this is where our search ended, because the secureserver.net account had been suspended, blocking access to the JavaScript. I wonder why.

However, we were able to obtain the JavaScript through another channel, and established that it creates a randomly named VBS script, by executing this command:

The JavaScript file runs a command that creates a VBS script

The VBS file, in this case FtRBZ.vbs, is located in the %TEMP% folder and is heavily obfuscated. Its only goal is to create the final payload, which is also randomly named, but in our case was called KrgIn.exe.

Effectively the target has now infected their system with the Mispadu banking Trojan.

Mispadu has been around since at least 2019 and historically targets victims in Spanish and Portuguese-speaking Latin American countries. It uses a malware-as-a-service (MaaS) business model and is capable of stealing credentials from mail clients, stealing financial data, capturing and replacing Bitcoin wallet data in the clipboard, stealing credentials from Google Chrome, logging keystrokes on a victim’s machine, and stealing banking credentials.

Under normal circumstances, Mispadu will terminate if it finds the language ID of the affected system is not Spanish or Portuguese (but don’t rely on that to protect you). It also terminates if it finds out it is running in a virtualized environment, likely to avoid reverse engineering.

The malware and the infection chain are under constant development. In other infection chains, we have seen Mispadu use PowerShell and even AutoIt, which ticks every box on the list of scripting engines we have advised you to keep under control with ThreatDown's Application Block.