Analyzing a Mispadu Trojan’s attack chain
Pieter Arntz · 2025-02-11 · via Threat Walkthroughs – ThreatDown by Malwarebytes

We tracked a Mispadu banking Trojan infection from the email attachment to the payload.

The banking Trojan Mispadu (also referred to as Ursa) uses a lot of different infection chains. One that has been notoriously hard to unravel tricks users into executing a remote JavaScript file.

We found an example targeting Mexican companies with a fake invoice, a PDF email attachment called Factura.pdf.

Figure: The invoice used as a lure for Mispadu

The blue download button offers the invoice in either PDF or XML format. However, if the target clicks the download link, they get a ZIP file called ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑦①④⑥⑥⑦⑥⑧④.zip, containing an HTA file called ❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑨⑤④②①②③.hta.

The content of the HTA file itself is very simple—a basic HTML document that includes a remote JavaScript file.

Figure: The HTA file includes a remote JavaScript
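As an added example (not code from the ThreatDown write-up), the following Python triage routine shows what a mail gateway or sandbox pre-filter can extract from this stage of the chain: it NFKC-normalizes the archive member names so the double-struck letters and circled digits collapse back to "Archivos Adjuntos" plus digits, flags members whose names only look the way they do because of such compatibility glyphs, flags script and executable extensions, and opens any HTA/HTML member to check for a `<script src>` pointing at a remote host. The archive, the HTA body and the `example.invalid` loader URL are constructed stand-ins built in memory; the real loader address is not reproduced.

```python
import io
import re
import unicodedata
import zipfile

# Constructed stand-ins for the attachment described above (not the real sample):
# the names reuse the campaign's double-struck letters and circled digits.
ARCHIVE_NAME = "❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑦①④⑥⑥⑦⑥⑧④.zip"
HTA_NAME = "❉𝔸𝕣𝕔𝕙𝕚𝕧𝕠𝕤 𝔸𝕕𝕛𝕦𝕟𝕥𝕠𝕤❉_⑨⑤④②①②③.hta"
# Constructed HTA body: a bare HTML document whose only job is to pull a remote script.
# The host name is a placeholder; the real loader URL is not reproduced here.
HTA_BODY = (b'<html><head><script type="text/javascript" '
            b'src="https://example.invalid/loader.js"></script></head><body></body></html>')

# Extensions that execute when double-clicked on Windows.
EXECUTABLE_EXT = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                  ".ps1", ".bat", ".cmd", ".lnk", ".exe", ".scr", ".pif"}
# A <script> tag that loads from another host (http(s):// or protocol-relative //).
REMOTE_SCRIPT = re.compile(rb'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//', re.IGNORECASE)


def normalize_name(name):
    """NFKC folds compatibility glyphs (double-struck letters, circled digits) to plain ASCII."""
    return unicodedata.normalize("NFKC", name)


def has_disguised_name(name):
    """True when the name only looks the way it does because of compatibility characters."""
    return normalize_name(name) != name


def extension(name):
    """Extension of the NFKC-normalized, lower-cased name ('' when there is none)."""
    n = normalize_name(name).lower()
    return n[n.rfind("."):] if "." in n else ""


def triage_zip(zip_bytes):
    """Return one finding per suspicious member: disguised name, executable type, remote include."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, ext, reasons = info.filename, extension(info.filename), []
            if has_disguised_name(name):
                reasons.append("unicode-disguised filename")
            if ext in EXECUTABLE_EXT:
                reasons.append(f"executable content ({ext})")
            if ext in {".hta", ".htm", ".html"} and REMOTE_SCRIPT.search(zf.read(info)):
                reasons.append("remote script include")
            if reasons:
                findings.append({"member": normalize_name(name), "reasons": reasons})
    return findings


def build_sample_zip():
    """Build the constructed sample archive in memory so the triage runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(HTA_NAME, HTA_BODY)
    return buf.getvalue()


if __name__ == "__main__":
    print("archive:", normalize_name(ARCHIVE_NAME))
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Normalizing before matching matters: a blocklist on the literal string "archivos adjuntos" or on ".hta" never sees the circled-digit and double-struck variant, while the NFKC form does, and the fact that normalization changed the name at all is itself a useful signal because legitimate invoices are not named with mathematical alphanumerics.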

At first, this is where our search ended, because the secureserver.net account had been suspended, blocking access to the JavaScript. I wonder why.

However, we were able to obtain the JavaScript through another channel and established that it creates a randomly named VBS script by executing this command:

Figure: The JavaScript file runs a command that creates a VBS script

The VBS file, in this case FtRBZ.vbs, is written to the %TEMP% folder and is heavily obfuscated. Its only goal is to create the final payload, which is also randomly named; in our case it was called KrgIn.exe.

At this point the target has infected their system with the Mispadu banking Trojan.
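The execution chain described above (HTA opened by mshta.exe, a script host running a randomly named VBS from %TEMP%, and an executable dropped into %TEMP% and launched by that script host) is a good candidate for parent-child process rules. The Python below is an added example, not the vendor's detection logic, that evaluates three such rules over a constructed set of Sysmon-style process-creation events and attaches the full lineage to each hit. PIDs, user name, paths and the benign `cscript.exe` noise event are made up; only the image names and the FtRBZ.vbs / KrgIn.exe file names follow the write-up.

```python
import re

# Constructed Sysmon-style process-creation events modelled on the chain above.
# Paths, PIDs and the benign noise event are made up; only the image names
# (mshta.exe -> wscript.exe -> KrgIn.exe, FtRBZ.vbs in %TEMP%) follow the write-up.
EVENTS = [
    {"pid": 4120, "ppid": 1012, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "C:\Users\ana\Downloads\Archivos Adjuntos_9542123.hta"'},
    {"pid": 5316, "ppid": 5208, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\FtRBZ.vbs"'},
    {"pid": 5400, "ppid": 5316, "image": r"C:\Users\ana\AppData\Local\Temp\KrgIn.exe",
     "cmd": r"C:\Users\ana\AppData\Local\Temp\KrgIn.exe"},
    # Benign noise: an admin script launched by the task scheduler from a fixed path.
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Walk parent pointers into a readable chain, stopping at unknown or already-seen PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def match_rules(event, parent):
    """Return the names of every rule this event trips (empty list when benign)."""
    img = basename(event["image"])
    pimg = basename(parent["image"]) if parent else ""
    rules = []
    if pimg == "mshta.exe" and img in SCRIPT_HOSTS:
        rules.append("mshta.exe spawned a script host")
    if img in {"wscript.exe", "cscript.exe"} and USER_TEMP.search(event["cmd"]):
        rules.append("script host ran a script from user %TEMP%")
    if img.endswith(".exe") and USER_TEMP.search(event["image"]) and pimg in SCRIPT_HOSTS:
        rules.append("executable in user %TEMP% launched by a script host")
    return rules


def detect(events):
    """Evaluate every event against the rules and attach the full process lineage to each hit."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        rules = match_rules(e, by_pid.get(e["ppid"]))
        if rules:
            alerts.append({"pid": e["pid"], "rules": rules, "lineage": lineage(by_pid, e["pid"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each rule on its own is noisy (administrators do run cscript.exe, and installers do launch executables from %TEMP%), which is why the lineage is attached: a hit whose chain reads `krgin.exe <- wscript.exe <- mshta.exe <- explorer.exe` is far easier to triage than the same executable name without its ancestry, and a SOC can escalate only when two of the three rules fire within one chain.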

Mispadu has been around since at least 2019 and historically targets victims in Spanish and Portuguese-speaking Latin American countries. It uses a malware-as-a-service (MaaS) business model and is capable of stealing credentials from mail clients, stealing financial data, capturing and replacing Bitcoin wallet data in the clipboard, stealing credentials from Google Chrome, logging keystrokes on a victim’s machine, and stealing banking credentials.

Under normal circumstances, Mispadu will terminate if it finds the language ID of the affected system is not Spanish or Portuguese (but don’t rely on that to protect you). It also terminates if it finds out it is running in a virtualized environment, likely to avoid reverse engineering.

The malware and the infection chain are under constant development. In other infection chains we have seen Mispadu use PowerShell and even AutoIt, which covers every scripting engine we have previously advised keeping under control with ThreatDown's Application Block.