Malware authors have started using web browser extensions as an attack surface to distribute malware that steals credit card and other banking details.
Researchers observed a new banking trojan dubbed Mispadu that aims to steal financial details from users. The malware is written in Delphi and targets customers in Brazil and Mexico.
Mispadu is custom malware that collects the following information from victims:
- Victim’s computer name
- List of installed Latin American banking applications
- OS version
- Security products installed on the computer
- Language ID
- Whether the Diebold Warsaw GAS Tecnologia application is present
Common Distribution Methods & Infection Chain
The malware uses two common distribution methods: spam and malvertising. The threat actors used Facebook as an advertising medium, offering fake McDonald’s coupons.
Clicking a coupon link takes users to a malicious page that downloads a malicious MSI file regardless of the user’s operating system. The infection chain varies between countries, but the logic remains the same.
The MSI file downloads three VBS loaders: the first script unpacks and executes the second, which downloads and executes the third, the actual loader.
The loader script checks the infected machine’s language and whether it is running in a virtual environment; if a virtual environment is detected, it quits.
If the machine is not a virtual machine, the loader sets up configuration files and downloads the following, each as a separate ZIP archive:
- Mispadu banking trojan
- The injector (DLL) used to execute it
- Legitimate support DLLs
To maintain persistence, it creates a link in the Startup folder and then executes the injector.
According to ESET’s analysis of the campaign targeting Brazil, the campaign produced more than 100,000 clicks from Brazil alone, which were found to originate from Facebook.
The threat actor uses social media such as Facebook to show fake McDonald’s discount coupons. The fake coupons were found to be downloaded from the Russian Yandex.Mail platform. ESET said that “the operators created an account on Yandex[.]Mail, sent an email with the malicious coupon as an attachment to themselves and then pointed the potential victim to a direct link to this attachment.”
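The infection chain above (MSI installer, chained VBS loaders, shortcut dropped in the Startup folder) gives a defender three cheap telemetry checks. The following is an added detection example, not code from the article or from ESET; the event fields and the sample events are constructed Sysmon-style records, and the file names in them are placeholders rather than real Mispadu artefacts.

```python
"""Flag a Mispadu-style MSI -> VBS -> Startup-shortcut chain in process/file events."""
import re
from typing import Dict, Iterable, List

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
VBS_RE = re.compile(r"\.vbs\b", re.I)
# Per-user Startup folder; a .lnk written here runs at every logon.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

# Constructed sample events (assumed schema, placeholder paths): an MSI installer
# launches a VBS loader, which chains into a second VBS script that then drops a
# shortcut into the Startup folder. The last event is benign background noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "msiexec.exe", "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage1.vbs"},
    {"type": "process", "parent": "wscript.exe", "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage2.vbs"},
    {"type": "file", "image": "wscript.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe"},
]


def flag_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the alert names raised over an event stream, in event order."""
    alerts: List[str] = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            parent = ev["parent"].lower()
            runs_vbs = image in SCRIPT_HOSTS and VBS_RE.search(ev["cmd"]) is not None
            if parent == "msiexec.exe" and runs_vbs:
                alerts.append("msi_spawns_vbs_loader")      # MSI handing off to a VBS loader
            elif parent in SCRIPT_HOSTS and runs_vbs:
                alerts.append("vbs_chains_vbs")             # loader-in-loader chaining
        elif ev["type"] == "file":
            if image in SCRIPT_HOSTS and STARTUP_LNK_RE.search(ev["path"]):
                alerts.append("script_host_writes_startup_lnk")  # logon persistence
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Each rule fires individually; correlating all three on one host within a short window gives a much stronger signal than any single one.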
Fake Chrome Protect Extension
Another distribution channel is a malicious Chrome extension: in this campaign the attackers used an extension named “Protege seu Chrome” (translation: “Protect your Chrome”) to distribute the malware.
The distribution method differs here, but the infection chain remains the same.
The Chrome extension contains the following components for stealing data from the victim machine:
- Manipulating windows
- Stealing credit card data
- Stealing banking and Boleto data
The primary goal of this campaign is to steal financial details from victims, and it primarily targets users in Brazil. The complete list of Indicators of Compromise can be found in a GitHub repository.