Twenty different spam campaigns relying on the Mispadu banking Trojan were discovered targeting victims in Chile, Mexico, Peru and Portugal.
The findings, which show 90,518 credentials stolen from a total of 17,595 unique websites, come from the Ocelot Team of Latin American cybersecurity firm Metabase Q.
These included a number of government websites: 105 in Chile, 431 in Mexico and 265 in Peru.
“By looking at the techniques, tactics and arsenal used during these campaigns, there is no doubt, it is very similar to the banking Trojan Mispadu, but with new components not seen before,” wrote Metabase Q security researchers Fernando Garcia and Dan Regalado.
According to their recently published advisory, Mispadu features new techniques to facilitate infection and maintain persistence. These include fake certificates to obfuscate initial stage malware and a new .NET-based backdoor enabling screenshots of target victims, as well as the sending of phony pop-up windows to prompt them to click on specific links.
Further, the upgraded version of the Mispadu banking Trojan comes with a new backdoor programmed using Rust that, according to Metabase Q, is still poorly handled by endpoint protection tools.
Read more on Rust here: Agenda Ransomware Switches to Rust to Attack Critical Infrastructure
“Although Mispadu campaigns were able to compromise thousands of users, the infection rate of corporate users (that normally have a combination of an Antivirus and an EDR/XDR) is still very low,” Garcia and Regalado clarified.
“However, organizations need to assume that sooner or later an employee will be compromised, and therefore, work on a strategy that can help to reduce the time to detect and respond to these threats while improving [the] SOC’s monitoring, detection and response capabilities.”
Another backdoor recently used to target Latin American victims is DTrack, which was reportedly deployed by the North Korean Lazarus group.