Mispadu banking trojan uses a McDonald’s malvertising tactic to steal payment-card data and online banking information. Mispadu, which was written in Delphi, targets Brazil and Mexico. It uses pop-up windows and contains backdoor functionality.
Ads and email messages spread the Mispadu banking trojan
Mispadu spreads both via email and through sponsored advertisements on Facebook. These offer fake discount coupons for McDonald’s. The call out is: “Use them on any September day! Independence coupons. Get yours now.” When a user clicks the ad, is taken to a fake McDonald’s website with a “I want! Generate coupon” button. Once clicked, it downloads a ZIP archive, containing an MSI installer – database files, used by Windows. This makes then a series of changes that end with the download of the banking trojan.
ESET experts said that “We believe this malware family is targeting the general public. Its main goals are monetary and credential theft.”
Mispadu also has a backdoor functionality. It can take screenshots, capture keystrokes and simulate mouse and keyboard actions. Also, it collects the fingerprinting information about the computer and looks for a popular app that protects access to online banking. At the same time, it monitors the banking apps and the content. Then, it tries to replace any bitcoin wallet with its own. Moreover, it gathers credentials. The malware also uses four legitimate apps, modified to run without a graphical user interface. They extract stored credentials from browsers and email clients.
McDonald’s malvertising distributes a Chrome extension
The McDonald’s malvertising seems to be only the beginning of a series of attacks. The security researchers discovered an open directory on one of the servers Mispadu uses. Also, files connected to a similar campaign were stored there. “Those files can be used to set up a webpage imitating AreaVIP (a tabloid website in Brazil) and to force a fake Adobe Flash Player update on its potential victims.”
You can use our free ad blocker to avoid this danger.