Key points
- Mispadu (URSA) phishing campaign expanded from LATAM to include European targets while Mexico remains heavily targeted.
- Initial lure: PDF invoice containing a “View Full Invoice” button that uses a URL shortener (insprl.com) to redirect to a Yandex.Mail attachment hosting the ZIP payload.
- ZIP contains an MSI or HTA that triggers a DLL export to decrypt and drop a first-stage VB script; the VB chain executes largely in memory and is heavily obfuscated.
- Second-stage VB performs anti-VM and locale checks (BIOS/manufacturer, OS language codes, and hostname checks like “JOHN-PC”) before downloading three components: an encrypted payload, a compiled AutoIT script, and a legitimate AutoIT executable.
- The AutoIT executable runs the compiled script, which loads an injector DLL into memory; the DLL decrypts and injects the final Mispadu payload into attrib.exe or RegSvcs.exe.
- The final payload uses NirSoft tools (WebBrowserPassView, Mail PassView) and foreground-window monitoring for >200 targeted services to harvest credentials, which are exfiltrated to a stable C2; over 60k credential files were observed on one C2.
- Two C2s are used: one for fetching components (frequently changed) and one more consistent server for credential exfiltration.
MITRE Techniques
- [T1566] Phishing – Initial vector is a phishing email with a PDF attachment (Email body translated: ‘The XML and PDF of your invoice are available.’)
- [T1204] User Execution – Victim interaction triggers payload download by clicking the PDF button (‘View Full Invoice’ (translated) button in the PDF will initiate the download)
- [T1027] Obfuscated Files or Information – MSI/HTA and multiple stages use the same decryption algorithm and obfuscation (‘The export function decrypts a string… The decryption algorithm used… is the same one used throughout the entire campaign.’)
- [T1059] Scripting – Multiple VBScript stages are executed in memory to fetch and run subsequent components (‘The downloaded script is the second stage VB script, evaluated and executed in memory.’)
- [T1562] Defense Evasion – Anti-VM and environment checks are performed (queries of model, manufacturer, BIOS and checks like computer name not equal to ‘JOHN-PC’)
- [T1071] Command and Control – Components and exfiltration use HTTP(S) endpoints and hosted attachments (example fetch URL: ‘https://webattach.mail.yandex[.]net/message_part_real/?sid=&name=’)
- [T1552] Credentials from Web Browsers and Email Clients – Uses NirSoft utilities to extract stored credentials (‘utilize NirSoft’s legitimate WebBrowserPassView and Mail PassView to extract browser and email client credentials’)
- [T1083] Discovery – Payload monitors foreground windows for bank, crypto exchange and finance-related strings to find targets (‘actively monitors foreground windows of websites and applications for specific strings, including bank names, cryptocurrency exchanges, finance-related applications, and email clients. Over 200 such services are monitored’)
- [T1041] Exfiltration – Extracted credentials are sent to the attacker’s C2 server (‘Extracted credentials are sent to the attacker’s C2 server’ and ‘there are more than 60K files in the C2 server.’)
Indicators of Compromise
- [PDF Hashes] Malicious invoice PDFs – d0239871a9979bea53d538ca2ef680f433699b749600ab2e93f318fc31a4c33f, b6faf2e8ded0ec241c53ed1462032e43d32671877773c7def6f69c9286403fde, and 2 more hashes
- [MSI Hashes] Installer samples used to drop VB script – eda8af62c033636d38f9e70e77b011df89c48feb8a393415a7752b7759dcef4c, 50687300a0d51a86bd5c858b6ee6fa0db171926da7fcbc8ac93f9a336e709443, and multiple others
- [VBS Hashes] First/second-stage VB scripts – 1266c3ffada5bf0620bf64a60c24457f14468c26996af6d321d7ca2cb3977f37, 4c6f9607aeb8da098fd2e802a0722a3f1ee2c1d4cbe5cc4cbd25832367424162, and additional hashes
- [Domains / C2] Payload/C2 infrastructure – contdskl.bounceme[.]net (download host), 160.126.168[.]184.host.secureserver.net, betmaniaplus[.]com, and others like arq.carpedum[.]com
- [URLs / Redirectors] Delivery redirectors and hosts – insprl.com (URL shortener used in PDF), https://webattach.mail.yandex[.]net/message_part_real/?sid=&name= (Yandex attachment hosting)
- [Bitcoin Addresses] Threat actor payment addresses observed – bc1qn5fwarp0wesjahyaavj3zpzawsh3mp0mpuw94n, bc1qzcdrhp30eztexrmyvz5dwuyzzqyylq5muuyllf
Recently observed technical procedure (rewritten):
Mispadu’s chain begins with a phishing PDF (translated message: “The XML and PDF of your invoice are available.”) containing a “View Full Invoice” link that uses a URL shortener (insprl.com) to redirect victims to a ZIP attachment hosted on Yandex.Mail. The ZIP holds either an MSI or an HTA; the MSI invokes a DLL export under CustomActions to decrypt and run a command that drops a first-stage VBScript into a public folder, while the HTA executes a similar command path. That VB script downloads and evaluates a heavily obfuscated second-stage VB in memory; the VB script sets its User-Agent to contain “(MSIE)”, which the C2 requires before serving subsequent payloads.
The second-stage VB implements anti-analysis checks (BIOS/manufacturer queries, OS language code comparisons, and hostname checks such as ensuring the machine name is not “JOHN-PC”) and, if checks pass, fetches three components: an encrypted archive that will become the final Mispadu payload, a compiled AutoIT script (fetched via an indexed naming scheme), and a legitimate AutoIT executable used to run the script. The AutoIT script loads an injector DLL into memory and invokes its export, and that DLL decrypts the final payload and injects it into a legitimate process (attrib.exe or RegSvcs.exe) to achieve execution and stealth.
The deployed payload uses NirSoft’s WebBrowserPassView and Mail PassView to extract browser and email client credentials, monitors foreground windows for over 200 targeted banking/crypto/finance application strings, and exfiltrates harvested credentials to a dedicated C2 (a separate, more persistent server). Morphisec’s analysis found credential records on the C2 dating back to April 2023, with over 60K files observed; a separate, frequently rotated C2 is used for fetching components.
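Added example, not code from the Morphisec post: a small Python triage filter that applies the delivery and execution traits summarised above (the insprl.com redirect, the Yandex attachment path, the “(MSIE)” User-Agent gate, and the AutoIT interpreter launching attrib.exe or RegSvcs.exe) to constructed proxy and process-creation log lines. The log line format, the sample events, and any host or path not quoted in the summary are assumptions.

```python
import re

# Delivery traits from the write-up: the insprl.com shortener behind the PDF
# button, the Yandex attachment host/path that serves the ZIP, and the C2
# serving later stages only when the User-Agent contains "(MSIE)".
ATTACH_PATH = "/message_part_real/"
MSIE_UA = re.compile(r"\(MSIE\)")

# Execution traits: the legitimate AutoIT interpreter runs the compiled script
# and the injector DLL targets attrib.exe or RegSvcs.exe.
AUTOIT_PARENT = re.compile(r"autoit3?\.exe$", re.IGNORECASE)
INJECT_TARGETS = {"attrib.exe", "regsvcs.exe"}

# Constructed line formats (an assumption, not any real product's schema):
#   PROXY <client_ip> <host> <path> "<user_agent>"
#   PROC  <hostname> parent=<image> child=<image>
PROXY_RE = re.compile(r'^PROXY (\S+) (\S+) (\S+) "([^"]*)"$')
PROC_RE = re.compile(r"^PROC (\S+) parent=(\S+) child=(\S+)$")


def triage(lines):
    findings = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            client, host, path, ua = m.groups()
            if host == "insprl.com":
                findings.append({"src": client, "rule": "pdf-shortener-redirect"})
            elif host == "webattach.mail.yandex.net" and path.startswith(ATTACH_PATH):
                findings.append({"src": client, "rule": "yandex-attachment-fetch"})
            elif MSIE_UA.search(ua):
                # A genuine IE UA reads "(compatible; MSIE 11.0; ...)", never a bare "(MSIE)"
                findings.append({"src": client, "rule": "msie-ua-c2-gate", "host": host})
            continue
        m = PROC_RE.match(line)
        if m:
            hostname, parent, child = m.groups()
            if AUTOIT_PARENT.search(parent) and child.rsplit("\\", 1)[-1].lower() in INJECT_TARGETS:
                findings.append({"src": hostname, "rule": "autoit-injection-target", "child": child})
    return findings


# Constructed sample events; hosts and the attachment path are those quoted in the summary.
SAMPLE_LOG = [
    'PROXY 10.0.0.5 insprl.com /inv0ice "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    'PROXY 10.0.0.5 webattach.mail.yandex.net /message_part_real/?sid=&name= "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    'PROXY 10.0.0.5 contdskl.bounceme.net /stage2 "(MSIE)"',
    'PROXY 10.0.0.9 example.org / "Mozilla/5.0 (compatible; MSIE 11.0)"',
    'PROC WS-05 parent=C:\\Users\\Public\\AutoIt3.exe child=C:\\Windows\\System32\\attrib.exe',
    'PROC WS-05 parent=C:\\Windows\\explorer.exe child=C:\\Windows\\System32\\attrib.exe',
]
```

Running `triage(SAMPLE_LOG)` yields four findings in order (shortener redirect, attachment fetch, MSIE-gated C2 fetch, AutoIT-to-attrib.exe launch); the real IE client and the explorer.exe-spawned attrib.exe produce none.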
Read more: https://blog.morphisec.com/mispadu-infiltration-beyond-latam