LATAM-focused threat actors updated several banking trojans in 2023, enhancing defense evasion, obfuscation, and multi-stage delivery chains. The report highlights SAMBA SPIDER as a Brazil-based actor using Mispadu, and provides IOCs for multiple families across LATAM targets. #SAMBA_SPIDER #Mispadu #Kiron #Caiman #Culebra #Salve #Astaroth #Doit #Grandoreiro #Metamorfo
Keypoints
- 2023 updates across LATAM malware families focused on stronger defense evasion, new components, and obfuscation methods.
- Threats selectively target Spanish- and Portuguese-speaking users, using language and geolocation filtering to limit infections.
- SAMBA SPIDER, a Brazil-based adversary, is linked to deploying Mispadu and harvesting credentials with NirSoft tools.
- The Mispadu deployment chain evolved to include C++ and HTA droppers, CAPTCHA-based anti-analysis, and D1/D2 downloaders.
- The Grandoreiro family consists of two variants, Kiron and Caiman; Kiron increasingly uses 64-bit payloads and ZIP delivery, while Caiman uses dead-drops and geolocation filtering.
- Culebra, Salve, and Astaroth continued activity with Delphi loaders, MSI delivery, steganography, and updated anti-analysis techniques.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The malware downloads and delivers multiple components across stages. “…LATAM malware is composed of several stages intended to deliver a final payload that implements the core functionality. Each threat has at least two components: a downloader and a core payload.”
- [T1059.007] JavaScript – Downloader components are written in JScript. “…downloaders are written in JScript or VBScript (VBS) but can also be written in Delphi.”
- [T1059.005] VBScript – Downloader components are written in VBScript. “…downloaders are written in JScript or VBScript (VBS) but can also be written in Delphi.”
- [T1027] Obfuscated/Compressed Files and Information – String encryption is used as an anti-analysis technique. “…Most of the analyzed threats use the same XOR-based algorithm to encrypt strings as an anti-analysis technique to hinder static analysis.”
- [T1140] Deobfuscate/Decode Files or Information – Payloads are decrypted at runtime and loaded in memory. Encrypted payloads are decrypted at runtime and loaded in memory by a loader component.
- [T1497] Virtualization/Sandbox Evasion – CAPTCHA challenges and sandbox checks are used to avoid automated analysis. The CAPTCHA does not need to be solved; when a user clicks any part of the CAPTCHA window, the dropper continues execution.
- [T1071.001] Web Protocols – C2 communications use HTTP, and collected data is sent over web protocols.
Indicators of Compromise
- [SHA256] Mispadu C++ dropper non-obfuscated version – dbb2e294a65eb3fa1bbe1a25c2baf352a01250d567cfa953d4f942c2b5f08e53
- [SHA256] Mispadu C++ dropper obfuscated version – d56863d940d5ccd1922bbbdf65471c493701e3b10be5c522851c8efbdaeb9fae
- [SHA256] Mispadu .NET dropper – ac97f893f8243db3c5ccfbc89d83b97534c1b73d0289ccb61bfb2c035f539126
- [SHA256] Mispadu HTA dropper – f873062ff206ad60cb4b790c2ba83624c510f15dbc4905d5c96668f87999c16a
- [SHA256] D2 downloader – 7b6444e5be24ce95cdcac357cf20ddc77abda142a16202ab3677b7d29a1e0da3
- [SHA256] Kiron downloader – a302c7bb7fdd8ca6c814bafa363953e12e05082c913d50085df8bb2d8d8cec88
- [Domain] bombafantastic.is-a-financialadvisor[.]com
- [Domain] cozineros.merseine[.]com
- [IP] 35.175.173[.]110
- [IP] 191.55.63[.]128
Read more: https://www.crowdstrike.com/blog/latin-america-malware-update/