More than 90,000 bank account credentials across 17,500 websites in Mexico, Chile, Bolivia, Peru, and Portugal have been exfiltrated by the Mispadu banking trojan, also known as URSA, in various spam campaigns that have been ongoing since August, according to The Hacker News.
Beyond stealing money and credentials, Mispadu can also deliver additional payloads, and it shares similarities with the Lampion, Grandoreiro, and Javali banking trojans that commonly target Latin America, according to a report from Metabase Q's Ocelot Team.
Threat actors deploying Mispadu have been sending phishing emails built around fraudulent overdue invoices; opening the attached lure triggers the malware's deployment.
"One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different types of malware based on the country being infected," the researchers said.