Connect with us

The Online Technology

Mispadu: Advertisement for a discounted Unhappy Meal

Security Watch

Mispadu: Advertisement for a discounted Unhappy Meal


Another in our occasional series demystifying Latin American banking trojans

In this installment of our blog series, we will focus on Mispadu, an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers.

We believe this malware family is targeting the general public. Its main goals are monetary and credential theft. In Brazil, we have seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.


Mispadu is a malware family, identified during our research of Latin American banking trojans, that targets Brazil and Mexico. It is written in Delphi and attacks its victims using the same method as the families described earlier in this series: by displaying fake pop-up windows and trying to persuade the potential victims to divulge sensitive information.

For its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It can update itself via a Visual Basic Script (VBS) file that it downloads and executes.

As with the other Latin American banking trojans, Mispadu also collects information about its victims, namely:

  • OS version
  • computer name
  • language ID
  • whether Diebold Warsaw GAS Tecnologia (an application, popular in Brazil, to protect access to online banking) is installed
  • list of installed common Latin American banking applications
  • list of installed security products

As in the cases of Amavaldo and Casbaneiro, Mispadu can also be identified by its use of a unique, custom cryptographic algorithm to obfuscate the strings in its code. This is used in all components, as well as to protect its configuration files and C&C communications. Figure 1 illustrates the core code implementing this algorithm, and Figure 2 pseudocode for the algorithm.

Figure 1. Core of Mispadu’s algorithm for data decryption

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

To Top