
Mispadu Malvertising Trojan: An Un-Happy Meal for McDonalds


Beware! The Mispadu trojan is collecting victims' payment-card and online banking details through malvertising that poses as McDonalds free meal coupon ads.

Mispadu is a banking trojan that, according to the research team at ESET, specifically targets the Latin American countries of Brazil and Mexico and steals victims' payment-card and online banking details. Trojans are not new to the banking sector, but the way this one lures users into its trap is worth noting. Attackers are taking advantage of the holiday season that is just around the corner and using Facebook's sponsored ads to push users toward a call to action.

ESET researchers also found that Mispadu is spreading via spam emails. The malicious ads offer fake discount coupons for McDonalds with the callout, "Use them on any September day! Independence coupons. Get yours now." As soon as users click the ad, they are redirected to a fake McDonalds website with a button that says, "I want! / Generate coupon." Clicking this button in turn downloads a ZIP archive to the victim's machine.

The ZIP archive contains an MSI installer. When the victim runs it, a chain of three VBS scripts starts executing. Researchers said that the first script (unpacker) decrypts and executes the second script (downloader) from its internal data. The downloader script retrieves the third script (loader) and executes it. The loader script acts as the malware's decision logic. It checks the location of the victim's machine, to confirm that it is in the targeted Latin American region, and checks for certain virtual environments. If the conditions are not met, the loader quits and aborts the process. If they are met, it loads three things:

  • Mispadu banking trojan
  • A DLL injector used for the trojan's execution, and
  • Legitimate supporting DLLs

The loader script finally completes the malware installation by decrypting the banking trojan and executing it.
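A triage check for the delivery format described above (a downloaded ZIP whose payload is an MSI installer), as an added example that is not from ESET or the original article. It recognizes MSI packages by content (the compound-file signature plus the Windows Installer root CLSID) rather than by extension; the function names and the sample archive are constructed for illustration.

```python
import io, struct, uuid, zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary signature
MSI_CLSID = uuid.UUID("000C1084-0000-0000-C000-000000000046").bytes_le  # MSI package
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def is_msi(data: bytes) -> bool:
    """True if data is a compound file whose root directory entry has the MSI CLSID."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        return False
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    (first_dir,) = struct.unpack_from("<I", data, 48)
    if sector_shift not in (9, 12):  # 512- or 4096-byte sectors only
        return False
    root = (first_dir + 1) << sector_shift  # sectors are numbered after the header
    return data[root + 80:root + 96] == MSI_CLSID  # CLSID field of the root entry

def triage_zip(blob: bytes, max_member: int = 64 * 2**20):
    """Return [(member, verdict)] for archive members an analyst should review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # password-protected: cannot inspect
                findings.append((info.filename, "encrypted-member"))
            elif info.file_size > max_member:  # do not inflate huge members
                findings.append((info.filename, "oversize-skipped"))
            elif is_msi(zf.read(info)):
                findings.append((info.filename, "msi-installer"))
            elif info.filename.lower().endswith(SCRIPT_EXT):
                findings.append((info.filename, "script"))
    return findings

def stub_compound_file(clsid: bytes) -> bytes:
    """Constructed test data: compound-file header plus one directory sector."""
    hdr, root = bytearray(OLE_MAGIC + bytes(504)), bytearray(512)
    struct.pack_into("<H", hdr, 30, 9)  # sector shift 9; first directory sector = 0
    root[80:96] = clsid
    return bytes(hdr + root)

def build_sample() -> bytes:
    """Constructed archive: MSI with a misleading extension, a legacy doc, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("coupon.dat", stub_compound_file(MSI_CLSID))
        zf.writestr("notes.doc", stub_compound_file(bytes(16)))
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()
```

Calling `triage_zip(build_sample())` flags only `coupon.dat`, since the legacy document shares the compound-file signature but not the installer CLSID.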

Information collected by Mispadu

It collects the following information from its victims:

  • OS version
  • Computer name
  • Language ID
  • Diebold Warsaw GAS Tecnologia installation check (an application, popular in Brazil, to protect access to online banking)
  • List of installed common Latin American banking applications
  • List of installed security products

Recently, researchers uncovered a mass malware attack whose authors were said to be motivated by their political beliefs. This malware was designed to steal sensitive information, including call recordings, text messages, photos, videos, and location data, without users' knowledge. Apart from its spying features, the malware also has backdoor capabilities: it can upload, download, and delete files, record surrounding audio, take over the camera, and make calls or send messages to specific numbers, according to the researchers.