Malteiro

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).^[1]

ID: G1026

Contributors: Daniel Fernando Soriano Espinosa; SCILabs

Version: 1.0

Created: 13 March 2024

Last Modified: 29 March 2024

Version Permalink

Live Version

Enterprise Layer

download view 👁 Image

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.005	Command and Scripting Interpreter: Visual Basic	Malteiro has utilized a dropper containing malicious VBS scripts.^[1]
Enterprise	T1555		Credentials from Password Stores	Malteiro has obtained credentials from mail clients via NirSoft MailPassView.^[1]
.003	Credentials from Web Browsers	Malteiro has stolen credentials stored in the victim’s browsers via software tool NirSoft WebBrowserPassView.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Malteiro has the ability to deobfuscate downloaded files prior to execution.^[1]
Enterprise	T1657		Financial Theft	Malteiro targets organizations in a wide variety of sectors via the use of Mispadu banking trojan with the goal of financial theft.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.^[2]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Malteiro has sent spearphishing emails containing malicious .zip files.^[1]
Enterprise	T1055	.001	Process Injection: Dynamic-link Library Injection	Malteiro has injected Mispadu’s DLL into a process.^[1]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Malteiro collects the installed antivirus on the victim machine.^[1]
Enterprise	T1082		System Information Discovery	Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name.^[1]
Enterprise	T1614	.001	System Location Discovery: System Language Discovery	Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	Malteiro has relied on users to execute .zip file attachments containing malicious URLs.^[1]

Software

ID	Name	References	Techniques
S1122	Mispadu	^[1]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Input Capture: Keylogging, Input Capture: GUI Input Capture, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Phishing: Spearphishing Link, Process Discovery, Process Injection, Screen Capture, Software Discovery: Security Software Discovery, Software Extensions: Browser Extensions, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Location Discovery: System Language Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks

References

SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.

SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024.

URL: https://attack.mitre.org/groups/G1026/

⇱ Malteiro, Group G1026 | MITRE ATT&CK®

Malteiro

Enterprise Layer

Techniques Used

Software

References