Malteiro

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[1]

ID: G1026
Contributors: Daniel Fernando Soriano Espinosa; SCILabs
Version: 1.0
Created: 13 March 2024
Last Modified: 29 March 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Malteiro has utilized a dropper containing malicious VBS scripts.[1] |
| Enterprise | T1555 | Credentials from Password Stores | Malteiro has obtained credentials from mail clients via NirSoft MailPassView.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Malteiro has stolen credentials stored in the victim’s browsers via the NirSoft WebBrowserPassView tool.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Malteiro has the ability to deobfuscate downloaded files prior to execution.[1] |
| Enterprise | T1657 | Financial Theft | Malteiro targets organizations in a wide variety of sectors using the Mispadu banking trojan with the goal of financial theft.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.[2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Malteiro has sent spearphishing emails containing malicious .zip files.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Malteiro has injected Mispadu’s DLL into a process.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Malteiro identifies the antivirus software installed on the victim machine.[1] |
| Enterprise | T1082 | System Information Discovery | Malteiro collects machine information, including the system architecture, OS version, computer name, and Windows product name.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Malteiro has relied on users to execute .zip file attachments containing malicious URLs.[1] |

Software

References