Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha.
The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab said in a technical analysis.
Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. The initial access vector, though not definitively confirmed, points towards the use of malicious links in phishing messages.
The starting point of the attack is a malicious Windows shortcut (LNK) file that masquerades as a PDF document ("NotaFiscal.pdf.lnk") hosted on a WebDAV server since at least March 2024. There is also evidence to suggest that the threat actors behind the activity previously abused legitimate services like Autodesk A360 Drive and GitHub to host the payloads.
The LNK file, when launched, executes a Windows command shell that's designed to open a decoy PDF file to the recipient, while simultaneously retrieving a BAT payload named "c.cmd" from the same WebDAV server location.
Dubbed the BPyCode launcher, the file launches a Base64-encoded PowerShell command, which subsequently downloads the Python binary from the official www.python[.]org website in order to execute a Python script codenamed BPyCode.
BPyCode, for its part, functions as a downloader for a dynamic-link library ("executor.dll") and running it in memory. The DLL is fetched from one of the domain names generated via a domain generation algorithm (DGA).
"Generated hostnames seem to match those that are associated with the Microsoft Azure Functions service, a serverless infrastructure that in this case would allow operators to easily deploy and rotate their staging infrastructure," the company said.
Specifically, BPyCode retrieves a pickle file that includes three files: A second Python loader script, a ZIP archive containing the PythonMemoryModule package, and another ZIP archive containing "executor.dll."
The new Python loader script is then launched to load executor.dll, a Borland Delphi-based malware also called ExecutorLoader, in memory using PythonMemoryModule. ExecutorLoader is primarily tasked with decoding and executing AllaSenha by injecting it into a legitimate mshta.exe process.
In addition to stealing online banking account credentials from web browsers, AllaSenha comes with the ability to display overlay windows in order to capture two-factor authentication (2FA) codes and even trick a victim into scanning a QR code to approve a fraudulent transaction initiated by the attackers.
"All AllaSenha samples [...] use Access_PC_Client_dll.dll as their original file name," HarfangLab noted. "This name can notably be found in the KL Gorki project, a banking malware which seems to combine components of both AllaKore and ServerSocket."
Further analysis of the source code associated with the initial LNK file and AllaSenha samples has revealed that a Portuguese-speaking user named bert1m is likely linked to the development of the malware, although there is no evidence at this stage to suggest that they are operating the tools as well.
"The threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns," HarfangLab said.
"While almost exclusively targeting Latin American individuals to steal banking details, these actors often end up compromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all around the world."
The development comes as Forcepoint detailed malspam campaigns distributing another Latin America-focused banking trojan called Casbaneiro (aka Metamorfo and Ponteiro) via HTML attachments with an aim to siphon victims' financial information.
"The malware distributed via email urges the user to click on the attachment," security researcher Prashant Kumar said. "The attachment contains malicious code which does a series of activities and leads to data compromise."
AllaSenha Traced Back to Two Brazilian Threat Actors
Cisco Talos, in a technical write-up published on May 31, 2024, attributed the AllaSenha banking trojan to Brazilian actors, who it said could be "identified because of some operational mistakes made during the domain registration process for their payload-hosting sites."
Specifically, it found that the WHOIS information for the domains "nfe-visualizer.app[.]br" and "visualizer-nf.com[.]br" used to distribute the malware exposed the full names and email addresses of two people who registered them, using which it was able to unearth other companies owned by one of them. The second actor has been revealed to have criminal records in their name.
The cybersecurity firm is tracking the banking trojan under the name CarnavalHeist, noting the use of several tactics that are common among other similar malware families coming out of Brazil.
"Unique to CarnavalHeist, however, is the dynamic use of a Python-based loader as part of the DLL injection process and the specific targeting of banking desktop applications to enable tracking of other Brazilian financial institutions," it said.
Campaigns involving the malware are believed to have been ongoing since at least 2023, with a substantial increase in the number of infected hosts from February 2024 through April 2024.
"We have also observed this threat actor targeting only Brazilian victims and no other Latin American countries which is common among this type of banking malware," Cisco Talos told The Hacker News.
"The threat actors intend to infect as many victims as possible and extract as much financial information (for major Brazilian banking institutions), highlighting that these low-sophistication adversaries are aggressively trying to spread malware."
Anatsa Android Banking Trojan Sneaks into Google Play Store
It's not just Windows that has been at the receiving end of banking trojan attacks, for Zscaler ThreatLabz disclosed details of an Android banking malware campaign that made use of decoy applications uploaded to the Google Play store to deliver Anatsa (aka TeaBot and Toddler).
These clean dropper applications pass off as seemingly harmless productivity and utility apps like PDF readers, QR code readers, and translators, and employ an identical infection chain revealed by ThreatFabric earlier this February to retrieve and deploy the malware from a remote server under the guise of an app update to evade detection.
The apps, which have since been taken down by Google, are listed below -
- com.appandutilitytools.fileqrutility (QR Reader & File Manager)
- com.ultimatefilesviewer.filemanagerwithpdfsupport (PDF Reader & File Manager)
According to statistics available on Sensor Tower, PDF Reader & File Manager has been installed anywhere between 500 to 1,000 times, while the QR code reader app has had installations in the range of 50,000 to 100,000.
"Once installed, Anatsa exfiltrates sensitive banking credentials and financial information from global financial applications," researchers Himanshu Sharma and Gajanan Khond said. "It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly."
Zscaler said it identified over 90 malicious apps on the Play Store over the past few months that have collectively had more than 5.5 million installations and were used to propagate various malware families like Joker, Facestealer, Anatsa, Coper, and other adware.
(The story was updated after publication on May 31, 2024, with more information about AllaSenha from Cisco Talos.)