Brazilian Hackers Targeting Users of Over 30 Portuguese Banks

May 25, 2023 | Ravi Lakshmanan | Financial Security / Cyber Threats


Brazilian attackers are targeting Portuguese financial institutions with information-stealing malware as part of a long-running campaign that began in 2021.

“Attackers can steal credentials and exfiltrate user data and personal information, which can be used for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News.

The cybersecurity firm, which began tracking “Operation Magalenha” earlier this year, said the intrusions rely on the PeepingTitle backdoor to “maximize attack power”.

The Brazilian connection stems from the use of Brazilian Portuguese within the detected artifacts, as well as source code overlap with another banking Trojan known as Maxtrilha, which was first disclosed in September 2021.

PeepingTitle, like Maxtrilha, is written in the Delphi programming language and gives attackers complete control of a compromised host, including the ability to capture screenshots and drop additional payloads.

The attack chain begins with phishing emails and malicious websites hosting fake installers for popular software. The installers launch Visual Basic scripts that run a malware loader, which in turn downloads and executes the PeepingTitle backdoor.

PeepingTitle monitors a user’s web browsing activity, stealing screen captures and staging further malware executables from remote servers when a browser tab matching one of the targeted financial institutions is opened.

This is accomplished by converting the window title to a lowercase string with whitespace characters removed, and comparing the normalized title against a predefined set of strings related to the organizations of interest.
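The title-normalization check described above is simple enough to reproduce, which is useful on the defensive side: a detection engineer can run the same logic over window titles observed in a sandbox (or over an institution's own portal titles) to see which ones would trigger the screen-capture and payload-staging behaviour. The following is an added example, not code from the report or from the malware; the target strings are constructed placeholders (the real list is not given in the article), and the assumption that the comparison is a substring test rather than exact equality is mine.

```python
# Reproduces the window-title heuristic the article attributes to PeepingTitle,
# for use in detection engineering and sandbox test-case design.
# Assumption: the check is a substring test on the normalized title.

# Constructed placeholder strings; the real target list is not on the page.
TARGET_STRINGS = ("examplebankpt", "bancodemo")


def normalize_title(title: str) -> str:
    """Lowercase the title and drop every whitespace character
    (spaces, tabs, newlines, non-breaking spaces), as described."""
    return "".join(ch for ch in title.lower() if not ch.isspace())


def normalize_targets(targets=TARGET_STRINGS) -> tuple:
    """Apply the same normalization to the target list so that a target
    written as 'Example Bank PT' still matches a stripped title."""
    return tuple(normalize_title(t) for t in targets)


def matching_targets(title: str, targets=TARGET_STRINGS) -> list:
    """Return the target strings contained in the normalized title."""
    norm = normalize_title(title)
    return [t for t in normalize_targets(targets) if t and t in norm]


def is_targeted(title: str, targets=TARGET_STRINGS) -> bool:
    """True if opening a window with this title would trigger the malware's
    screen-capture and payload-staging branch under the assumed heuristic."""
    return bool(matching_targets(title, targets))


def titles_that_trigger(titles, targets=TARGET_STRINGS) -> list:
    """Given window titles collected from a sandbox run (constructed here),
    return (title, matched_targets) pairs for the ones that would trigger."""
    result = []
    for t in titles:
        hits = matching_targets(t, targets)
        if hits:
            result.append((t, hits))
    return result


if __name__ == "__main__":
    # Constructed sample window titles, as a sandbox might record them.
    sample_titles = [
        "Example Bank PT - Login - Mozilla Firefox",
        "Example News - Mozilla Firefox",
        "  BANCO   Demo\t- Google Chrome",
        "Calculator",
    ]
    for title, hits in titles_that_trigger(sample_titles):
        print(f"would trigger: {title!r} -> {hits}")
```

Because whitespace is stripped on both sides, a title such as "Banco Demo" and one with a non-breaking space between the words normalize to the same string, so test cases should cover those variants rather than only the canonical spelling.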


“By capturing the entire screen with the first PeepingTitle variant and each window the user interacts with using the second, this malware duo provides attackers with detailed insight into user activity,” the researchers explained.

A key aspect of Magalenha is its 2022 move from DigitalOcean and Dropbox to Timeweb Cloud, a Russian cloud service provider that takes a more lenient approach to infrastructure abuse, for malware hosting and command-and-control.

“Operation Magalenha demonstrates the relentless nature of Brazilian threat actors,” the researchers said. “These groups are an evolving threat to organizations and individuals in target countries and have demonstrated a consistent ability to update their malware arsenals and tactics, allowing campaigns to remain effective.”

“Their ability to organize attacks on Portuguese- and Spanish-speaking countries in Europe, Central America and Latin America indicates an understanding of local financial situations and a willingness to invest time and resources in developing targeted campaigns.”
