
An unknown cybercrime actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru and Portugal.
In a report released last week, the BlackBerry Research and Intelligence Team said: “This threat actor utilizes tactics such as LOLBaS (living-off-the-land binaries and scripts) along with CMD-based scripts to carry out malicious activity.”
The cybersecurity firm attributed the campaign, which it calls Operation CMDStealer, to a Brazilian threat actor based on its analysis of the artifacts.
The attack chain relies primarily on social engineering: Portuguese- and Spanish-language emails carrying tax- and traffic-themed decoys are used to infect and compromise victims’ systems.

The email carries an HTML attachment containing obfuscated code that retrieves the next-stage payload, a RAR archive, from a remote server.
The archives are geofenced to a specific country and contain a .CMD file that downloads a Visual Basic script and an AutoIt script designed to steal Microsoft Outlook and browser password data.

“LOLBaS and CMD-based scripts help attackers evade detection by traditional security measures. Because the scripts make use of Windows’ built-in tools and commands, attackers can bypass Endpoint Protection Platform (EPP) solutions and slip past security systems,” BlackBerry said.
The collected information is sent to the attacker’s server via the HTTP POST request method.
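The defensive counterpart of the chain described above (a .CMD script run by cmd.exe that spawns a Visual Basic script host and an AutoIt interpreter, then an HTTP POST to the attacker’s server) is a process-tree correlation rule. The following is an added example, not code from the BlackBerry report; the Sysmon-like event format, field names, file paths and the 203.0.113.10 address are all constructed for illustration.

```python
"""Toy detector for the LOLBaS execution chain in the article:
cmd.exe running a .CMD file -> wscript/cscript and/or AutoIt children
-> outbound HTTP POST from a descendant process.
Event format and sample lines are constructed (hypothetical), not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events in a simplified, Sysmon-like "Type key=value ..." form.
SAMPLE_EVENTS = [
    r"ProcessCreate pid=100 ppid=50 image=C:\Windows\explorer.exe cmdline=explorer.exe",
    r"ProcessCreate pid=101 ppid=100 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c C:\Users\alice\Downloads\rar\factura.cmd",
    r"ProcessCreate pid=102 ppid=101 image=C:\Windows\System32\wscript.exe cmdline=wscript.exe //B C:\Users\alice\AppData\Local\Temp\s.vbs",
    r"ProcessCreate pid=103 ppid=101 image=C:\Users\alice\AppData\Local\Temp\AutoIt3.exe cmdline=AutoIt3.exe C:\Users\alice\AppData\Local\Temp\p.a3x",
    r"NetworkConnect pid=103 dest=203.0.113.10 dport=80 method=POST",
    # Benign control: an operator runs cmd.exe from the console, no script hosts spawned.
    r"ProcessCreate pid=200 ppid=50 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c dir",
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
AUTOIT_NAMES = ("autoit3.exe",)
# key=value tokens; the value runs until the next " key=" or end of line,
# so command lines containing spaces survive intact.
TOKEN = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split 'Type k=v k=v ...' into a dict with the event type under 'type'."""
    etype, _, rest = line.partition(" ")
    fields = dict(TOKEN.findall(rest))
    fields["type"] = etype
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def descendants(pid, children):
    """All transitive child pids of `pid` (iterative DFS)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(children.get(c, []))
    return out


def detect_cmd_chain(lines):
    """Return one alert per cmd.exe process that ran a .CMD file and spawned a
    script host or AutoIt; `post_seen` is set if any descendant made an HTTP POST."""
    procs, children, posts = {}, defaultdict(list), set()
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "ProcessCreate":
            pid = int(ev["pid"])
            procs[pid] = ev
            children[int(ev["ppid"])].append(pid)
        elif ev["type"] == "NetworkConnect" and ev.get("method") == "POST":
            posts.add(int(ev["pid"]))

    alerts = []
    for pid, ev in procs.items():
        if basename(ev["image"]) != "cmd.exe":
            continue
        m = re.search(r"(\S+\.cmd)\b", ev["cmdline"], re.IGNORECASE)
        if not m:
            continue
        kids = [basename(procs[c]["image"]) for c in children.get(pid, [])]
        spawned = [k for k in kids if k in SCRIPT_HOSTS or k in AUTOIT_NAMES]
        if not spawned:
            continue
        exfil = any(c in posts for c in descendants(pid, children))
        alerts.append({"pid": pid, "script": m.group(1),
                       "spawned": spawned, "post_seen": exfil})
    return alerts


if __name__ == "__main__":
    for alert in detect_cmd_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on the combination (cmd.exe running a .CMD file, plus a script host or AutoIt child, plus a POST from the subtree) rather than on any single built-in binary, which is what makes LOLBaS activity hard to flag on its own; the benign `cmd.exe /c dir` line produces no alert.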
“Based on the configuration used to target Mexican victims, attackers are typically interested in online business accounts with good cash flow,” said the Canadian cybersecurity firm.
This development is the latest in a long string of financially motivated malware campaigns originating from Brazil.
The findings coincide with ESET’s exposure of a Nigerian cybercriminal group that carried out complex financial fraud against unsuspecting individuals, banks and businesses in the United States and elsewhere between December 2011 and January 2017.
To carry out the scheme, the attackers used phishing to gain access to corporate email accounts and then tricked business partners into transferring money to bank accounts under criminal control, a technique known as business email compromise.