A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021.
“The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News.
The cybersecurity firm, which began tracking “Operation Magalenha” earlier this year, said the intrusions culminate in the deployment of two variants of a backdoor called PeepingTitle so as to “maximize attack potency.”
The links to Brazil stem from the use of the Brazilian-Portuguese language within the detected artifacts as well as source code overlaps with another banking trojan known as Maxtrilha, which was first disclosed in September 2021.
PeepingTitle, like Maxtrilha, is written in the Delphi programming language and is equipped to grant the attacker full control over the compromised hosts as well as capture screenshots and drop additional payloads.
The attack chains begin with phishing emails and rogue websites hosting fake installers for popular software that are engineered to launch a Visual Basic Script responsible for executing a malware loader. The loader subsequently downloads and executes the PeepingTitle backdoors.
PeepingTitle monitors users’ web browsing activity, and if a browser tab matching one of the target financial institutions is opened, it exfiltrates screen captures and stages further malware executables from a remote server.
This is achieved by comparing the window title to a predefined set of strings related to targeted organizations, but not before transforming it into lowercase string san any whitespace characters.
“With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity,” the researchers explained.
An important aspect of Magalenha is the shift from DigitalOcean and Dropbox in 2022 to Timeweb Cloud, a Russian cloud service provider that has a more lenient approach towards infrastructure abuse, for malware hosting and command-and-control.
The sophisticated hacking effort represents the latest iteration in a long line of financially motivated malware campaigns originating from Latin America. Earlier this March, Metabase Q uncovered a Mispadu attack wave targeting Bolivia, Chile, Mexico, Peru, and Portugal.
“Operation Magalenha indicates the persistent nature of the Brazilian threat actors,” the researchers said. “These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.”
“Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns.”