Brazilian threat actors targeted more than 30 Portuguese financial institutions with information-stealing malware as part of a long-term campaign starting in 2021.
“Attackers can steal credentials and extract users’ personal data and information, which can be exploited for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News.
The cybersecurity firm, which began tracking “Operation Magalenha” earlier this year, said the intrusions led to the deployment of two variants of a backdoor called PeepingTitle to “maximize attack potential.”
The link to Brazil stems from the use of the Brazilian-Portuguese language in detected artifacts as well as source code that overlaps with another banking trojan known as Maxtrilha, which was first disclosed in September 2021.
PeepingTitle, like Maxtrilha, is written in the Delphi programming language and equipped to give an attacker complete control over a compromised host as well as capture screenshots and drop additional payloads.
The attack chain begins with phishing emails and malicious sites hosting bogus installers for popular software, engineered to launch Visual Basic Scripts that are responsible for running malware loaders. The loader then downloads and executes the PeepingTitle backdoors.
PeepingTitle monitors users’ web browsing activity, and if a browser tab that matches one of the target financial institutions is opened, it captures screenshots and further downloads the malware executable from the remote server.
This is achieved by comparing the window title to a predefined set of strings associated with the targeted organization, but not before converting it to a lowercase string with no whitespace characters.
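The window-title comparison described above, shown in Python as an added illustration that is not code from the SentinelOne report or from the malware itself. It assumes the comparison is a substring check against the normalized title (the article does not say whether the check is exact or substring), and it uses a constructed placeholder watchlist rather than the campaign's real target strings. The practical point for analysts is that the embedded comparison strings are lowercase with no whitespace, so a hunt for a bank's display name as it appears in a browser tab will miss them.

```python
import re

# Constructed placeholder watchlist standing in for the real target strings,
# which are deliberately not reproduced here. Entries are stored in the same
# normalized form the comparison uses: lowercase, no whitespace.
TARGET_STRINGS = ("examplebank", "bancoexemplo")


def normalize_title(title: str) -> str:
    """Lowercase the title and remove every whitespace character.

    This mirrors the preprocessing the article describes: the window title is
    converted to lowercase and stripped of whitespace before comparison.
    """
    return re.sub(r"\s+", "", title.lower())


def first_match(title: str, targets=TARGET_STRINGS):
    """Return the first watchlist entry contained in the normalized title, or None.

    Substring matching is an assumption: browser window titles usually carry
    the page title plus the browser name, so an exact comparison would rarely
    fire; a substring check is the behaviour most consistent with the text.
    """
    norm = normalize_title(title)
    for target in targets:
        if target in norm:
            return target
    return None


def matches_target(title: str, targets=TARGET_STRINGS) -> bool:
    """True when the normalized window title contains a watchlist entry."""
    return first_match(title, targets) is not None


def hunt_forms(display_names):
    """For analysts: map each display name to the normalized form to search for.

    Given the bank names as they appear in a browser tab, return the strings
    an embedded watchlist would actually contain, so sample triage and YARA-style
    rules look for the right literals.
    """
    return {name: normalize_title(name) for name in display_names}


if __name__ == "__main__":
    # Constructed sample window titles, as an EDR or window-enumeration
    # telemetry source might record them.
    samples = [
        "Banco Exemplo - Login - Mozilla Firefox",
        "Example   BANK | Home - Google Chrome",
        "Weather forecast - Google Chrome",
    ]
    for title in samples:
        print(f"{title!r:55} -> match={first_match(title)}")
    print(hunt_forms(["Banco Exemplo", "Example Bank"]))
```

Case and spacing variations in the tab title ("Example   BANK", "Banco Exemplo") all collapse to the same normalized key, which is why a watchlist of a few short strings is enough to cover many title layouts, and why a detection engineer should normalize the same way before comparing telemetry against a list of protected institutions.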
“With the first PeepingTitle variant capturing the entire screen, and the second capturing every window a user interacts with, the malware duo provides threat actors with detailed insight into user activity,” the researchers explain.
A key aspect of Magalenha is the switch from DigitalOcean and Dropbox in 2022 to Timeweb Cloud, a Russian cloud service provider that has a softer approach to infrastructure abuse, for malware and command-and-control hosting.
The sophisticated hacking attempt is the latest iteration in a long line of financially motivated malware campaigns originating in Latin America. Earlier this March, Metabase Q disclosed a wave of Mispadu attacks targeting Bolivia, Chile, Mexico, Peru, and Portugal.
“Operation Magalenha demonstrated the persistent nature of the Brazilian threat actor,” the researchers said. “These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.”
“Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe, Central America and Latin America demonstrates an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns.”