Unknown cybercrime threat actors have been observed targeting Spanish- and Portuguese-speaking victims to infiltrate online banking accounts in Mexico, Peru, and Portugal.
"This threat actor uses tactics such as LOLBaS (living off the land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team said in a report published last week.
The cybersecurity firm linked the campaign, which has been dubbed Operation CMDStealer, to Brazilian threat actors based on artifact analysis.
The attack chains rely primarily on social engineering, using Portuguese- and Spanish-language emails with tax-themed or traffic-violation lures to trigger infections and gain unauthorized access to victims' systems.
The email comes with an HTML attachment containing obfuscated code that retrieves the next-stage payload from a remote server in the form of a RAR archive file.
The files, which are geofenced to specific countries, include .CMD files, which, in turn, house AutoIt scripts designed to download Visual Basic Scripts to commit theft of Microsoft Outlook and browser password data.
LOLBaS and CMD-based scripts help threat actors avoid detection by traditional security measures. Because the scripts leverage Windows' built-in tools and commands, they allow the threat actors to circumvent endpoint protection platform (EPP) solutions and bypass security systems, BlackBerry said.
The harvested information is sent back to the attacker’s server via HTTP POST request method.
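The chain described above (a .CMD file launching an AutoIt script, which in turn runs a VBScript stealer) is exactly the kind of parent-child process lineage that a detection engineer can hunt for even when each binary on its own looks legitimate. The following is an added example, not code from the BlackBerry report: it walks process-creation events and flags any wscript.exe/cscript.exe run with a .vbs argument whose ancestry contains both a cmd.exe executing a .cmd file and an AutoIt interpreter. The event records and field names are constructed sample data loosely modelled on Sysmon Event ID 1, and matching the AutoIt interpreter by the substring "autoit" in its image name is an assumption (attackers commonly rename it, so a real rule should also key on file hashes or the AutoIt PE signature).

```python
"""Added example: detect the cmd.exe -> AutoIt -> wscript/cscript (.vbs) chain
in process-creation events. Sample events are constructed, not real telemetry."""
import os
import re

# Constructed sample events (assumption: Sysmon-like fields pid/ppid/image/cmdline).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'WinRAR.exe "C:\Users\u\Downloads\archive.rar"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DI0\stage1.cmd"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\autoit3.exe",
     "cmdline": r"autoit3.exe C:\Users\u\AppData\Local\Temp\stage2.au3"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\stealer.vbs"},
    # Benign noise: an admin running a logon script from a plain cmd.exe.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: the AutoIt interpreter keeps "autoit" in its file name.
AUTOIT_RE = re.compile(r"autoit", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(event, by_pid, max_depth=6):
    """Return [event, parent, grandparent, ...] up to max_depth hops."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect_cmd_autoit_vbs_chain(events):
    """Flag script hosts running a .vbs whose lineage has cmd.exe(.cmd) and AutoIt."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in e["cmdline"].lower():
            continue
        chain = ancestry(e, by_pid)
        names = [basename(p["image"]) for p in chain]
        cmds = [p["cmdline"].lower() for p in chain]
        has_autoit = any(AUTOIT_RE.search(n) for n in names)
        has_cmd_script = any(n == "cmd.exe" and ".cmd" in c
                             for n, c in zip(names, cmds))
        if has_autoit and has_cmd_script:
            alerts.append({"pid": e["pid"],
                           "chain": " -> ".join(reversed(names))})
    return alerts


if __name__ == "__main__":
    for alert in detect_cmd_autoit_vbs_chain(EVENTS):
        print(f"ALERT pid={alert['pid']}: {alert['chain']}")
```

On the constructed events the rule fires once, for pid 500, and stays quiet on the benign wscript.exe launched from an interactive cmd.exe, because that lineage has neither a .cmd file nor an AutoIt interpreter. Requiring both ancestors is what keeps the false-positive rate tolerable; either one alone (cmd.exe running a batch file, or wscript.exe running a .vbs) is routine on many Windows estates.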
“Based on the configuration used to target victims in Mexico, threat actors are attracted to online business accounts, which usually have better cash flow,” the Canadian cybersecurity firm said.
This development is the latest in a long series of financially motivated malware campaigns originating in Brazil.
The findings also come as ESET unveiled details of a Nigerian cybercrime ring that executed a complex financial fraud scheme targeting unsuspecting individuals, banks, and businesses in the U.S. and elsewhere between December 2011 and January 2017.
To carry out the scheme, the bad actors used phishing attacks to gain access to company email accounts and trick their business partners into sending money to bank accounts controlled by the criminals, a technique called business email compromise (BEC).