AllaSenha Targets Banking Credentials in Brazil

  |  Source: 
Financial Services

AllaSenha Targets Banking Credentials in Brazil

A malware campaign distributing AllaSenha, a credential-stealing malware, is targeting users in Brazil. This threat, identified by the cyber threat research team at HarfangLab, utilizes Azure cloud as part of its command and control (C2) infrastructure in an effort to evade defenses in its mission to capture banking information. The AllaSenha malware is assessed to be a variant of the "AllKore" remote access trojan (RAT). Attribution of the malware and campaign has yet to be determined with confidence. The attackers have demonstrated a pattern of quickly setting up and dismantling their C2 infrastructure using WebDAV servers with a transient operational window, which complicates tracking and mitigation efforts. This campaign specifically targets major Brazilian financial institutions, aiming to capture sensitive financial data and banking credentials, indicating a highly localized and financially motivated operation.

The infection begins with a deceptive LNK file disguised as a PDF using a dual file extension—.pdf.lnk, delivered via WebDAV. The initial access vector is undetermined, however, it is strongly assessed to have been delivered through a phishing email. Researchers at HarfangLab observed this file initiates a multi-stage attack beginning with a command shell that deceives the user into triggering further malicious actions. The LNK file executes a command that simulates the opening of a PDF while secretly downloading and executing a BAT file (.cmd) named BPyCode launcher from a remote server. The BPyCode launcher initiates a sequence of activities with a base64-encoded PowerShell command that leads to downloading a Python binary from the official Python website. This script then creates a directory in C:\Users\Public, where it unzips the downloaded Python binary and renames the Python executable. Following this setup, the renamed Python executable is used to execute further Python scripts encoded in base64, which include downloading and executing a DLL named ExecutorLoader directly into memory, avoiding disk-based detection. This process of in-memory execution is facilitated by dynamically loading the DLL using a custom Python module designed to obscure the loading process from traditional antivirus systems.

ExecutorLoader serves as the intermediary stage, functioning primarily to inject the final payload, AllaSenha, into legitimate system processes to evade detection further. It achieves persistence by injecting this payload into a system process like mshta.exe through a sophisticated process injection technique. This method involves copying the mshta.exe to a new location, modifying it, and then injecting the malicious DLL. ExecutorLoader manipulates system processes in such a way that allows the malware to operate covertly, often without triggering security alerts. It also sets up a registry run key to ensure the malware persists across system reboots, embedding itself within the Windows startup processes.

The final payload, AllaSenha, is meticulously designed to target Brazilian banking customers by extracting sensitive information such as account credentials and two-factor authentication (2FA) tokens. HarfangLab researchers explain, "Upon launch, AllaSenha reads the user’s browser data to search for credentials associated with targeted banks. If unable to find any, it enters a 'waiting' state where it starts multiple threads to monitor if the user is performing actions associated with banking." AllaSenha employs Domain Generation Algorithms (DGA) to communicate with command-and-control (C2) servers hosted on the Azure cloud platform, complicating the disruption of its communication channels. The malware utilizes various communication protocols, including raw TCP connections, with server-generated domains that frequently rotate, thereby thwarting efforts to block these communications. Additionally, AllaSenha crafts deceptive user interfaces to phish for more credentials and 2FA data, actively engaging with victims to facilitate unauthorized banking transactions.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now