Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

Jun 05, 2023 | Ravie Lakshmanan | Banking Security / Malware

An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal.


“This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities,” the BlackBerry Research and Intelligence Team said in a report published last week.

The cybersecurity company attributed the campaign, dubbed Operation CMDStealer, to a Brazilian threat actor based on an analysis of the artifacts.

The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic-violation-themed lures to trigger the infections and gain unauthorized access to victims’ systems.

The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file.

The files, which are geofenced to a specific country, include a .CMD file, which, in turn, houses an AutoIt script that’s engineered to download a Visual Basic Script to carry out the theft of Microsoft Outlook and browser password data.

“LOLBaS and CMD-based scripts help threat actors avoid detection by traditional security measures. The scripts leverage built-in Windows tools and commands, allowing the threat actor to evade endpoint protection platform (EPP) solutions, and bypass security systems,” BlackBerry noted.

The harvested information is transmitted back to the attacker’s server via an HTTP POST request.

“Based on the configuration used to target victims in Mexico, the threat actor is interested in online business accounts, which usually have a better cash flow,” the Canadian cybersecurity company said.


The development is the latest in a long line of financially motivated malware campaigns emanating from Brazil.

The findings also come as ESET exposed the tactics of a Nigerian cybercrime ring that executed complex financial fraud scams targeting unsuspecting individuals, banks, and businesses in the U.S. and elsewhere between December 2011 and January 2017.

To pull off the schemes, the bad actors used phishing attacks to obtain access to corporate email accounts and trick their business partners into sending money to bank accounts controlled by criminals, a technique called business email compromise.
