A Brazilian hacking group has been targeting thirty Portuguese government and private financial institutions since 2021 in a malicious campaign called ‘Operation Magalenha.’
Examples of the targeted entities include ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI, and Novobanco.
This campaign was exposed by a Sentinel Labs report highlighting the tools used by the threat actor, the various infection vectors, and their malware distribution methods.
The analysts uncovered details about the threat actor’s origin and tactics thanks to a server misconfiguration that exposed files, directories, internal correspondence, and more.
The initial infection
The attackers use many methods to distribute their malware to targets, including phishing emails pretending to come from Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT), social engineering, and malicious websites that mimic these organizations.
In all cases, the infection begins with the execution of an obfuscated VB script that fetches and executes a malware loader, which in turn loads two variants of the ‘PeepingTitle’ backdoor onto the victim’s system following a five-second delay.
“The VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments, which is typically pasted content of publicly available code repositories,” explains Sentinel Labs in the report.
“This is a simple, yet effective technique for evading static detection mechanisms – the scripts that are available on VirusTotal feature relatively low detection ratios.”
The analysts explain that the purpose of those scripts is to distract the users while malware is downloaded and to steal their EDP and AT credentials by directing them to the corresponding fake portals.
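The comment-padding trick described above (live code scattered among large amounts of pasted comments) is cheap to counter at triage time: strip the comments and look at how little real logic remains. The following script is an added example written for this page, not a tool from Sentinel Labs or the threat actor; the embedded VBScript is a constructed sample, and the keyword list and 90% threshold are assumptions an analyst would tune to their own environment.

```python
"""Triage heuristic for comment-padded VBScript droppers (added example)."""
import re

# Constructed sample: two pasted-looking comment lines repeated many times,
# wrapping a handful of live statements (placeholder URL, not a real host).
SAMPLE_VBS = "\n".join(
    ["' Copyright (c) Example Project", "' Helper module for string utilities"] * 40
    + [
        'Set objShell = CreateObject("WScript.Shell")',
        "Rem another pasted comment line",
        'strUrl = "hxxp://placeholder.invalid/loader"  \' trailing comment',
        "WScript.Sleep 5000",
    ]
    + ["' End of file"] * 20
)

# VBScript comments start with an apostrophe or the Rem keyword.
COMMENT_RE = re.compile(r"^\s*('|rem\b)", re.IGNORECASE)

# Assumed indicator list: objects and calls commonly seen in script loaders.
INDICATORS = (
    "createobject", "wscript.shell", "wscript.sleep",
    "xmlhttp", "adodb.stream", "shell.application",
)

COMMENT_RATIO_THRESHOLD = 0.90  # assumption: >90% comment lines is padding


def strip_trailing_comment(line: str) -> str:
    """Drop an apostrophe comment that follows code, ignoring quoted strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line


def split_vbs(script: str):
    """Return (comment_lines, code_lines); blank lines are ignored."""
    comments, code = [], []
    for line in script.splitlines():
        if not line.strip():
            continue
        if COMMENT_RE.match(line):
            comments.append(line)
        else:
            code.append(strip_trailing_comment(line))
    return comments, code


def triage(script: str) -> dict:
    """Score a script by comment share and list the live indicators found."""
    comments, code = split_vbs(script)
    total = len(comments) + len(code)
    ratio = len(comments) / total if total else 0.0
    live = "\n".join(code).lower()
    hits = [kw for kw in INDICATORS if kw in live]
    return {
        "comment_lines": len(comments),
        "code_lines": len(code),
        "comment_ratio": round(ratio, 3),
        "indicators": hits,
        # Flag padded scripts that still contain loader-style calls.
        "flagged": ratio >= COMMENT_RATIO_THRESHOLD and bool(hits),
        "live_code": code,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The output of `triage` is meant to feed a sandbox or analyst queue rather than block on its own: a high comment ratio alone is common in legitimate scripts, so the verdict requires both the padding pattern and live loader-style calls.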
PeepingTitle is a Delphi-written malware with a compilation date of April 2023, which Sentinel Labs believes was developed by a single person or team.
The attackers drop two variants because each has a distinct role: one captures the victim’s screen, while the second monitors open windows and the user’s interactions with them.
The second variant can also fetch additional payloads after registering the victim machine with the attackers and sending them reconnaissance details.
The malware checks for windows that match a list of hardcoded financial institutions, and when it finds one, logs all user input (including credentials) and sends it to the threat actor’s C2 server.
PeepingTitle can also capture screenshots, terminate processes on the host, change its monitoring interval on the fly, and stage payloads from executables or DLL files using the Windows rundll32 utility.
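Staging a DLL through rundll32 from a script-launched chain leaves a recognisable process-creation pattern. The detection logic below is an added example for this page, not from the report: it runs over constructed process-creation events (fields modelled on a typical EDR or Sysmon event) and flags rundll32 loading a module from a user-writable directory, or rundll32 spawned by a script host, which matches the VB-script-to-loader chain the article describes. Paths, user names and DLL names in the events are made up.

```python
"""Flag suspicious rundll32 staging in process-creation events (added example)."""
import re

# Assumed set of user-writable locations where staged payloads are typically dropped.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
# Script hosts that would run the VB-script stage described in the article.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample events: image, command line, parent image.
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Start",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\ProgramData\update\helper.dll",Init',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry",
     "parent": r"C:\Windows\System32\cscript.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def rundll32_module(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load (text before the first comma)."""
    _, _, rest = cmdline.partition("rundll32.exe")
    module = rest.strip().split(",", 1)[0].strip()
    return module.strip('"')


def assess(event: dict) -> list:
    """Return the reasons an event looks like rundll32 payload staging (empty if none)."""
    reasons = []
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return reasons
    module = rundll32_module(event["cmdline"])
    if USER_WRITABLE.search(module):
        reasons.append(f"module loaded from user-writable path: {module}")
    if event["parent"].lower().endswith(SCRIPT_HOSTS):
        reasons.append(f"rundll32 spawned by script host: {event['parent']}")
    return reasons


def detect(events: list) -> list:
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, assess(e)) for i, e in enumerate(events) if assess(e)]


if __name__ == "__main__":
    for idx, why in detect(EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Rule hits of this kind are best routed to an analyst with the parent script and the loaded module attached, since the user-writable-path rule will also catch some legitimate installers; the combination of both reasons on one event is the stronger signal.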
Sentinel Labs has noticed several cases where the threat actors demonstrated the ability to overcome operational hurdles since the beginning of Operation Magalenha.
In mid-2022, the group stopped abusing DigitalOcean Spaces for C2, malware hosting, and distribution, and moved to more obscure cloud service providers such as the Russia-based Timeweb.
The analysts believe this move was due to DigitalOcean’s due diligence causing too many campaign disruptions and operational difficulties.