Upon launch, the LNK file retrieves a BAT payload called "c.cmd" from the same WebDAV server URL and launches a Windows command shell intended to open a bogus PDF file to the intended recipient. The file, known as the BPyCode launcher, initiates a PowerShell command that is Base64-encoded and then downloads the Python binary from the official Python website to run a Python script with the codename BPyCode.

For its part, BPyCode acts as a downloader, launching the dynamic-link library ("executor.dll") in memory. One of the domain names produced by a domain generation algorithm (DGA) is where the DLL is retrieved from. Researchers noted that the hostnames that were generated appear to correspond with the Microsoft Azure Functions service, which is a serverless architecture that would enable operators to quickly install and switch between staging environments.

The three files that are retrieved by BPyCode are a second Python loader script, a ZIP archive containing the PythonMemoryModule package, and another ZIP archive containing "executor.dll". After that, the new Python loader script is started to use PythonMemoryModule to load executor.dll, a malware that is based on Borland Delphi and is also known as ExecutorLoader, into memory. The main responsibility of ExecutorLoader is to decode AllaSenha and run it by injecting it into a valid mshta.exe process.

AllaSenha can display overlay windows to capture two-factor authentication (2FA) codes and even fool a victim into scanning a QR code to approve a fraudulent transaction that the attackers have initiated. This capability goes beyond simply taking online banking account credentials from web browsers. An additional examination of the source code connected to the original LNK file and AllaSenha samples has shown that a threat actor who speaks Portuguese is probably involved in the creation of the malware, though there is currently no proof that they are also using the tools.

Threat actors operating in Latin America seem to be an especially fruitful source for efforts including cybercrime. Although these attackers almost mainly target individuals in Latin America to obtain banking credentials, they frequently compromise devices that belong to businesses worldwide even when they are run by Brazilian subsidiaries or workers.

Impact

• Financial Loss
• Credential Theft
• Command Execution

Indicators of Compromise

Domain Name

• nfe-digital.digital

MD5

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
• Conduct regular security awareness training for users to recognize and avoid phishing emails.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implement network segmentation to limit lateral movement within the network.
• Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
• Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
• Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
• Regularly back up critical data and ensure that the backup copies are stored securely.