Operation CMDStealer allegedly caused by Brazilian hackers

June 21, 2023

Operation CMDStealer is allegedly a new cybercriminal campaign run by a threat group from Brazil. The cybercriminals have been targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Portugal, Peru, and Mexico. Based on reports, the group adopted LOLBaS tactics and CMD-based scripts to carry out its malicious activities.

The attack chain leverages social engineering, using Spanish- and Portuguese-language emails with traffic- or tax-themed lures to initiate infection and gain unauthorised access to a targeted system.

The malicious emails used by the actors carry an HTML attachment containing obfuscated code that retrieves the next-stage payload from a remote server in the form of a RAR archive.

The actors geofenced the files to a specific country. Moreover, the archives contain a [.]CMD file housing an AutoIt script that can download a Visual Basic Script to steal MS Outlook and browser password data.

The Operation CMDStealer could bypass generic security solutions.

According to investigations, Operation CMDStealer's use of LOLBaS (living-off-the-land binaries and scripts) and CMD-based scripts allows its operators to evade the detection offered by generic security products.

In addition, the script uses built-in Windows tools and commands, which could allow the threat actors to bypass endpoint protection platform solutions and neutralise security systems. The collected information is then sent back to an attacker-controlled server via an HTTP POST request.

A separate researcher revealed that the threat actors used a configuration specifically targeting victims in Mexico. Online business accounts attract the threat actors because they yield a better profit. The campaign is the latest in a series of financially motivated campaigns originating in Brazil today.

The findings have also led to the discovery of a Nigerian cybercrime ring that ran a complex financial fraud scheme targeting unsuspecting individuals, businesses, and banks in the United States and other countries between December 2011 and January 2017.

These cybercriminal activities have become a significant problem in every country worldwide. Countries targeted by these attacks tend to have a high rate of individuals who unknowingly fall for the bait. Therefore, users should be wary of opening unknown emails and refrain from clicking links in unsolicited messages.
