Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts
2023-06-05 04:48

An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal.

The cybersecurity company attributed the campaign, dubbed Operation CMDStealer, to a Brazilian threat actor based on an analysis of the artifacts.

The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic violation-themed lures to trigger the infections and gain unauthorized access to victims' systems.

The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file.

"Based on the configuration used to target victims in Mexico, the threat actor is interested in online business accounts, which usually have a better cash flow," the Canadian cybersecurity company said.

To pull off the schemes, the bad actors used phishing attacks to obtain access to corporate email accounts and trick their business partners into sending money to bank accounts controlled by criminals, a technique called business email compromise.


News URL

https://thehackernews.com/2023/06/brazilian-cybercriminals-using-lolbas.html