Researchers have observed Brazilian hackers deploying PeepingTitle malware in attacks against at least 30 Portuguese financial institutions.
According to the latest report from SentinelLabs, more than 30 Portuguese banks have become victims of targeted hacking by cybercriminals based in Brazil. These institutions were targeted in what seems to be a financially motivated campaign that was launched in 2021 but became active in early 2023.
Most of the attacks occurred last month, and the main targets are financial institutions in Portugal, wrote SentinelOne researchers Tom Hegel and Aleksandar Milenkoski.
Reportedly, the hackers implant information-stealing malware to hijack credentials and user data, including personal information, and use it for other malicious purposes beyond financial gain.
In a blog post, SentinelOne stated that it started tracking the campaign, dubbed Operation Magalenha, in early 2022. The researchers noted that the intrusions led to deploying two variants of the PeepingTitle backdoor, which greatly enhanced the attack potential.
The attack starts with phishing emails and websites hosting bogus installers of popular software. Once a bogus installer is downloaded and run on a device, it launches a Visual Basic Script, which executes the malware loader. This loader then downloads and executes the PeepingTitle backdoors, which begin monitoring the user’s web browsing activity.
The backdoor quickly captures screenshots when a user accesses a financial institution’s website or logs into their account. It connects with the attacker’s remote server to launch new malware executables.
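The infection chain described above (bogus installer, then a script host, then a loader executable) is something a defender can look for in process-creation telemetry. The following is an added example, not code from SentinelOne or from the report; the event layout, the process names and the installer-naming heuristic are assumptions, and the sample events are constructed.

```python
"""Flag installer -> script host -> executable chains in process-creation events.

Example code, not from the SentinelLabs report. Events are (pid, ppid, image, cmdline),
a simplified Sysmon-style layout (assumption). Process names are constructed samples."""
from collections import defaultdict

# Windows script hosts that run .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry, not real data from the campaign.
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "popularapp_setup.exe", "popularapp_setup.exe"),          # hypothetical bogus installer
    (300, 200, "wscript.exe", 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\inst.vbs"'),
    (400, 300, "loader.exe", "loader.exe"),                                # hypothetical loader
    (500, 100, "wscript.exe", 'wscript.exe "C:\\Scripts\\logon.vbs"'),   # benign admin script, no installer parent
]


def build_tree(events):
    """Index events by pid and build a parent -> children map."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, *_ in events:
        children[ppid].append(pid)
    return by_pid, children


def is_installer(image):
    """Heuristic (assumption): fake installers are named to look like setup packages."""
    name = image.lower()
    return name.endswith(".exe") and ("setup" in name or "install" in name)


def find_chains(events):
    """Return (installer_pid, script_pid, loader_pid) for every
    installer -> script host -> executable chain in the events."""
    by_pid, children = build_tree(events)
    hits = []
    for pid, (_, _, image, _) in by_pid.items():
        if not is_installer(image):
            continue
        for spid in children[pid]:
            if by_pid[spid][2].lower() not in SCRIPT_HOSTS:
                continue
            for lpid in children[spid]:
                if by_pid[lpid][2].lower().endswith(".exe"):
                    hits.append((pid, spid, lpid))
    return hits


if __name__ == "__main__":
    by_pid, _ = build_tree(SAMPLE_EVENTS)
    for chain in find_chains(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(by_pid[p][2] for p in chain))
```

The benign logon script launched directly from explorer.exe is not reported, since it lacks the installer parent that characterises this chain.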
“With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity,” researchers noted.
This campaign initially abused cloud service providers such as Dropbox and DigitalOcean. The hackers had to change course as these platforms tightened their security practices, and now rely on the Russian web hosting provider TimeWeb.
Both backdoors are simultaneously deployed, giving the hackers exceptional control over the compromised devices. Through PeepingTitle, attackers can track window interactions, terminate system processes, capture screenshots, and deploy data exfiltration tools and other malware.
Operation Magalenha illustrates the persistence of Brazilian hackers and the evolving nature of their campaigns. Researchers wrote that Brazilian groups consistently update their malware tools and tactics, which is why their campaigns are so effective.
Moreover, researchers believe that the attackers have shown considerable understanding of local financial institutions and are ready to invest resources and time to develop targeted campaigns.
Regarding how researchers determined it was the work of Brazilian hackers, Hegel and Milenkoski wrote that the attackers used Brazilian Portuguese in the artefacts they detected.
Moreover, the malware source code shares similarities with the Maxtrilha banking trojan, first discovered in 2021. The malware is written in the Delphi programming language; it grants the attackers complete control over infected hosts, captures screenshots, and drops new payloads.