Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

LOLBaS and CMD Scripts

An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal.

“This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities,” the BlackBerry Research and Intelligence Team said in a report published last week.

The cybersecurity company attributed the campaign, dubbed Operation CMDStealer, to a Brazilian threat actor based on an analysis of the artifacts.

The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic violation-themed lures to trigger the infections and gain unauthorized access to victims’ systems.

The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file.

The files, which are geofenced to a specific country, include a .CMD file, which, in turn, houses an AutoIt script that’s engineered to download a Visual Basic Script to carry out the theft of Microsoft Outlook and browser password data.

Brazilian Cybercriminals

“LOLBaS and CMD-based scripts help threat actors avoid detection by traditional security measures. The scripts leverage built-in Windows tools and commands, allowing the threat actor to evade endpoint protection platform (EPP) solutions, and bypass security systems,” BlackBerry noted.

The harvested information is transmitted back to the attacker’s server via an HTTP POST request method.

“Based on the configuration used to target victims in Mexico, the threat actor is interested in online business accounts, which usually have a better cash flow,” the Canadian cybersecurity company said.

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Webinar

The development is the latest in a long line of financially motivated malware campaigns emanating from Brazil.

The findings also come as ESET exposed the tactics of a Nigerian cybercrime ring that executed complex financial fraud scams targeted unsuspecting individuals, banks, and businesses in the U.S. and elsewhere between December 2011 and January 2017.

To pull off the schemes, the bad actors used phishing attacks to obtain access to corporate email accounts and trick their business partners into sending money to bank accounts controlled by criminals, a technique called business email compromise.



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn