Published on: May 26, 2023
Over 30 Portuguese financial institutions have become the target of Brazilian hackers using complex malware to steal users' information.
Researchers at SentinelLabs, a reputable cybersecurity company, discovered the campaign, named "Operation Magalenha", in Q1 2023, but note in their recently published report that the activity behind it dates back to 2021.
“The campaign is the latest iteration of a broader activity nexus dating back to 2021, now targeting the users of over 30 financial institutions,” researchers say.
They traced the campaign back to Brazil after finding numerous Brazilian Portuguese language artifacts in the samples they investigated. The malware's source code overlaps significantly with the older Maxtrilha trojan; both are written in the Delphi programming language.
Rather than exploiting a software vulnerability, the campaign relies on the victim running a malicious installer, which deploys two variants of the group's own "PeepingTitle" backdoor at once to maximize its chances of success. Once deployed, the malware sits quietly in the background, monitoring the user's browser until they log into a targeted financial institution.
Once they do, the two backdoors take on different roles.
“With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity,” the report explains. “The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.”
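The behaviour the report describes, capture triggered the moment a banking window comes to the foreground, is also what a defender can look for. The following is an added detection-side example written for this page, not code from SentinelLabs or from the PeepingTitle samples. It assumes a hypothetical endpoint telemetry feed of foreground-window changes and screen/window capture calls in a constructed "timestamp kind pid detail" line format, and uses placeholder bank names, since this summary names no institutions. It flags any process other than the browser that grabs the screen or a window within a few seconds of a target banking title taking focus, and tallies which capture mode each process used (mirroring the full-screen versus per-window split of the two variants).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical target list: placeholders for the window-title strings a
# banking trojan keys on (bank brand names, login-page titles).
TARGET_TITLE_PATTERNS = [
    re.compile(r"\bexamplebank\b", re.I),
    re.compile(r"\bbanco\s+exemplo\b", re.I),
    re.compile(r"\bhomebanking\b", re.I),
]

# Captures landing within this many seconds of a target window taking
# focus are treated as login-triggered (assumed threshold).
TRIGGER_WINDOW_S = 5.0


@dataclass
class Event:
    ts: float
    kind: str    # "focus" (foreground window changed) or "capture" (screen/window grab)
    pid: int
    detail: str  # window title for focus; "screen" or "window" for capture


def parse_line(line):
    """Parse one constructed telemetry line: 'ts kind pid detail...'."""
    ts, kind, pid, detail = line.split(maxsplit=3)
    return Event(float(ts), kind, int(pid), detail.strip())


def title_is_target(title):
    """True if a window title matches one of the targeted institutions."""
    return any(p.search(title) for p in TARGET_TITLE_PATTERNS)


def find_capture_on_login(lines):
    """Return {pid: {"screen": n, "window": n}} for every non-browser process
    that captured the screen or a window shortly after a target window
    came to the foreground."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_target_focus_ts = None
    browser_pids = set()  # pids owning a target window: the victim's browser, not the spy
    flagged = defaultdict(lambda: {"screen": 0, "window": 0})
    for ev in events:
        if ev.kind == "focus":
            if title_is_target(ev.detail):
                last_target_focus_ts = ev.ts
                browser_pids.add(ev.pid)
            # A non-target window taking focus does not disarm the trigger:
            # the user may alt-tab mid-login, and the per-window variant
            # keeps capturing whatever they interact with.
        elif ev.kind == "capture":
            if last_target_focus_ts is None or ev.pid in browser_pids:
                continue
            if ev.ts - last_target_focus_ts <= TRIGGER_WINDOW_S:
                mode = ev.detail if ev.detail in ("screen", "window") else "window"
                flagged[ev.pid][mode] += 1
    return dict(flagged)


# Constructed sample telemetry: pid 4120 is the browser, 7788 behaves like
# the full-screen variant, 9001 like the per-window variant.
SAMPLE_TELEMETRY = """
100.0 focus 4120 Mozilla Firefox - News
101.5 capture 4120 window
103.0 focus 4120 ExampleBank - Login
103.4 capture 7788 screen
103.9 capture 9001 window
105.0 focus 2200 Calculator
106.1 capture 9001 window
120.0 capture 7788 screen
""".strip().splitlines()

if __name__ == "__main__":
    print(find_capture_on_login(SAMPLE_TELEMETRY))
```

On the sample feed the browser's own capture at 101.5 is ignored (no target window yet), the 7788 screen grab at 103.4 and both 9001 window grabs are flagged, and the 7788 grab at 120.0 falls outside the trigger window. In a real deployment the focus and capture events would come from an EDR or ETW-style source, and the title list would be the institutions actually targeted.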
Fortunately, you can avoid this malware: it spreads through phishing emails and malicious websites that masquerade as popular software. Be careful not to open suspicious emails or visit shady or unofficial websites, even if you run a reliable antivirus.
"These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns," the report concludes.