Cybersecurity researchers have uncovered a sophisticated new variant of the AllaKore RAT, named AllaSenha, that targets Brazilian bank accounts. This malware employs a multi-stage infection process starting with phishing emails and involving malicious LNK files disguised as PDF documents. Users are deceived into downloading a harmful file, which sets off a chain of events ultimately leading to the installation of the AllaSenha malware. The malware exploits cloud services to communicate stealthily with its command-and-control (C2) server, posing a significant threat to financial security in Brazil.
Infection Chain and Delivery
AllaSenha’s infection chain begins with phishing emails that impersonate electronic-invoice notifications and urge victims to click shortened URLs. These links redirect to a phishing website that tricks users into downloading a malicious file masquerading as a PDF. Once executed, the file launches a series of scripts and downloads that culminates in the deployment of AllaSenha. The malware uses a domain generation algorithm to produce its list of C2 hostnames and ports, so the endpoints it contacts change over time and are harder to block with static indicators.
AllaSenha leverages Microsoft Azure’s cloud infrastructure for its C2 communications, so its traffic blends in with legitimate cloud-service use. The campaign has been active since March 2024, making it a recent but potent threat. The malware specifically targets browser data related to Brazilian banks, waiting until the user interacts with a financial website before stealing credentials, two-factor authentication tokens, and QR codes.
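Because the C2 hostnames are generated by a DGA and hosted on a cloud provider, a defender cannot rely on a fixed blocklist; one workable triage signal is the randomness of the tenant-chosen label in DNS queries to cloud suffixes. The script below is an added illustration of that approach, not code from the original report or from the AllaSenha researchers. It assumes a simple resolver log format, uses a few common Azure hostname suffixes as stand-ins (the report says Azure is used but does not name the service), and runs over constructed log lines.

```python
"""Entropy-based triage of DNS queries to cloud-hosted hostnames.

Added illustration, not code from the original report or from the AllaSenha
researchers. Assumptions: the report says AllaSenha resolves DGA-generated
hostnames on Azure but does not name the service, so CLOUD_SUFFIXES lists a
few common Azure hostname suffixes as stand-ins; the log format and the
log lines themselves are constructed for this example.
"""
import math
import re
from collections import defaultdict

# Assumed cloud suffixes under which a tenant chooses the leading label.
CLOUD_SUFFIXES = (".cloudapp.azure.com", ".azurewebsites.net", ".blob.core.windows.net")
ENTROPY_THRESHOLD = 3.5   # bits per character; tuned on the constructed sample below
MIN_LABEL_LEN = 12        # short labels carry too little signal for entropy alone

# Constructed resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

SAMPLE_LOG = """\
2024-05-14T12:00:01Z 10.0.0.5 query www.microsoft.com
2024-05-14T12:00:03Z 10.0.0.5 query myapp-prod.azurewebsites.net
2024-05-14T12:00:09Z 10.0.0.5 query k7qz2w9hd4xv1m.cloudapp.azure.com
2024-05-14T12:00:15Z 10.0.0.7 query portal.azure.com
2024-05-14T12:00:20Z 10.0.0.7 query u3n8bfe2mtp9xcq.cloudapp.azure.com
2024-05-14T12:00:31Z 10.0.0.7 query u3n8bfe2mtp9xcq.cloudapp.azure.com
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cloud_label(qname):
    """Return the tenant-chosen label directly under a known cloud suffix, else None."""
    q = qname.lower().rstrip(".")
    for suffix in CLOUD_SUFFIXES:
        if q.endswith(suffix) and len(q) > len(suffix):
            head = q[: -len(suffix)]
            return head.split(".")[-1]   # the label adjacent to the suffix
    return None


def looks_generated(label):
    """Length-and-entropy heuristic for algorithmically generated labels."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def triage(log_text):
    """Map each client IP to the sorted cloud hostnames it queried that look DGA-generated."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # tolerate malformed lines rather than abort triage
        label = cloud_label(m["qname"])
        if label and looks_generated(label):
            flagged[m["client"]].add(m["qname"].lower())
    return {client: sorted(names) for client, names in flagged.items()}


if __name__ == "__main__":
    for client, names in triage(SAMPLE_LOG).items():
        print(client, names)
```

Entropy alone is a triage signal, not a verdict: long descriptive tenant names can exceed the threshold, so in practice this output is best combined with first-seen age and the number of distinct random-looking cloud labels a single host resolves per day, which is exactly the churn a daily DGA produces.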
AllaSenha’s Technical Mechanisms
AllaSenha’s technical mechanisms are intricate. A BAT file, dubbed “BPyCode Launcher,” starts the infection by launching a base64-encoded PowerShell script. That script downloads a Python binary and executes a second encoded script, this time in Python, which retrieves a DLL named ExecutorLoader. ExecutorLoader injects the final payload into a renamed instance of mshta.exe, ensuring stealthy execution. The malware also includes a killswitch that halts execution if it detects a Broadwell processor, an apparent attempt to avoid running inside security-analysis environments.
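Each stage of the chain just described (the .pdf.lnk lure, cmd.exe launching encoded PowerShell, PowerShell spawning a downloaded Python interpreter, and a renamed mshta.exe) leaves a distinct mark in process-creation telemetry, and those marks can be turned into detection rules. The script below is an added example of such rules, not code from the original report or from the researchers. It assumes a Sysmon/EDR-like event schema (image, command line, parent image, and the PE’s OriginalFileName) that is not any vendor’s exact format, and every event in its sample batch is constructed for the illustration rather than taken from the real campaign.

```python
"""Heuristic rules for the AllaSenha delivery chain described in this article.

Added example, not code from the original report or from the researchers.
Assumptions: the event schema (image, command_line, parent_image,
original_file_name) imitates a Sysmon/EDR process-creation record but is not
any vendor's format, and every event in SAMPLE_EVENTS is constructed for this
illustration rather than taken from the real campaign.
"""
import base64
import re
from dataclasses import dataclass

# Stage 1 lure: a shortcut named to look like a PDF.
LNK_AS_PDF = re.compile(r"\.pdf\.lnk\b", re.IGNORECASE)
# Stage 2: PowerShell's encoded-command switch and its base64 argument.
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str                    # path of the newly created process
    command_line: str
    parent_image: str             # path of the parent process
    original_file_name: str = ""  # PE version-info name, when the sensor records it


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE), or None."""
    m = ENCODED_PS.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    # Stage 1: the lure, a shortcut whose name ends in .pdf.lnk.
    if LNK_AS_PDF.search(ev.command_line):
        hits.append(("lnk_masquerading_as_pdf", ev.command_line))
    # Stage 2: a BAT file (run by cmd.exe) launching base64-encoded PowerShell.
    if child == "powershell.exe" and parent == "cmd.exe":
        decoded = decode_encoded_powershell(ev.command_line)
        if decoded is not None:
            hits.append(("encoded_powershell_from_bat", decoded))
    # Stage 3: PowerShell handing off to a freshly downloaded Python interpreter.
    if child.startswith("python") and parent == "powershell.exe":
        hits.append(("python_spawned_by_powershell", ev.image))
    # Stage 4: mshta.exe running under another name, so the on-disk name and
    # the PE's OriginalFileName disagree.
    if ev.original_file_name.lower() == "mshta.exe" and child != "mshta.exe":
        hits.append(("renamed_mshta", f"{child} carries OriginalFileName mshta.exe"))
    return hits


def analyse(events):
    """Count hits per rule across a batch of events."""
    counts = {}
    for ev in events:
        for rule, _detail in score_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample: one benign event plus one event per stage of the chain.
# The encoded command is a harmless placeholder, not the campaign's script.
_ENC = base64.b64encode("Write-Host stage2".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\Downloads\NFe_000123.pdf.lnk"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENC}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\python\python.exe",
              "python.exe -c placeholder_stage3",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\upd_helper.exe", "upd_helper.exe",
              r"C:\Users\victim\AppData\Local\Temp\python\python.exe",
              original_file_name="mshta.exe"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

Rule 4 depends on the sensor recording the PE's OriginalFileName (Sysmon's process-creation event does); without that field, a renamed mshta.exe is only visible through its hash or its import table. Chaining the four rules by process ancestry within a short window gives much higher confidence than any single rule, since encoded PowerShell and Python interpreters both occur in legitimate administration.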
AllaSenha, a new variant of the AllaKore RAT, targets Brazilian banks to steal login credentials, two-factor authentication tokens, and QR codes. It leverages the Azure cloud for C2 communication and uses a Domain Generation Algorithm (DGA) to generate unique hostnames. The malware is particularly adept at hiding its tracks, incorporating advanced techniques to avoid detection and maintain persistence on infected systems.
Insights and Implications
– AllaSenha uses well-crafted phishing emails to initiate its infection chain.
– It employs multiple scripting languages and encoded scripts to evade detection.
– The malware leverages legitimate cloud services to mask its C2 communications.
AllaSenha represents a significant evolution in the use of RATs for financial cybercrime, specifically targeting Brazilian banking users. By leveraging cloud infrastructure, it makes detection and mitigation more challenging for cybersecurity professionals. The complex multi-stage infection process and advanced evasion techniques highlight the increasing sophistication of cyber threats. The use of domain generation algorithms to create unique hostnames daily further complicates tracking and blocking efforts.
The discovery of AllaSenha underscores the importance of robust cybersecurity measures, particularly in the financial sector. Users and organizations must be vigilant against phishing attacks and ensure that their security protocols are up-to-date to defend against such sophisticated threats. Continuous monitoring and advanced threat detection solutions can help mitigate the risks posed by evolving malware like AllaSenha. This case also illustrates the need for international cooperation in cyber defense, as cybercriminals continue to exploit global cloud infrastructure to execute their attacks.