SentinelLabs has been tracking a campaign over the first quarter of 2023, targeting users of Portuguese financial institutions, including government, government-backed, and private institutions. Based on similarities in TTPs as well as overlaps in malware implementation and functionalities reported in previous work, the team assessed with high confidence that the campaign has been conducted by a Brazilian threat group. This conclusion is further supported by the presence of Brazilian-Portuguese language usage within the infrastructure configurations and malware implementations. SentinelLabs refers to the campaign conducted by this threat group as Operation Magalenha.
The threat actor deploys two backdoor variants on each infected machine, which SentinelLabs collectively dubbed PeepingTitle. Based on overlaps in code and functionalities, the team assesses that the PeepingTitle backdoors are part of the broader Brazilian financial malware ecosystem – specifically, of the Maxtrilha family (named after the encryption key used at the time) first observed in 2021. SentinelLabs therefore assesses that Operation Magalenha is the latest iteration of a long-standing activity nexus.
Operation Magalenha is characterised by changes in infrastructure design and in malware implementation and deployment. Deploying two PeepingTitle variants simultaneously on infected machines aims to maximise the potency of attacks. Further, to ensure uninterrupted operations, the threat actor has strategically transitioned its infrastructure hosting to Timeweb Cloud, a Russian IaaS provider known for its lenient anti-abuse policies, moving away from its earlier reliance on providers implementing stricter measures, such as DigitalOcean and Dropbox.
Leveraging its malware arsenal, the threat group behind Operation Magalenha can steal credentials, exfiltrate users’ data and personal information, and achieve full control over infected machines. This opens up further possibilities for the targeting of individuals or organisations, or for the exploitation of that information and data by other cybercriminal or espionage groups.
- Over the first quarter of 2023, SentinelLabs observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group.
- The campaign is the latest iteration of a broader activity nexus dating back to 2021, now targeting the users of over 30 financial institutions.
- The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
- The threat group simultaneously deploys two backdoor variants to maximise attack potency.
- To ensure uninterrupted operations, the threat actor has shifted its infrastructure hosting from IaaS providers implementing stricter anti-abuse measures, such as a major US-based cloud provider, to Timeweb, a Russian IaaS provider known for its more relaxed policies.
Operation Magalenha indicates the persistence of Brazilian threat actors. These groups represent an evolving threat to organisations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.
Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns. As such, it is important for organisations and individuals to remain vigilant and take proactive measures to protect themselves from this threat.