Portuguese banks targeted by Brazilian hacker group

The hackers can steal credentials and exfiltrate users’ data and personal information, Sentinel Labs reported.

A Brazilian hacking group has been targeting 30 Portuguese financial institutions, both government and private, since 2021 in a malicious campaign known as Operation Magalenha. Targets include ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI and Novobanco.

The campaign was uncovered in a report by Sentinel Labs. The report highlights the tools used by the threat actor, the different infection vectors and the methods used to distribute the malware. These include phishing emails claiming to come from Portuguese energy and tax-and-customs authorities, social engineering and malicious websites impersonating those organisations. In every case the infection starts with the execution of an obfuscated VB script that fetches and executes a malware loader. The loader, in turn, drops two variants of the ‘PeepingTitle’ backdoor onto the victim’s system after a delay of five seconds.

PeepingTitle is malware written in Delphi. It can log the victim’s screen, monitor application windows and the user’s interaction with them, terminate processes on the host, modify its monitoring interval configuration on the fly and execute payloads from executable or DLL files. Since the beginning of Operation Magalenha, Sentinel Labs has observed a number of cases in which the threat actors have demonstrated their ability to overcome operational hurdles.
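The chain described above (script host, then loader, then payloads launched after a short delay) is the kind of process-tree shape a detection engineer can hunt for in endpoint telemetry. The following is an added example, not code from the Sentinel Labs report, that reconstructs parent/child relationships from Sysmon-style process-create events and flags processes spawned by a VBScript host; it assumes events carry `ts`, `pid`, `ppid`, `image` and optional `cmd` fields, and every name, path, pid and timestamp in the sample log is constructed for this illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Windows script hosts that interpret VBScript.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry in a Sysmon-like shape (one process-create
# event per line). Every name, pid and timestamp here is invented.
SAMPLE_LOG = """
{"ts": "2023-05-02T09:00:00", "pid": 100, "ppid": 1,   "image": "explorer.exe"}
{"ts": "2023-05-02T09:00:05", "pid": 200, "ppid": 100, "image": "wscript.exe", "cmd": "wscript.exe fatura.vbs"}
{"ts": "2023-05-02T09:00:07", "pid": 300, "ppid": 200, "image": "loader.exe", "cmd": "loader.exe"}
{"ts": "2023-05-02T09:00:12", "pid": 400, "ppid": 300, "image": "payload_a.exe"}
{"ts": "2023-05-02T09:00:12", "pid": 401, "ppid": 300, "image": "payload_b.exe"}
{"ts": "2023-05-02T09:01:00", "pid": 500, "ppid": 100, "image": "notepad.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_script_chains(events, min_delay=4.0):
    """Return one finding per process spawned by a script host.

    A finding is rated 'high' when that process launches further children
    at least `min_delay` seconds after it started, i.e. the loader-then-
    delayed-payload shape of the chain described in the article."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for script in events:
        if script["image"].lower() not in SCRIPT_HOSTS:
            continue
        for loader in children[script["pid"]]:
            started = datetime.fromisoformat(loader["ts"])
            delayed = sorted(
                c["image"] for c in children[loader["pid"]]
                if (datetime.fromisoformat(c["ts"]) - started).total_seconds() >= min_delay)
            findings.append({
                "script_cmd": script.get("cmd", script["image"]),
                "loader": loader["image"],
                "delayed_children": delayed,
                "severity": "high" if delayed else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_script_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

Lowering `min_delay` trades false positives (legitimate scripts that launch installers) for sensitivity, so tune it against a baseline of your own fleet's script-host activity.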