
SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud

15 February 2024 at 13:55

Executive Summary

  • SNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously unseen technique in the context of cloud attack tools.
  • The script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.
  • The script requires valid AWS SNS credentials compromised from an environment not subject to the SNS sandbox restrictions.
  • We identified links between this actor and numerous phishing kits used to target victims’ personally identifiable information (PII) and payment card details.
  • The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

Overview

A common thread between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud. SentinelLabs has identified one example of this in the form of SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.

SNS Sender is the first script we encountered using AWS SNS to send spam texts. The script requires access to an AWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts are subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the customer spends $1 and provides a viable use case to AWS support, who manually review such requests. While other tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio to conduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to conduct such attacks.

We identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. We believe this actor is using cloud services to send bulk SMS phishing messages, though they may still be testing the tool based on some questionable programming choices.

Script Analysis

SNS Sender is a script that enables bulk SMS spamming using AWS SNS. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input:

  • A text file containing a list of AWS access keys, secrets, and region delimited by a colon
  • A text file containing a list of phone numbers to target
  • A sender ID, similar to a display name for a message
  • The message content
SNS Sender inputs and outputs

The send_sns_message function sets up the AWS boto3 client, the interface between the Python script and the AWS SNS backend, and uses it to send the SMS messages. The client's access key, secret, and region come from the arguments the script user supplied.

The sender ID variable is an interesting inclusion. According to AWS documentation, this variable is optional and is supported in some countries. In the United States, carriers do not support sender IDs, whereas in India, they are mandatory. The inclusion of a sender ID contrasts with the actor’s association with USPS-themed phishing kits targeting Americans. The oversight may indicate the actor is not familiar with this exception and likely resides in a country where the sender ID is commonplace.

SNS Sender establishes a while loop that iterates through the list of AWS credentials and regions. Before each send, the script replaces any occurrence of the placeholder string linkas in the message content with a URL from links.txt, which weaponizes the message as a phishing SMS. The link is picked with the choice method of Python's random module.

The script tracks how many AWS access key pairs have been used through the a variable and how many phone numbers through the y variable; both start at 0 and are incremented by 1 on every loop iteration. Each message is sent with the credentials from one line of the access key list, and the counters ensure that the next line is used for the next message.

To run at scale, the list would need to be incredibly long, and likely repeat access key & secret pairs, making this a coding method with questionable efficacy.
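The traits described above (publishes addressed directly to phone numbers rather than a topic, a different access key for every message, and a Sender ID set even on US destinations where carriers ignore it) are what a defender can key on in CloudTrail. The following Python sketch is an added example, not part of the original post and not code from SNS Sender itself. It scores constructed CloudTrail-style records for those traits. The top-level field names follow CloudTrail's documented record format; the keys inside requestParameters (phoneNumber, messageAttributes) are assumptions that should be checked against real CloudTrail output before this is used for detection.

```python
"""Added example (not from the SentinelLabs post or the SNS Sender script):
hunting for SNS Sender-style SMS abuse in CloudTrail.

Top-level field names follow CloudTrail's documented record format. The keys
inside requestParameters (phoneNumber, messageAttributes) are ASSUMED for this
example; verify them against your own CloudTrail output before deploying.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, ip, key, region, phone=None, topic=None, sender_id=None):
    """Build a constructed, CloudTrail-shaped sns:Publish record (sample data)."""
    params = {}
    if phone:
        params["phoneNumber"] = phone
    if topic:
        params["topicArn"] = topic
    if sender_id:
        params["messageAttributes"] = {
            "AWS.SNS.SMS.SenderID": {"DataType": "String", "StringValue": sender_id}
        }
    return {
        "eventTime": ts, "eventSource": "sns.amazonaws.com", "eventName": "Publish",
        "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "requestParameters": params,
    }


# Constructed sample: one source IP rotating through three stolen keys, one SMS
# each (the tool's round-robin loop), plus one legitimate topic publish.
SAMPLE_EVENTS = [
    _event("2024-01-10T12:00:00Z", "203.0.113.10", "AKIAEXAMPLE0001", "us-east-1",
           phone="+15550100001", sender_id="PARCEL"),
    _event("2024-01-10T12:00:01Z", "203.0.113.10", "AKIAEXAMPLE0002", "us-east-1",
           phone="+15550100002", sender_id="PARCEL"),
    _event("2024-01-10T12:00:02Z", "203.0.113.10", "AKIAEXAMPLE0003", "us-west-2",
           phone="+15550100003", sender_id="PARCEL"),
    _event("2024-01-10T12:03:00Z", "198.51.100.5", "AKIAEXAMPLE9999", "eu-west-1",
           topic="arn:aws:sns:eu-west-1:123456789012:deploy-alerts"),
]


def is_direct_sms_publish(ev):
    """True for sns:Publish calls addressed to a phone number, not a topic."""
    return (ev.get("eventSource") == "sns.amazonaws.com"
            and ev.get("eventName") == "Publish"
            and "phoneNumber" in (ev.get("requestParameters") or {}))


def _bucket(ev, window):
    """Fixed time bucket index for the event (aware UTC timestamp)."""
    t = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    return int(t.timestamp() // window.total_seconds())


def analyse(events, window=timedelta(minutes=10), max_keys_per_ip=2, max_sms_per_key=50):
    """Return a list of findings over direct-to-number SMS publishes."""
    keys_by_ip = defaultdict(set)   # (ip, bucket) -> access keys used for SMS
    sms_by_key = defaultdict(int)   # (key, bucket) -> SMS publish count
    sender_id_us = {}               # key -> first (sender_id, phone) sent to a +1 number
    for ev in events:
        if not is_direct_sms_publish(ev):
            continue
        b = _bucket(ev, window)
        key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
        params = ev["requestParameters"]
        keys_by_ip[(ev.get("sourceIPAddress"), b)].add(key)
        sms_by_key[(key, b)] += 1
        attrs = params.get("messageAttributes", {})
        sid = attrs.get("AWS.SNS.SMS.SenderID", {}).get("StringValue")
        # US carriers ignore Sender IDs, so one on a +1 destination is a weak tell.
        if sid and params["phoneNumber"].startswith("+1") and key not in sender_id_us:
            sender_id_us[key] = (sid, params["phoneNumber"])

    findings = []
    for (ip, _), keys in keys_by_ip.items():
        if len(keys) > max_keys_per_ip:   # one IP cycling through many keys
            findings.append({"type": "credential_rotation", "source_ip": ip,
                             "access_keys": sorted(keys)})
    for (key, _), n in sms_by_key.items():
        if n > max_sms_per_key:           # plain volume threshold per key
            findings.append({"type": "bulk_sms", "access_key": key, "messages": n})
    for key, (sid, phone) in sender_id_us.items():
        findings.append({"type": "sender_id_to_us_number", "access_key": key,
                         "sender_id": sid, "phone_number": phone})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are deliberately conservative defaults; tune max_sms_per_key to the account's normal SMS volume, and treat the Sender ID signal as corroboration rather than an alert on its own.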

Phishing Kits

When investigating the handle ARDUINO_DAS, we identified more than 150 phishing kit files containing references to the actor. More than half of the kits are USPS-themed. The assets in these archives are similar in name to the URIs present in several recent Smishing campaigns using a missed package delivery lure. We believe that the actor abandoned the ARDUINO_DAS handle in 2023 after accusations that the actor scammed buyers. However, some recently circulated phishing kits still reference this handle, which may simply be an artifact left behind by other actors reusing the kits.

Due to the link between ARDUINO_DAS and USPS phishing, we explored several active campaigns circulating through early January 2024, hosted on hxxps://usps[.]mytrackingh[.]top and hxxps://u-sipsl[.]cc. Both sites host a USPS-themed phishing site with a flow like:

  1. Landing Page: Explains to the visitor that their USPS package is unable to be delivered. The “Click Update” button leads to the next step.
  2. Tracking Page: This page looks like USPS tracking details, but it prompts the victim to enter their name, physical address, phone number, and email address.
  3. Card Verification Page: This page prompts the user to enter a credit card number for a $0.30 redelivery fee.
  4. The server forwards the details to a card checker, which is likely run through a Telegram service.
Landing page for phishing flow
PII theft form
Credit card theft form

Conclusion

Actors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS Sender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as well as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted environment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.

SNS Sender takes a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. Using AWS presents a hurdle for this actor: AWS does not allow unrestricted SMS sending through SNS by default. For the tool to work, the tenant must already have been moved out of the SNS sandbox. This is a change from earlier research, which found that an account still in the SNS sandbox could send to up to 10 verified destination phone numbers.

Organizations using AWS SNS can protect themselves by reviewing the SNS documentation for the latest information; the GetSMSSandboxAccountStatus API reports whether an account is still in the SMS sandbox. AWS has shared guidance on the SNS sandbox and on how to change sending limits. Identity and Access Management (IAM) administrators should review identity best practices to strengthen their organization’s security posture.

The desire for recognition presents operational security challenges for actors developing tools for the opportunistic cloud hacking scene. Embedding one's handle in the script is ubiquitous among cloud hack tools, and it gives researchers a point of attribution even when delineating the tool families becomes difficult due to extensive overlap.

Indicators of Compromise

8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender

Phishing URLs

hxxps[:]//perwebsolutions[.]com/js/
hxxps[:]//usps[.]mytrackingh[.]top
hxxps[:]//u-sipsl[.]cc

Phish Kit Archives

01b82c779de9ef59ecd814d6131433f7b17d7eb0
03329461d8003aece83db2c124b5c2769dd0300e
03b0cc3f1576d0d719f5ac5dbba582a9c10e64e0
040e07a1c4cbc7eb9fb2a8ecfb865c0a2f4db5b9
04676e36b9e11f32fd675e96dd721a5a215a0641
0544db064ecb8fd8f36e96ef31d031447011c711
0547074a7cb42a67a933d70c302b626f4e10a86e
09ddd1b6f3dc1323ad86d458da05f5be605c8e7a
0a8ab120e03ed49e18ce3246b9d00f547fd9432c
0bb8a3a478d1143a04fb8abd8aa9c116282cc700
0eaa126cf4414684763b415aabc08e262ee7c194
0fb6fa2855a39f7010d3a1bcc0c08e739747785c
1024d7c1a10e94d0f926cff649a9bd9a0c5df6ba
103a49c6c4f71ab5bbcaa01df89aef80e0c90229
106b42a1a6401f6ff3cb38f66d0668ac22fbc59c
10fe02acfa1053210387bc312f1ff9529eaeba35
138a00f5e6ef81560cdfe25f2ab087c24e839efd
14ea8aa63539498773bb0d4bea5fbede05f1c17d
17a2515096e6afe5976f57887c89d3efe285ed06
1a97f72dedbdf13b13baa4c535398af25a78a28e
1b1940f128bb4f3420ebc4b5ab1a7b165e70003b
1d0a54f030e8b68bbf1256811fbb4a284ce31fda
1e85b4cf222387cddc0f2977d5c9f4a5eb03db06
1fa655639ee1f7d9c8e3157346f65d351d4b3450
1fb3a8a17123f82bf39ae93ede40273f155d5fa1
1fe0823655c30cabf51816ed1048f647172d29c8
20813f948849a05f84ed1b6a707ffc6965d17c1e
25dd30bda5bbfa7af884c0d3a71857b6abcb8222
27b6aaa536200b085d611af07b0c05df8a856eb8
29a4771a04afce2b789fe34b42a12d2fa65073ab
29d49c1d21c9e97c757db81db594e55b15587f98
2ac1467e567bc6e950b8aee96d898b71f9cf5849
2c62c5f3e4166be99bf985a0c5f08cfe5795221d
2d4f45cdfe0793431e0134376b309f1707a4e2e6
2e9bb5c725eee402a36d64f63e07f72451eaec03
319569a20fdaf2fa356f6e33e575a5a613da79b2
32a21398869e2e221552da49fe1d4beba11ad2ca
342d6e453f6a02c43ca4dee045f89cbdaa97926c
357df6a8740bca2b81b62a3a429b2fef5cc883a8
38fcec4299789a1ba16099df0842aa196c34dde6
3b15bf62091a80ec32a2c3af92da5115641cf13b
3ba42572bd49882280306fc72759016c1ea90e7c
3c6dfef72f703bd8a2779a40cef39c4eb2305e69
3d920ba992668bbb303a6680251c54c928fec988
3f31c8c8bf2acdbb3cbe792b2728b3a2eadccaec
3fc724ee8958f941168e16e06ed8f0eccffacde7
403ed75a0a86783a39e65aac0ca8d69d43f7a562
40840c0b6bd9a6a25dd864e7812cb1ee499b10bf
45a39f3af4ca67dea1f920a7bd03fe43b4b38bec
492a0031807ea7defcfb6a0be058580adac88345
4aa1f81a313c991532379f68808a59fdbecef2de
4c95a04759f5edc679122c013d2bb2570cef78dc
4cdbc5d865172d4026a624f0aa56959875ba562c
4d8bcefef73e03784fd104b8cec8bb2e3b47c89b
4f636146bc6661795a4fbde68c5ca5b48e4a462d
508d218b811aaea176b51f577a2cb74ff59ddf6e
50e6703a85b4e72834cef4438f29777c0e73af54
533ba3e5bacf6c982cc827b6aef62817897cf8ea
53c26c8f577e45ba188e18b89da4b54ff41970d0
563bc88fd217b1af0301e7eec2b03051a7236054
56d51c8d5959d33ba4c52643a6436380e4f9fd8b
589a185002c75260b66a29a21939a751d1b49585
5a61394c2b1b0da534a348ecd714810a57194574
5a6f197b77317d5d80dbe59984ccffa11cbc28ac
5aae678fdaada1e58e88fe9a8eabfddfc1fafed1
5bc0e77c722c8b973e8d2627002da3503e26dbde
5dc5dc2206059359df9bc5056dca634b8ca13004
5fe779032a8edf0866832903aac4caa4c22d65cc
60077d66f395c7af28537338bd8fed0e5f108617
601c2e36a2f284ef3bb4752b364da53afe480537
60d209585249f32d0ad24ca295911729d8f56496
64a8d7093ed1f3737901110118c768fb9ded4882
64cb6b72523df13628d2f43f400c719a556c5d86
658a6fe9f5700426d2a6b85dc035ba54b847eede
6594a9357d39e377032fc2b5094ee2f68248bffe
687f843a50e75ea74b8c51487356ee2b1ebfe359
6911cb39a03184324406f79042b648b8ed89c2d9
6c1eefaba836d8a4f86ab8cc7d9a514f045827bb
6cd850c489930ef8d2438174ab38d4c33bc70c45
6d0e9ce56f99c87d9d70e0522b96c625783aece2
7935a5760e10976d9eff013735c303069c669e72
797acd73e43b3f56961d0c687d86009fec832aee
79f93db9c9b5f42c7b26b79c926eb3dfeaee3571
7c53c7119bf6be6c5b149a1fdcb2c22b39bc1470
7c6d96174246fe907a1cb7fbe0f2592c1f8b48b7
7edcdc353071b1c44ce4a8ac33670378a86eb1ba
83e8e7da62463b79970442d2b0de2eccf36450f7
847bb302b6107ac93a669c09552ca158a1440596
87091170ae9ec6e0641d1e689a22e11324e2e4c6
87093850d8084a9a1b1881e0959acf41fcf8799c
87b41c7f499be3b765628874b37d2d0f84d53517
88dfbd8036b122a1efa32b222f985447c7c80b41
8952fbe59931daba401f615bf06b90547b6171a7
8ac6dd99742dd328b690fb6f0552f2c4df2566c6
8bc41965baba7f5e25d4bbb0519c1e4c573734c5
8f06a9204f9a354cdf4dbf4c3ae870d5a386de59
9004df92c9a9427767fdca02b9a1378cff42dbce
91065e8ab12e9fce202c0eac0290cb1bd6c46ae2
912a376b255e3b873a73767679e0fbe9a1b01446
91562cad5eb7a9568190fa4b84da4de50ed3d274
95197a29d05d2043771bc97a5ded6086f6dfbbd2
95e707b5f9257913a36fb276d25e7312a9b86156
97fba04a848da3c09bd906b6b3adb4aa9031e471
98b85e3e2bcff8b5032ddbb9758174dec2bacf58
9954725c56a9060c90b8d5cd0483fc6808f39bd1
99d35595f41a9be3fc077d37599447c096ce66cf
9a2ac6259c2707b34546bee8b5a4eec677716299
9c4593c93cc5a5d7712bee10574823ebca9f6674
9f2faa971f0f4fd783e34d11cba67b261b54cc5c
9f9fbf77fd4c3aeb1542589efdc45d4e328da56c
a19ac9df01a0bc64e636054b0a728e024ade61e9
a2163de2f5056d64a27e96a73f7858b79d47ad06
a38087ce0515cd30fb3580ba12840bc610429649
a7ec178adabbb8eb533a81c658ecce56a9e697da
ab9baecfdf85033e65d59652e666b7328cb0960d
abddb05ed3b75cae4354044bad05e5662cbfbab5
ad0d4cfcc7c35a9a96ad071a4863dbe8f83d87db
adf4765cb74c708496fa39c8c002e32b6f0c1e71
aebdd69f0bbbb8d0d3c231f0fbe1516edc5e0216
b212145149ca3f1c62e991bcf31357ecc8b17851
b2192b99736376f9e5705e81d3b55bce408e17a8
b26d632d14e91634ba01df0b3b18907657025563
b5d8b89c88f32e2c0a9166f48e87f853a497b667
b66c21bb8ef8ffa3143f3a6bae2c67f14eef069a
b6e3c52c1bd309f596b4ba50d0f7487b66bd5701
b7420fb4774e755bdb3062d12eb750687c115a3a
b7a6780990590ac3ebb632b9198b63531d645129
b841b4ae0629a5336356bce88794e0744f72f98b
ba5d94f8852f5cdee14e2bf8e1f0eb1cf599ecfb
bc0e3f1c5b323daf31ecff178c620be0c03efb64
bc3ebc37a77acef15b827e4ee43aeb839bc5605d
be0ca87b74a345d62814cad3916133e3e655acc6
bf9c85e3ed9a3f0a51eeda6284be24b507a5770f
c117393f640ccd1d5fa5b002fcc3803498b61a2d
c283818259bceaddfd62554fdf37493d413b9b84
c547caad7d7517b2026e3c17461c249a925460d3
c60830bac782f58c61a81821da8153f639c86a74
c92c68b12ba817df7eb83666bd478466cb1c423a
cabbe92c9b5acb779f9fb76b1f8e3ed77a44935d
cb27a59e95c5d1b81219ba1cae4225f7340b16f2
cc4306140f14bcec70f103f4213e96e24d065381
ce701e5c639158563455c28bc39efd2051196932
cea7151a8260b9e48b687d40a9062ad361efed2d
cf4872e3e9f580b1865f68bae6b31bca0f0e22e6
cf7f11b4a39792531118058bd1c8ba2a2cabc486
d71c9f3d3aba149d13d7434731423c164cf2f002
d77c1f97339ba891286c10f6456a1e7f44b3c3bb
d78275c82d2f10ba5ed6bfbfec37686a7646d8ea
dc7fd807e8c9fc10185dcc47bc14f7460a4228b3
dd682090d3815b52cf74b22280d1b8db02ef339e
df66269b6826273650716524219dd83cf0302dc4
df7ee28ca069f798489cb4dc2ff1295bb6377a6f
dff37819d805c0fa99f11a466f583f2f752af8b0
e2498ab48872162bab97e7a5737376cec2a5b401
e7dc9e8f82cab9de0ec3b92693cdca726c5d72a6
e95528bd91158bab9d1e998969951209f6d8a3b6
ea4c4495ac7d68543cb423d34704e8fbfd595f6b
eab2f2b4a924397d22ecd1a6e8758de585e9fdcc
ee7105ca1065b6f0f6ce4b041b1a0a95b5678790
eefcbc6b32fdf7167db0b9a455b3c8c0f8d4b58d
ef5a5d04dc048a3c1f6a415be1ad74e1478b802e
ef8b8d215b4cc107495b3957fbedd2317f642cd9
f01c586c97d68847d1f373f7fd45444af26aff7a
f28b3d223a0c351f70ec0c7680e80083c232a470
f351bd5595b1eb2196f5c2ef1c519a7a8a7967dc
f35fd34a90c7a9b827c1d9417b8f088e8302ba01
f3b5e4840139ab0465b3c432d19bae1365e923af
f5b1256e407fb37d44a54ba29dc6fd4815cfde55
f754e4a59c49c0b3e653fdd8fdc04078810524dd
fae99902bef8011459926e4a69b85ae2cf0c0914
fc9d7c59645450be5887f938aaacbca2b0b3f1f9

Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII

25 May 2023 at 10:55

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • Over the first quarter of 2023, SentinelLabs observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group.
  • The campaign is the latest iteration of a broader activity nexus dating back to 2021, now targeting the users of over 30 financial institutions.
  • The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
  • The threat group simultaneously deploys two backdoor variants to maximize attack potency.
  • To ensure uninterrupted operations, the threat actor has shifted its infrastructure hosting from IaaS providers implementing stricter anti-abuse measures, such as a major US-based cloud provider, to Timeweb, a Russian IaaS provider known for its more relaxed policies.

Overview

SentinelLabs has been tracking a campaign over the first quarter of 2023 targeting users of Portuguese financial institutions, including government, government-backed, and private institutions. Based on similarities in TTPs as well as overlaps in malware implementation and functionalities reported in previous work, we assess with high confidence that the campaign has been conducted by a Brazilian threat group. This conclusion is further supported by the presence of Brazilian-Portuguese language usage within the infrastructure configurations and malware implementations. We refer to the campaign conducted by this threat group as Operation Magalenha.

The threat actor deploys two backdoor variants on each infected machine, which we collectively dubbed PeepingTitle. Based on overlaps in code and functionalities, we assess that the PeepingTitle backdoors are part of the broader Brazilian financial malware ecosystem, specifically of the Maxtrilha family (named after the encryption key in use at the time), first observed in 2021. We therefore assess that Operation Magalenha is the latest iteration of a long-standing activity nexus.

Operation Magalenha is characterized by changes in infrastructure design, and malware implementation and deployment. The threat actor behind the operation deploys two PeepingTitle variants simultaneously on infected machines, aiming to maximize the potency of their attacks. Further, to ensure uninterrupted operations, the threat actor has strategically transitioned its infrastructure hosting to Timeweb Cloud, a Russian IaaS provider known for its lenient anti-abuse policies, diverging from primarily relying on providers implementing stricter measures, such as DigitalOcean and Dropbox.

The PeepingTitle backdoors are implemented in the Delphi programming language and feature spyware capabilities giving the attackers full control over infected machines, allowing activities such as monitoring window interaction, taking unauthorized screenshots, terminating processes and deploying further malware.

Many of the TTPs we observed relate to those discussed in previous research attributing them to Brazilian threat actors that target users not only in Portugal but also in Spain as well as Central and Latin American countries. These TTPs include the use of Delphi-implemented backdoors, URL shorteners and public file hosting services for hosting malware, and archive files and VB scripts as part of the infection vectors.

Leveraging its malware arsenal, the threat group behind Operation Magalenha can steal credentials, exfiltrate users’ data and personal information, and achieve full control over infected machines. This opens up further possibilities for the targeting of individuals or organizations, or for the exploitation of that information and data by other cybercriminal or espionage groups.

Infection Vector

Brazilian threat actors are known to distribute malware using a variety of methods, such as phishing emails, social engineering, and malicious websites delivering fake installers of popular applications.

In the context of Operation Magalenha, the infection starts with the execution of a malicious VB script, which primarily serves to download and execute a malware loader and distract users while doing so. The malware loader subsequently downloads and executes the PeepingTitle backdoors.

The VB scripts are obfuscated by scattering the malicious code among large quantities of code comments, typically content pasted from publicly available code repositories. This is a simple yet effective technique for evading static detection mechanisms: the scripts available on VirusTotal have relatively low detection ratios.

Code comments for VB script obfuscation

When executed, the VB scripts first open a TinyURL to user login sites of Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT – Autoridade Tributária e Aduaneira). Based on this script behavior, we suspect that the threat group behind Operation Magalenha has been delivering the scripts through EDP- and AT-themed phishing emails, aligning with a known tactic observed among threat actors targeting Portuguese citizens.

The VB scripts serve a twofold purpose for the threat actors:

  • Act as a smoke screen distracting users while the scripts continue to download and execute the malware loader.
  • Enable the theft of EDP and AT credentials if users enter them after the malware loader has executed the PeepingTitle backdoors, which may provide the threat actor with users’ personal information. Note that users can log in to the Portuguese Tax and Customs Authority in several ways, including with the government-issued credentials that citizens use to access not only the Authority’s online services but also other services provided by the Portuguese state.

A user login site of Energias de Portugal

A user login site of the Portuguese Tax and Customs Authority

The scripts then download to the %PUBLIC% folder an archive file that contains a malware loader. They subsequently extract the loader and delete the archive. Finally, the scripts execute the malware loader after a time interval of, for example, 5 seconds. The malware loader downloads and executes two PeepingTitle backdoor variants.
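To make the comment-stuffing obfuscation and the script flow above concrete, here is an added triage helper. It is not code from the SentinelLabs post or from the actor's scripts. It strips VBScript comments from a constructed sample that imitates the described flow (open a decoy page, show a distraction, wait a few seconds, launch a loader from %PUBLIC%); the URL, file name, and every script line are placeholders, not indicators from the report. The helper also reports the share of comment lines, a cheap triage signal for this technique.

```python
"""Added triage helper (not from the SentinelLabs post or the actor's scripts):
strip VBScript comments so comment-stuffed droppers can be read, and measure
how much of the file is padding.

SAMPLE_VBS is CONSTRUCTED to mimic the technique. The URL and file name are
placeholders, not indicators from the report.
"""
import re

SAMPLE_VBS = r'''
' ==========================================================
' Helper library (pasted from a public repo) - function List
' ==========================================================
' Function ListDir(path)
'   Set fso = CreateObject("Scripting.FileSystemObject")
'   ...
Rem Another pasted block
Rem Sub Main()
Set sh = CreateObject("WScript.Shell") ' launch a decoy page first
sh.Run "https://example.invalid/decoy"  ' placeholder, not a real lure
MsgBox "Couldn't open the document", 16, "Error"
' For Each f In fso.GetFolder(path).Files
'   WScript.Echo f.Name
WScript.Sleep 5000 : sh.Run "%PUBLIC%\Loader.exe"
'''


def _strip_line(line):
    """Return the code part of one VBScript line, or "" if it is a comment.

    Handles whole-line Rem comments, trailing ' comments, and apostrophes
    inside double-quoted string literals (which must not start a comment).
    A Rem placed after a ':' statement separator is not handled; it is rare
    in comment-stuffed scripts, which pad with whole lines.
    """
    stripped = line.lstrip()
    if re.match(r"(?i)rem(\s|$)", stripped):
        return ""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str   # a doubled "" inside a string toggles twice
        elif ch == "'" and not in_str:
            return line[:i].strip()
    return line.strip()


def strip_vbs_comments(src):
    """Return the non-comment statements of a VBScript source, in order."""
    return [code for code in (_strip_line(l) for l in src.splitlines()) if code]


def comment_ratio(src):
    """Fraction of non-empty lines that carry no code at all."""
    lines = [l for l in src.splitlines() if l.strip()]
    if not lines:
        return 0.0
    code_lines = sum(1 for l in lines if _strip_line(l))
    return 1 - code_lines / len(lines)


if __name__ == "__main__":
    print(f"comment ratio: {comment_ratio(SAMPLE_VBS):.2f}")
    for stmt in strip_vbs_comments(SAMPLE_VBS):
        print(stmt)
```

Running the helper over the sample leaves four statements out of fourteen non-empty lines; on real samples the surviving statements are what to hash, grep for URLs, and detonate, since the pasted comments change freely between builds.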

PeepingTitle

The PeepingTitle sample pairs we analyzed are Delphi executables with compilation timestamps in April 2023. The samples share some code segments, indicating that they were developed as part of a single development effort. For example, both malware strains implement similar initialization routines, which involve checking for the presence of the wine_get_version function in the ntdll.dll library file and establishing persistence by editing the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Similar to other malware used by Brazilian threat actors, the PeepingTitle backdoors contain string artifacts in Brazilian-Portuguese language.

Strings in a PeepingTitle backdoor (in Brazilian-Portuguese)

After initialization, at one second intervals the first PeepingTitle variant monitors the titles of application windows that have captured the mouse cursor. The malware first transforms a window title into a lowercase string stripped of any whitespace characters. It then checks if the transformed title contains any of the strings from a predefined set of strings related to targeted institutions. The figure below depicts PeepingTitle monitoring window titles, when a user interacts with a new Google Chrome tab and the Task Manager application, and comparing them against predefined strings.

PeepingTitle window title monitoring

The predefined strings are defined such that they are part of the browser window titles when a user visits the online resources (i.e., sites or specific online services) of predominantly Portuguese financial institutions or institutions with a presence in Portugal. These include government, government-backed, and private institutions.

The targeted sites and services cover a broad set of activities that users perform on them, such as account registration, document overview, and credential input, which gives the threat actor a wealth of personal user information.

The table below lists some of the targeted institutions and services.

PeepingTitle string     Targeted institution or service
activobank              ActivoBank
aixadirecta             Caixadirecta (an online service of Caixa Geral de Depósitos, an institution owned by the Portuguese government)
articulares             Online banking sites for private users of various institutions
bancanet                Citibanamex (online banking site)
bancobest               Banco Best
bancoctt                Banco CTT
bancomer                BBVA
bankia                  Bankia (currently merged with CaixaBank)
bankinter               Bankinter
bpi                     Banco BPI
caempresas              Crédito Agrícola (services for corporate users)
caixaagricola           Various Mutual Agricultural Credit Banks
caixabank               CaixaBank
caixadirectaonline      Caixadirecta (a service of Caixa Geral de Depósitos)
canaisdigitais          Novobanco (online services)
caonline                Crédito Agrícola (online services)
citibanamex             Citibanamex
digitalbanking          Online banking services of various institutions
empresas                Online banking services for corporate users of various institutions
eurobic                 EuroBic
homebank                Online banking pages of various institutions, such as Banco CTT and Cetelem
ingaccesoclientes       ING (login page for online banking)
internetbanking         Online banking sites of various institutions, such as the Portuguese Treasury and Public Debt Management Agency
itoagricola             Crédito Agrícola
loginmillenniumbcp      Millennium BCP (Portuguese Commercial Bank)
logintoonlinebanking    Online banking services of various institutions
montepio                Banco Montepio
netbancoempresas        Santander (online banking for corporate users)
netbancoparticulares    Santander (online banking for private users)
novobanco               Novobanco
openbank                Openbank
santander               Santander
Example targeted site: The “digital channels” subscription form of Novobanco

When a user visits a targeted online resource, PeepingTitle sets the window title monitoring interval to 5 seconds, connects to a C2 server, and exfiltrates data in an encrypted form. The data includes a timestamp, the name of the infected machine, and the captured window title, also in an encrypted form. This registers the infected machine at the C2 server.
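As an added example (not code from the post or from PeepingTitle), the following reproduces the title-matching logic described above, using the trigger strings from the table, so that an analyst can check which window titles would make a sample switch to its 5-second interval and register with the C2. The window titles below are constructed test inputs, not captured from victims; the trigger list is only as complete as the table, which the post describes as partial.

```python
"""Added example (not from the SentinelLabs post or PeepingTitle itself):
emulate the backdoor's window-title trigger to see which titles would make it
register an infected machine with its C2.

TRIGGER_STRINGS is copied from the table in the post (described as partial).
The titles in SAMPLE_TITLES are CONSTRUCTED test inputs.
"""

TRIGGER_STRINGS = (
    "activobank", "aixadirecta", "articulares", "bancanet", "bancobest",
    "bancoctt", "bancomer", "bankia", "bankinter", "bpi", "caempresas",
    "caixaagricola", "caixabank", "caixadirectaonline", "canaisdigitais",
    "caonline", "citibanamex", "digitalbanking", "empresas", "eurobic",
    "homebank", "ingaccesoclientes", "internetbanking", "itoagricola",
    "loginmillenniumbcp", "logintoonlinebanking", "montepio",
    "netbancoempresas", "netbancoparticulares", "novobanco", "openbank",
    "santander",
)


def normalise_title(title):
    """Lower-case the title and drop every whitespace character, as the
    malware does before comparing (so "Novo Banco" becomes "novobanco")."""
    return "".join(ch for ch in title.lower() if not ch.isspace())


def matching_triggers(title, triggers=TRIGGER_STRINGS):
    """Return the trigger strings contained in the normalised title, in
    table order. Several can hit at once: "Caixadirecta online" matches both
    "aixadirecta" and "caixadirectaonline"."""
    norm = normalise_title(title)
    return [t for t in triggers if t in norm]


def is_targeted(title, triggers=TRIGGER_STRINGS):
    """True if the title would trigger C2 registration."""
    return bool(matching_triggers(title, triggers))


# Constructed titles: targeted bank tabs, a generic corporate-banking page,
# and benign windows that should not trigger.
SAMPLE_TITLES = [
    "Banco BPI | Login - Google Chrome",
    "Login to Online Banking - Mozilla Firefox",
    "Área de Empresas - Santander Portugal",
    "Caixadirecta online - Caixa Geral de Depósitos",
    "Novo Banco - Área Particulares",
    "Task Manager",
    "New Tab - Google Chrome",
]


def classify(titles=SAMPLE_TITLES):
    """Map each title to the triggers it would hit."""
    return {t: matching_triggers(t) for t in titles}


if __name__ == "__main__":
    for title, hits in classify().items():
        print(f"{title!r:50} -> {hits or 'no trigger'}")
```

Note how broad some of the substrings are: "empresas" and "santander" fire on any window whose title contains those words, and the whitespace stripping makes "Novo Banco" match "novobanco". That breadth is what makes the backdoor noisy enough to register machines on non-banking pages as well.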

Exfiltrated data (plaintext form)

PeepingTitle implements backdoor capabilities that allow for full control over the compromised machines, some of which are:

  • Process termination and screenshot capture: PeepingTitle can take screenshots of the entire screen.
  • Staging of further malware: This involves executing malware placed in the %PUBLIC% directory, or first downloading malware executables from attacker-controlled locations to this directory, and subsequent execution. The staged malware could implement any capabilities the threat actor may need in a given situation, such as further data exfiltration, or interaction and overlay screen capabilities to bypass multi-factor authentication. PeepingTitle supports the execution of Windows PE images and DLL files using the rundll32 Windows utility.
  • Reconfiguration: This includes restarting the PeepingTitle process, reconfiguring the window title monitoring interval to 1 second, and configuring the image scale of the screenshots that PeepingTitle takes.
PeepingTitle downloads and/or executes further malware

In contrast to the first variant, the second PeepingTitle variant registers the infected machine at the C2 server upon execution: The malware exfiltrates data in an encrypted form, which includes the name of the infected machine and volume serial numbers. The malware then continues to monitor for changes of the top-level window and takes a screenshot of this window whenever the user changes it.

PeepingTitle sends the screenshot to a different C2 server than the one used to register the infected machine. The figure below depicts PeepingTitle monitoring for changes of the top-level window as the user switches first to the Task Manager application and then twice to a new Google Chrome tab; the backdoor takes a screenshot of the Google Chrome window only once.

PeepingTitle monitoring for top-level window changes

With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity. The second PeepingTitle variant implements further features, such as downloading and executing malware in the form of Windows PE images, process termination, and malware reconfiguration.

Infrastructure Analysis

Analysis of all infrastructure associated with the threat group behind Operation Magalenha revealed noteworthy changes in design for the operation. First, it is useful to understand the threat actors’ infrastructure design prior to the latest 2023 activity.

Activity from early to mid 2022 centered on abusing DigitalOcean Spaces, the S3-compatible cloud storage service, to host the malware used at the time, with the buckets acting as download locations for malware delivery to targets. The bucket names and example URLs originally used include:

Bucket Name               Example URL
Audaction                 https[://]audaction.fra1.digitaloceanspaces[.]com/pass/alma32.cdr
Azuredatabrickstrainne    https[://]azuredatabrickstrainne.sfo3.digitaloceanspaces[.]com/Workspace.zip
Believeonline             https[://]believeonline.ams3.digitaloceanspaces[.]com/acoustic/p0.cdr
Cleannertools             https[://]cleannertools.fra1.cdn.digitaloceanspaces[.]com/word.ppt
Dssmithcheck              https[://]dssmithcheck.fra1.digitaloceanspaces[.]com/track01.sql
Fintecgroup               https[://]fintecgroup.ams3.digitaloceanspaces[.]com/louse.msf
Ingretationcompatible     http[://]ingretationcompatible.sgp1.digitaloceanspaces[.]com/board.zip
Jackfrostgo               http[://]jackfrostgo.fra1.digitaloceanspaces[.]com/thems%20(4).cdr
Marthmusicclub            https[://]marthmusicclub.sfo3.digitaloceanspaces[.]com/betunios.cdr
Munich                    https[://]munich.ams3.digitaloceanspaces[.]com/Minimize.jpeg
Partyprogames             https[://]partyprogames.ams3.digitaloceanspaces[.]com/bets.cdr
Pexelsfiles               http[://]pexelsfiles.ams3.digitaloceanspaces[.]com/pexels.ppt
Pratoonecooltool          https[://]pratoonecooltool.sfo3.digitaloceanspaces[.]com/national.ppt
Ryzemamd                  https[://]ryzemamd.ams3.digitaloceanspaces[.]com/amd.cdr
Ryzenbootsector           http[://]ryzenbootsector.fra1.digitaloceanspaces[.]com/ryzen%20(3).zip
Starbuckplaylist          https[://]starbuckplaylist.ams3.digitaloceanspaces[.]com/fiis.cdr
Wekkword                  https[://]wekkword.ams3.digitaloceanspaces[.]com/alphabet32.cdr
Wordcupnewsrocket         https[://]wordcupnewsrocket.ams3.digitaloceanspaces[.]com/INT64.cdr
Wordmusic                 https[://]wordmusic.ams3.digitaloceanspaces[.]com/bestmusic.cdr
Workingprofstatus         https[://]ams3.digitaloceanspaces[.]com/workingprofstatus/anime.cdr

In mid 2022, the threat group experimented with using lesser known file hosting providers, and in one case Dropbox. One provider that became increasingly popular was Timeweb, the Russian IaaS provider.

Moving into 2023, the threat group shifted from primarily using DigitalOcean Spaces to Timeweb for malware hosting and C2. Today, the actor continues to use Timeweb Cloud S3 object storage similar to how DigitalOcean was abused. Note that limited Timeweb use overlapped with DigitalOcean use since mid 2022; however, the change appears more strategic since the start of 2023. The shift away from DigitalOcean was due to increased difficulty in hosting the malware without campaign disruption.

Following this design change, a new cluster of activity can be built and linked to the same actor. The cluster makes use of new C2 servers, Timeweb Cloud malware hosting locations, and of course malware samples.

Example map of Timeweb Infrastructure use (list in IOC section)

One associated server stuck out as unique – 193.218.204[.]207, which is on AS211180 for OKLAKO. Of note, the server has open directories showing a file structure and provides us some insight into backend server design and a small number of victim hosts.

Decoded configuration file

Further clues point to Brazilian-Portuguese-speaking threat actors, such as mdfiles.php returning ARQUIVO ENVIADO! (FILE SENT!) to beaconing hosts. Additionally, the publicly available file (SHA1: dff84020be1f4691bed628d300df8a8b12a4de7e) contains Base64 data, which can be decoded to show the configuration file set to beacon to 193.218.204[.]207 while also containing Brazilian-Portuguese text for VARIABLE IS OK and UPDATE.

Decoded configuration file
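One way a defender can automate the decoding step described above, as an added example that is not part of the SentinelLabs report: scan a file for Base64 runs, decode each one, and pull out any IPv4 beacon address and the ARQUIVO ENVIADO marker. The sample input is constructed; its layout and field names are assumptions, and only the C2 address and the Portuguese string come from the report.

```python
import base64
import re

# Constructed sample, not a real artefact from the report: a script fragment
# carrying a Base64-encoded configuration whose decoded form names the beacon
# host (the IP the report attributes to the actor) and one Portuguese status
# string the report mentions. Field names and layout are assumptions.
CONSTRUCTED_CONFIG = b"beacon=193.218.204.207\nport=80\nstatus=ARQUIVO ENVIADO!\n"
CONSTRUCTED_SAMPLE = b"<?php $cfg = '" + base64.b64encode(CONSTRUCTED_CONFIG) + b"'; ?>"

B64_RE = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MARKERS = (b"ARQUIVO ENVIADO",)   # Portuguese string quoted in the report


def find_base64_blobs(data):
    """Return decoded bytes for every well-formed Base64 run of 32+ characters."""
    out = []
    for m in B64_RE.finditer(data):
        blob = m.group(0)
        if len(blob) % 4:                 # valid Base64 length is a multiple of 4
            continue
        try:
            out.append(base64.b64decode(blob, validate=True))
        except ValueError:                # binascii.Error is a ValueError subclass
            continue
    return out


def extract_ipv4(decoded):
    """Return the set of IPv4 strings in decoded data whose octets are all in range."""
    return {m.decode() for m in IPV4_RE.findall(decoded)
            if all(int(o) <= 255 for o in m.split(b"."))}


def analyze(data):
    """Decode embedded Base64 blobs and collect beacon hosts and language markers."""
    report = {"beacons": set(), "markers": set(), "blobs": 0}
    for decoded in find_base64_blobs(data):
        report["blobs"] += 1
        report["beacons"] |= extract_ipv4(decoded)
        report["markers"] |= {m.decode() for m in MARKERS if m in decoded}
    return report


if __name__ == "__main__":
    print(analyze(CONSTRUCTED_SAMPLE))
```

Beacon addresses surface undefanged so they can be matched directly against proxy or firewall logs; defang them before pasting into a report.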

Conclusion

Operation Magalenha indicates the persistent nature of the Brazilian threat actors. These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.

Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe and in Central and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns. As such, it is important for organizations and individuals to remain vigilant and take proactive measures to protect themselves from this threat.

Indicators of Compromise

Below is a list of shortened URLs, SHA1 hashes (of scripts, archive files, and malware samples), and URLs (malware hosting and C2 server locations) associated with Operation Magalenha and related activities conducted by the threat group behind the operation dating back to 2022.

Shortened URLs

https[://]tinyurl.com/edpmobilecliente
https[://]tinyurl.com/dashboaraudicaofastaccoun
https[://]tinyurl.com/edpareaparticulares
https[://]tinyurl.com/miareapersonal


