Cyber Security Threat Summary:
A report from Sentinel Labs has revealed the details of this campaign, shedding light on the tools utilized by the threat actor, the different methods of infection employed, and the techniques employed to distribute their malware. The analyst obtained information regarding the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.

“The attackers use many methods to distribute their malware to targets, including phishing emails pretending to come from Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT), social engineering, and malicious websites that mimic these organizations. In all cases, the infection begins with the execution of an obfuscated VB script that fetches and executes a malware loader, which in turn loads two variants of the 'PeepingTitle' backdoor onto the victim's system following a five-second delay. "The VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments, which is typically pasted content of publicly available code repositories," explains Sentinel Labs in the report. "This is a simple, yet effective technique for evading static detection mechanisms – the scripts that are available on VirusTotal feature relatively low detection ratios." The analysts explain that the purpose of those scripts is to distract the users while malware is downloaded and to steal their EDP and AT credentials by directing them to the corresponding fake portals” (Bleeping Computer, 2023).

Security Officer Comments:
Sentinel Labs has observed multiple instances during Operation Magalenha where threat actors exhibited the capacity to overcome operational challenges. From mid-2022 onwards, the group transitioned away from exploiting DigitalOcean Spaces for command and control (C2), as well as hosting and distributing malware. Instead, they began utilizing lesser-known cloud service providers like Timeweb, which is based in Russia. Analysts speculate that this shift was prompted by DigitalOcean's rigorous precautions, which resulted in frequent disruptions to their campaigns and operational complications.

Suggested Correction(s):
Sentinel Labs has published a list of shortened URLs, SHA1 hashes (of scripts, archive files, and malware samples), and URLs (malware hosting and C2 server locations) associated with Operation Magalenha and related activities conducted by the threat group behind the operation dating back to 2022.

https://www.sentinelone.com/labs/op...paign-pursues-portuguese-credentials-and-pii/

Link(s):
https://www.bleepingcomputer.com/ne...a-targets-credentials-of-30-portuguese-banks/