Sentinel Labs' study, which exposed the threat actor's tools, several infection vectors, and malware distribution techniques, revealed this campaign.
A server misconfiguration that left files, folders, internal communications, and other information accessible allowed the analysts to learn more about the threat actor's background and strategy.
The First Infection
The attackers employ a variety of techniques to spread the infection to their targets, including social engineering, phishing emails purporting to be from EDP and the AT, and bogus websites that look like these agencies.
Each time, a hidden VB script is executed to start the infection; it searches the system and then launches a malware loader. After a five-second wait, the loader drops the "PeepingTitle" backdoor onto the victim's PC in two different variants.
According to the researchers, these scripts have two main goals: to keep users distracted while the malware is downloading, and to steal their EDP and AT credentials by redirecting them to phishing websites.
Sentinel Labs thinks a single individual or team created PeepingTitle, a malware program built in Delphi with an April 2023 compilation date.
The attackers drop two variants on purpose: one records the victim's screen, while the other watches which windows are open and how the user interacts with them.
As soon as it locates a window that matches one of the hardcoded financial institutions, the malware collects all user input and transmits it to the threat actor’s C2 server.
PeepingTitle can also use Windows rundll32 to stage payloads from executables or DLL files, take screenshots, terminate processes on the host, and adjust its monitoring intervals on the fly.
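The infection chain (a hidden VB script that launches a loader) and the rundll32-based payload staging described above both leave a process-ancestry trail that a defender can hunt for in endpoint telemetry. The following Python hunting heuristic is an added example, not code from the original article or from Sentinel Labs: it scans constructed Sysmon-style process-creation events for (1) a Windows script host (assumed here to be wscript.exe or cscript.exe) spawning a child process and (2) rundll32.exe either descending from that chain or being handed a module that is not a conventional .dll path. All process names, PIDs, paths and command lines are made-up sample data.

```python
"""Hunting heuristic for a script-host -> loader -> rundll32 infection chain.

Added example (not the article's or Sentinel Labs' code). The events below are
constructed Sysmon-style process-creation records, not real telemetry; the
assumption that the hidden VB script runs under wscript.exe/cscript.exe is ours.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed script-host images


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def _ancestry(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent],
              max_depth: int = 8) -> List[str]:
    """Return the chain of (lower-cased) image names from ev up to its root."""
    chain: List[str] = []
    cur: Optional[ProcessEvent] = ev
    seen = set()
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def rundll32_payload_suspicious(cmdline: str) -> bool:
    """rundll32 is normally invoked as '<path>.dll,<Export>'; flag anything else."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return True                       # rundll32 with no module at all
    module = parts[1].strip().split(",")[0].strip().strip('"').lower()
    return not module.endswith(".dll")


def find_suspicious_chains(events: List[ProcessEvent]) -> List[Dict]:
    """Flag script-host spawns and rundll32 staging in a batch of events."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []
    for ev in events:
        chain = _ancestry(ev, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        # Rule 1: a script host launching anything (the loader stage).
        if parent in SCRIPT_HOSTS:
            findings.append({"pid": ev.pid, "rule": "script_host_spawn",
                             "chain": chain})
        # Rule 2: rundll32 descended from a script host, or given a non-DLL module.
        if ev.image.lower() == "rundll32.exe":
            from_script = any(a in SCRIPT_HOSTS for a in chain[1:])
            odd_payload = rundll32_payload_suspicious(ev.cmdline)
            if from_script or odd_payload:
                findings.append({"pid": ev.pid, "rule": "rundll32_staging",
                                 "chain": chain, "non_dll_payload": odd_payload})
    return findings


# Constructed sample telemetry: one malicious chain and one benign rundll32 use.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "wscript.exe",
                 r"wscript.exe C:\Users\user\AppData\Local\Temp\fatura.vbs"),
    ProcessEvent(300, 200, "loader.exe", r"C:\Users\Public\loader.exe"),
    ProcessEvent(400, 300, "rundll32.exe",
                 r"rundll32.exe C:\Users\Public\module.bin,Run"),
    ProcessEvent(500, 100, "rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def demo() -> List[Dict]:
    """Run the heuristic over the constructed sample and return its findings."""
    return find_suspicious_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

The benign rundll32 launch from explorer.exe with a real .dll module is not flagged, while the chain that descends from the script host is reported twice: once when the loader is spawned and once when rundll32 stages a non-DLL module. In production this would read Sysmon Event ID 1 records rather than the constructed list, and the script-host set would be tuned to the environment.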
Since the start of the operation, Sentinel Labs has seen a number of instances in which the threat actors have shown the capacity to overcome operational challenges.