
“Operation Magalenha” Exposes Targeted Credentials of 30 Portuguese Banks


By Esme Greene

Aug 10, 2023

This campaign came to light through a Sentinel Labs study that exposed the threat actor’s tools, several infection vectors, and malware distribution techniques.

A server misconfiguration left files, folders, internal communications, and other information accessible, which allowed the analysts to learn more about the threat actor’s background and strategy.

The First Infection

The attackers use a variety of techniques to spread the infection to their targets, including social engineering, phishing emails purporting to be from EDP and the AT, and bogus websites that imitate these organizations.

In each case, the infection starts with the execution of a hidden VB script, which then searches the system and launches a malware loader. After a five-second wait, two different variants of the “PeepingTitle” backdoor are launched on the victim’s PC.

According to experts, the main goals of these scripts are to distract users while the malware is downloading and to steal their EDP and AT credentials by sending the users to shady websites.
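The chain described above (VB script, then a loader, then two backdoor variants after a short wait) can be hunted for in process-creation logs. The following is an added example, not code from Sentinel Labs or from the original article; the event records, process names, PIDs and delay thresholds are constructed assumptions, and only the shape of the chain comes from the text.

```python
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # default Windows VBScript hosts

# Constructed process-creation records (fields modelled on Sysmon Event ID 1):
# (time, pid, parent pid, image). All values are invented for this example.
EVENTS = [
    ("2023-05-02T09:14:00", 410, 100, "wscript.exe"),
    ("2023-05-02T09:14:02", 420, 410, "loader.exe"),
    ("2023-05-02T09:14:07", 430, 420, "variant_a.exe"),
    ("2023-05-02T09:14:07", 431, 420, "variant_b.exe"),
    # Benign look-alike: a script host starts a tool that has a single child.
    ("2023-05-02T10:00:00", 510, 100, "cscript.exe"),
    ("2023-05-02T10:00:01", 520, 510, "inventory.exe"),
    ("2023-05-02T10:00:06", 530, 520, "report.exe"),
]


def find_staged_chains(events, min_delay=3, max_delay=15, min_payloads=2):
    """Flag script host -> loader -> several delayed children.

    Assumes PIDs are unique in the analysed window and that the delay is
    measured from the loader's start time (assumptions, not from the report).
    """
    procs = {}
    for ts, pid, ppid, image in events:
        procs[pid] = {"time": datetime.fromisoformat(ts), "ppid": ppid,
                      "image": image.lower()}
    findings = []
    for pid, loader in procs.items():
        parent = procs.get(loader["ppid"])
        if parent is None or parent["image"] not in SCRIPT_HOSTS:
            continue  # not launched by a VBScript host
        payloads = set()
        for child in procs.values():
            if child["ppid"] != pid:
                continue
            delay = (child["time"] - loader["time"]).total_seconds()
            if min_delay <= delay <= max_delay:
                payloads.add(child["image"])
        if len(payloads) >= min_payloads:
            findings.append({"script_host_pid": loader["ppid"],
                             "loader": loader["image"],
                             "payloads": sorted(payloads)})
    return findings


if __name__ == "__main__":
    for hit in find_staged_chains(EVENTS):
        print(hit)
```

On real telemetry the delay window and the minimum number of children need tuning against legitimate installers that are started from scripts.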

‘PeepingTitle’ Backdoor

Sentinel Labs thinks a single individual or team created PeepingTitle, a malware program built in Delphi with an April 2023 compilation date.

The attackers drop two variants: one is used to record the victim’s screen, and the other to watch windows and how the user interacts with them.

As soon as it locates a window that matches one of the hardcoded financial institutions, the malware collects all user input and transmits it to the threat actor’s C2 server.

PeepingTitle can also use Windows rundll32 to stage payloads from executables or DLL files, take screenshots, terminate processes on the host, and change its monitoring intervals on the fly.

Since the start of the operation, Sentinel Labs has seen a number of instances in which the threat actors have shown the capacity to overcome operational challenges.
