BlackBerry Blog

Operation CMDStealer: Financially Motivated Campaign Leverages CMD-Based Scripts and LOLBaS for Online Banking Theft in Portugal, Peru, and Mexico

An unknown financially motivated threat actor, very likely from Brazil, is targeting Spanish- and Portuguese-speaking victims, with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as LOLBaS (Living Off the Land Binaries and Scripts), along with CMD-based scripts to carry out its malicious activities.

The campaign utilizes phishing emails in Portuguese and Spanish, and social engineering tactics to target victims. The emails exploit commonly encountered issues, such as transit infractions and taxes, to create a sense of urgency and legitimacy in their phishing messages. By posing as authoritative entities or government agencies, the messages are intended to deceive unsuspecting individuals and get them to disclose their online banking credentials.

Brief MITRE ATT&CK® Information

Tactic               Technique(s)
Initial Access       T1566.001
Execution            T1204.002, T1059.001, T1059.003, T1047, T1059.005, T1059.007
Defense Evasion      T1027, T1140
Command and Control  T1001, T1105, T1132.001, T1071.001
Discovery            T1069, T1082, T1087
Exfiltration         T1041
Credential Access    T1555.003
Persistence          T1547.009


Weaponization and Technical Overview

Weapons                 CMD files, AutoIt scripts
Attack Vector           Phishing
Network Infrastructure  Malicious domains
Targets                 Portugal, Mexico, Peru


Technical Analysis

Context

The Latin American threat landscape primarily consists of financially motivated malware, usually compiled into final PE payloads. When deploying those final payloads, BlackBerry threat researchers have seen a variety of techniques, such as abusing VBE scripts, ISO images, and MSI packages. In this case, the threat actor behind the campaign used CMD-based scripts, AutoIt scripts, and LOLBaS.

LOLBaS and CMD-based scripts help threat actors avoid detection by traditional security measures. The scripts leverage built-in Windows® tools and commands, allowing the threat actor to evade endpoint protection platform (EPP) solutions, and bypass security systems. By utilizing these techniques, they can gain unauthorized access to victims' systems, extract sensitive information, and ultimately compromise online banking accounts and payment systems.

The geographical focus of this threat actor centers on Portugal, Mexico, and Peru, where a significant number of Spanish and Portuguese speakers reside. Their selection of countries is likely influenced by the prevalence of online banking usage in these regions, making them lucrative targets for financial fraud.

The first .CMD file set seen to use AutoIt in its execution was discovered at the end of 2021. Decompiling the AutoIt script into human-readable form shows files named “demo” or “test,” which suggests the threat actor was still testing at that stage and supports the timeline of this attack campaign.

Figure 1 – CMDStealer files with a very low detection rate on Virus Total
 

Operation CMDStealer Attack Vector

The infection chain begins with the user receiving a phishing email. These phishing emails are specially crafted to grab victims’ attention. In one instance, we observed an email titled “Multa de Trânsito,” which translates from Portuguese as “traffic infraction ticket.” Each email has an HTML attachment.

Figure 2 – Phishing email contents
 
The email text employs scare tactics, such as supposed evidence of a traffic violation, to prompt the user to open the HTML attachment, which contains junk code alongside data in HEX format.
 
Figure 3 – "multa_de_transito_502323.html" attachment content
 

The data blob in HEX decodes to a slightly obfuscated URL address which upon cleanup translates to: hxxps[:]//multa-ansr-pt[.]fun/?hcBViJAi9EZSc3YQwxpEwfmD7xdG0IF34EWGHj6Q. This URL resolves to the IP address 162.0.232[.]115. During the extensive analysis of the “.HTML” files, BlackBerry identified a large list of HEX-encoded URLs of the same form.

Opening the attached “multa_de_transito_502323.html” file triggers the embedded JavaScript, which reaches out to hxxps[:]//multa-ansr-pt[.]fun/?hcBViJAi9EZSc3YQwxpEwfmD7xdG0IF34EWGHj6Q to pull down the next stage, a compressed RAR archive.
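A triage helper for attachments of the kind described above, added here as an example and not code from the report: it pulls every long HEX run out of an HTML file, decodes it, and returns any URL found inside in defanged form. It assumes the HEX decodes directly to a URL (the report's "slight obfuscation" cleanup step is not reproduced), and the embedded sample and its query token are constructed placeholders.

```python
import re
from typing import List

# Constructed sample resembling the described attachment: junk script plus a
# long HEX blob that decodes to a URL. The host is the one named in the report;
# the query token is a placeholder, not copied from a real sample.
SAMPLE_URL = "https://multa-ansr-pt.fun/?PLACEHOLDER_QUERY_TOKEN"
SAMPLE_HTML = (
    "<html><body><script>var a=1;var b='junk';"
    "var d='" + SAMPLE_URL.encode().hex() + "';"
    "</script></body></html>"
)

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){20,}")  # 40+ hex chars, even length
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")


def defang(url: str) -> str:
    """Neutralise a URL for safe reporting: http -> hxxp, :// -> [:]//, . -> [.]"""
    return (url.replace("http", "hxxp", 1)
               .replace("://", "[:]//", 1)
               .replace(".", "[.]"))


def extract_hex_urls(html: str) -> List[str]:
    """Decode every long HEX run in the attachment and return defanged URLs found inside."""
    found = []
    for match in HEX_RUN.finditer(html):
        try:
            decoded = bytes.fromhex(match.group(0))
        except ValueError:  # not valid hex after all (e.g. a truncated run)
            continue
        for raw in URL_RE.findall(decoded):
            found.append(defang(raw.decode("ascii", "replace")))
    return found


if __name__ == "__main__":
    for url in extract_hex_urls(SAMPLE_HTML):
        print("decoded URL:", url)
```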

The archive file is typically titled with one of the naming schemes (a few are listed below):

  • doc-Impuestos_<[0-9]{6}>.rar
  • doc-Impostos_<[0-9]{6}>.rar
  • Documento_Impostos_<[0-9]{6}>.rar
  • Multa_<[0-9]{6}>.rar
  • Impuestos-Documento_<[0-9]{6}>.rar

BlackBerry found different campaigns geofenced to each specific country. Threat researchers reported similar campaigns in the past targeting Mexico.

Weaponization

The archive contains a single “.CMD” file, typically using one of the following filenames (other names also occur):

  • doc-Impuestos.cmd
  • doc-Impostos.cmd
  • Impuestos-Documento.cmd
  • doc_Factura.cmd
  • Documento_Impostos.cmd

The “.CMD” file is large, ranging between 1.34 and 1.37 MB, and consists of two base64-encoded data blobs plus the code instructions that execute them. The script is described in the SANS write-up released on 1/06/2023.

Figure 4 – Code instructions for both base64 data block execution
 

The first base64 data blob is a compiled AutoIt script; the second is the AutoIt interpreter (a benign file), which is used to run the first.

The purpose of the AutoIt script is to enumerate the host and download a “.VBS” file, which is then executed via “SHELLEXECUTE”. Next, it invokes the “_OUTRECOVERY()” function to steal Outlook data such as server, user, and password from the POP3, SMTP, and IMAP registry keys.

The script is then instructed to call the “_CHROMERECOVERY()” function. It proceeds by downloading the “sqlite3.dll” file from “hxxps[:]//www[.]autoitscript[.]com/autoit3/pkgmgr/sqlite/” which will be required later during the Chrome password theft.

All data is then sent back to the attacker's C2 via the HTTP POST method. The C2 is constructed with the victim's enumerated data, where the values are:

  • v1 – OS language (e.g., 1033 – English US)
  • v2 – keyboard layout (e.g., 1033 – English US)
  • v3 – operating system version (Windows 7, 8, 10, 11, or unknown)
  • v4 – whether the victim is an admin or a standard user
  • v5 – OS architecture (x86 or x64)

The URL then becomes:

  • hxxp[:]//publicpressmagazine[.]com/images/swan/do/it[.]php?b1=1&v1=1033&v2=1033&v3=windows%2010&v4=admin&v5=x86
  • hxxp[:]//websylvania[.]com/psj/do/it[.]php?b1=1&v1=3082&v2=1034&v3=windows%207&v4=user&v5=x64

To gain persistence on the infected system, it relies on the following code:

Figure 5 – Persistence in the system
 
Notably, within the decompiled AutoIt scripts that were used to target Mexico, a list of Mexican banks was also specified. If found, some of that data was sent back to the attacker.
 
Figure 6 – Financial targets in Mexico
 

Based on the URLs of the financial targets in Mexico, the threat actor behind CMDStealer is highly interested in compromising enterprise/business accounts.

Operation CMDStealer Network Infrastructure

The phishing and C2 (command and control) infrastructure are hosted on services with numerous domains associated with a single address, including fast flux services. Such services go a long way in obfuscating NetFlow traffic analysis and infrastructure tracking.

The domains used also rely heavily on redacted WHOIS records and obscure registration data. Every stage of this stealer uses domains whose registration information has been redacted for years.

Multiple hosts were identified communicating with most of CMDStealer’s C2 servers, but the communications were not reliable enough to confirm threat actor ownership.

Campaigns have used the same URL path */do/it.php since at least 8/20/2022, making it a reasonable path on which to alert.
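Detection logic for the check-in URL described in the Weaponization section and the stable */do/it.php path noted above, added as an example and not code from the report: it scans proxy log lines, raises a medium-confidence alert on the path alone and a high-confidence alert when the query also carries b1 and the five enumeration fields v1..v5, decoding those fields into named values. The log format and the hosts in the sample lines are constructed placeholders; the query strings mirror the two beacons quoted in the report.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>".
# Hosts are placeholders, not the report's domains.
SAMPLE_LOGS = [
    "2023-05-01T10:00:01Z 10.0.0.5 POST http://c2-placeholder.example/images/swan/do/it.php?b1=1&v1=1033&v2=1033&v3=windows%2010&v4=admin&v5=x86",
    "2023-05-01T10:00:07Z 10.0.0.9 GET  https://www.example.com/do/it/index.html",
    "2023-05-01T10:00:09Z 10.0.0.7 POST http://other-placeholder.example/psj/do/it.php?b1=1&v1=3082&v2=1034&v3=windows%207&v4=user&v5=x64",
    "2023-05-01T10:00:12Z 10.0.0.7 GET  http://intranet.example/do/it.php",
]

# Meaning of the v1..v5 parameters as documented in the report.
FIELD_NAMES = {"v1": "os_language", "v2": "keyboard_layout",
               "v3": "os_version", "v4": "privilege", "v5": "arch"}


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return an alert dict if the URL matches the CMDStealer check-in shape, else None.

    medium: path ends in /do/it.php (stable since at least 8/20/2022 per the report)
    high:   path matches AND the query carries b1 plus all of v1..v5
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/do/it.php"):
        return None
    hit = {"confidence": "medium", "host": parts.hostname or ""}
    qs = parse_qs(parts.query)  # also URL-decodes values such as windows%2010
    if "b1" in qs and all(k in qs for k in FIELD_NAMES):
        hit["confidence"] = "high"
        hit.update({name: qs[key][0] for key, name in FIELD_NAMES.items()})
    return hit


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_url over each log line and attach timestamp and client for triage."""
    alerts = []
    for line in lines:
        ts, client, _method, url = line.split(maxsplit=3)
        hit = classify_url(url)
        if hit is not None:
            alerts.append({"ts": ts, "client": client, **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOGS):
        print(alert)
```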

Targets

This attack primarily targets victims in Portugal, Mexico, and Peru. Also, based on the configuration used to target victims in Mexico, the threat actor is interested in online business accounts, which usually have a better cash flow.

Attribution

Based on the code and language analysis, BlackBerry researchers are confident that the threat actor behind this campaign is based in Latin America, specifically Brazil.

Conclusions

Defending against LOLBaS executions requires a multi-layered strategy. First, organizations should implement robust endpoint security solutions to detect and block suspicious behavior and unauthorized execution of LOLBaS. Additionally, organizations should enforce the principle of least privilege (for example through a zero trust model), confirming that users have only the permissions necessary to perform their tasks and thus limiting the potential impact of LOLBaS execution. Regular security awareness training should be provided to educate employees about the risks associated with social engineering. Continuous monitoring and auditing of system logs can also help detect and investigate any suspicious activities related to LOLBaS.

APPENDIX 1 – Referential Hashes


APPENDIX 2 – Applied Countermeasures

Yara Rules

Available on request (see below).

Suricata Rule

Available on request (see below).

Disclaimer: The private version of this report is available on request. It includes but is not limited to the complete and contextual MITRE ATT&CK® mapping, MITRE D3FEND™ countermeasures, Attack Flow by MITRE, and other threat detection content for tooling, network traffic, complete IOCs list, and system behavior. For more information, email BlackBerry at cti@blackberry.com.
 
The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.