Operation CMDStealer: Financially Motivated Campaign Leverages CMD-Based Scripts and LOLBAS for Online Banking Theft in Portugal, Peru, and Mexico

A financially motivated threat actor, most likely from Brazil, is targeting Spanish- and Portuguese-speaking victims with malicious LOLBAS tactics and CMD-based scripts to steal online banking access in Portugal, Mexico, and Peru.

Summary

An unknown financially motivated threat actor, most likely from Brazil, is targeting Spanish- and Portuguese-speaking victims, with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as Living Off the Land Binaries and Scripts (LOLBAS), along with CMD-based scripts to carry out its malicious activities.

The campaign utilizes phishing emails written in Portuguese and Spanish. It also uses social engineering tactics to target victims. The emails exploit commonly encountered issues, such as transit infractions and taxes, to create a sense of urgency and legitimacy in their phishing messages. By posing as authoritative entities or government agencies, the messages are intended to deceive unsuspecting individuals and get them to disclose their online banking credentials.

Brief MITRE ATT&CK® Information

Tactic Technique
Initial Access T1566.001
Execution T1204.002, T1059.001, T1059.003, T1047, T1059.005, T1059.007
Defense Evasion T1027, T1140
Command and Control T1001, T1105, T1132.001, T1071.001
Discovery T1069, T1082, T1087
Exfiltration T1041
Credential Access T1555.003
Persistence T1547.009


Weaponization and Technical Overview

Weapons CMD files, AutoIt scripts
Attack Vector Phishing
Network Infrastructure Malicious domains
Targets Portugal, Mexico, Peru


Technical Analysis

Context

The Latin American threat landscape primarily consists of financially-motivated malware, usually compiled into Portable Executable (PE) payloads. While analyzing the deployment of the final payloads, the Arctic Wolf® Labs team saw a variety of techniques, such as abusing VBE scripts, ISO images, and MSI packages. In this case, the threat actor behind the campaign used CMD-based scripts, AutoIt scripts, and LOLBAS.

LOLBAS and CMD-based scripts help threat actors avoid detection by traditional security measures. The scripts leverage built-in Windows tools and commands, allowing the threat actor to evade endpoint protection platform (EPP) solutions and bypass security systems. By utilizing these techniques they can gain unauthorized access to victims’ systems, extract sensitive information, and ultimately compromise online banking accounts and payment systems.

The geographical focus of this threat actor centers on Portugal, Mexico, and Peru, where a significant number of Spanish and Portuguese speakers reside. Their selection of countries is likely influenced by the prevalence of online banking usage in these regions, making them lucrative targets for financial fraud.

The first .CMD file set seen to use AutoIt in its execution was discovered at the end of 2021. Upon decompiling the AutoIt script into human-readable form, we found these files named “demo” or “test,” which suggests the threat actor was still testing at that point and supports the timeline of this attack campaign.

Figure 1: CMDStealer files with a very low detection rate on VirusTotal. 

Operation CMDStealer Attack Vector

The infection chain begins with the user receiving a phishing email. These phishing emails are specially crafted to grab victims’ attention. In one instance, we observed one of the emails titled “Multa de Trânsito,” which translates from Portuguese as “traffic infraction ticket.” Each email has an HTML attachment.

Figure 2: Phishing email contents.

The email text employs typical scare tactics, such as claiming to have evidence of a traffic violation, prompting the user to open the HTML attachment which contains some junk code and data in HEX format.

Figure 3: Multa_de_transito_502323.html attachment content.

The data blob in HEX decodes to a slightly obfuscated URL address which upon cleanup translates to: hxxps://multa-ansr-pt[.]fun/?hcBViJAi9EZSc3YQwxpEwfmD7xdG0IF34EWGHj6Q. This URL resolves to the IP address 162.0.232[.]115. During our extensive analysis of the .HTML files, Arctic Wolf® identified a large list of HEX-encoded URLs, some of which are listed here:

  • hxxps://factura61[.]click/2/?j5szsmo0bk8tOSQSMS4mmp1XtQrmbNYoCB2GBem8
  • hxxps://factura61[.]click/2/?vzlv9CZ1gnLrNIaWBJBhJNWRCt7IVXDDwVzOQhSs
  • hxxps://sunat-pe[.]fun/?D80gaUJDUfuLG6lodTSEi7qoqciBWk5xE5w81pJO
  • hxxps://factura61[.]click/2/?CTtBmkRN8KPXVTgUn1ArCPGb5WXTXTaT7etdD7TC
  • hxxps://factura61[.]click/2/?yqJl8r7henupax3WsUvITb0PuSw5sn7HyZWGMvDv
  • hxxps://factura61[.]click/2/?GxkVBvEBTFfSDqaFr8Yjw9kyKH01xRseHoF0DNQc
  • hxxps://multa-ansr-pt[.]fun/?UFqQBhFaXulvEfeTbI38FFDKRth1r2DWKOFqUI0Y
  • hxxps://multa-ansr-pt[.]fun/?l4mm0DEhDbJPYd5qAQmwst09TDTjjvYjiG7ByCvx
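The HEX-to-URL step described above can be scripted for triage of similar attachments. The following Python is an added example and not code from the article or from Arctic Wolf: it pulls long hex runs out of an HTML attachment, decodes the ones that are mostly printable text, extracts any URL found inside (tolerating junk on either side, since the article notes the decoded address needed cleanup), and defangs it for reporting. The sample HTML, its variable names, the junk around the URL, and the placeholder URL itself are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample attachment: junk JavaScript plus one hex-encoded blob.
# The URL is a placeholder (example.invalid), not one of the campaign's domains.
SAMPLE_URL = "https://multa-lure.example.invalid/?tok3nPlaceholder0123456789abcdef"
_payload = "x9!q" + SAMPLE_URL + "#zz"  # filler around the URL, an assumption of this example
SAMPLE_HTML = f"""<html><body>
<script>
var a = 1; var b = "nothing to see"; function f(){{ return a + 2; }}
var d = "{_payload.encode().hex()}";
</script></body></html>"""

HEX_RUN = re.compile(r"[0-9a-fA-F]{40,}")  # only long runs, to skip colours/IDs
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>#]*)?")


def decode_hex_runs(html: str, min_printable: float = 0.9) -> list[str]:
    """Decode every even-length hex run whose bytes are mostly printable ASCII."""
    out = []
    for run in HEX_RUN.findall(html):
        if len(run) % 2:
            continue
        text = bytes.fromhex(run).decode("latin-1")
        printable = sum(32 <= ord(c) < 127 for c in text) / len(text)
        if printable >= min_printable:
            out.append(text)
    return out


def extract_urls(html: str) -> list[str]:
    """Return URL-shaped substrings found inside the decoded hex runs."""
    urls = []
    for text in decode_hex_runs(html):
        urls.extend(URL_RE.findall(text))
    return urls


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked: http -> hxxp, dots in the host -> [.]"""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{rest}"


if __name__ == "__main__":
    for u in extract_urls(SAMPLE_HTML):
        print(defang(u))
```

The printable-ratio filter is what keeps binary-looking hex (embedded images, hashes) out of the result; lower `min_printable` if an attachment mixes text and padding bytes in the same blob.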

Opening the attached multa_de_transito_502323.html file triggers the embedded JavaScript and reaches out to hxxps://multa-ansr-pt[.]fun/?hcBViJAi9EZSc3YQwxpEwfmD7xdG0IF34EWGHj6Q to pull down the next stage, which is a compressed archive (RAR) file.

The archive file is typically titled with one of a set of naming schemes, a few of which are listed below:

  • doc-Impuestos_<[0-9]{6}>.rar
  • doc-Impostos_<[0-9]{6}>.rar
  • Documento_Impostos_<[0-9]{6}>.rar
  • Multa_<[0-9]{6}>.rar
  • Impuestos-Documento_<[0-9]{6}>.rar

Arctic Wolf found different campaigns geofenced to each specific country. Threat researchers reported similar campaigns in the past targeting Mexico.

Weaponization

The contents of the previously mentioned archive include a single .CMD file typically titled using one of the following filenames, among others:

  • doc-Impuestos.cmd
  • doc-Impostos.cmd
  • Impuestos-Documento.cmd
  • doc_Factura.cmd
  • Documento_Impostos.cmd

The .CMD file is large, between 1.34 and 1.37 MB, and consists of two base64-encoded data blobs plus the code instructions that execute them. The script is described in this SANS write-up.

Figure 4: Code instructions for both base64 data block execution.

The first base64 data blob is a compiled AutoIt script and the second is the AutoIt interpreter, a benign file used to run the first. The purpose of the AutoIt script is to enumerate the host and download a .VBS file, which then gets executed via SHELLEXECUTE.
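As a triage aid for the dropper layout just described (two base64 blobs, one a compiled AutoIt script and one the AutoIt interpreter), here is an added Python example that is not part of the article: it pulls consecutive base64-only lines out of a .CMD file, decodes them, and classifies each blob by its leading bytes, reporting size and SHA-256 for hash lookups. The sample .CMD text is constructed and does not reproduce the real script's command lines (Figure 4); the classification relies on the MZ header of a PE file and the AU3!EA06 marker that compiled AutoIt v3 scripts begin with.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the dropper: harmless batch lines and two base64 blobs.
# The blob contents are fakes (a minimal MZ/PE stub and a buffer that starts with
# the compiled-AutoIt marker); the real dropper's commands are not reproduced.
_fake_a3x = b"AU3!EA06" + bytes(range(256))
_fake_pe = b"MZ" + b"\x90" * 58 + b"PE\x00\x00" + b"\x00" * 100
SAMPLE_CMD = (
    "@echo off\r\n"
    "rem constructed sample, not the original dropper\r\n"
    + base64.encodebytes(_fake_a3x).decode()
    + "rem second blob follows\r\n"
    + base64.encodebytes(_fake_pe).decode()
    + "exit /b\r\n"
)

# A blob starts with a line that is nothing but base64 text; following
# base64-only lines (including a short, padded tail) continue it.
B64_START = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
B64_CONT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_base64_blobs(text: str) -> list[bytes]:
    """Return the decoded bytes of every run of base64-only lines in a script."""
    runs, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if current and B64_CONT.match(line):
            current.append(line)
        elif B64_START.match(line):
            current = [line]
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    decoded = []
    for run in runs:
        try:
            decoded.append(base64.b64decode(run, validate=True))
        except binascii.Error:
            continue  # looked like base64 but was not; skip it
    return decoded


def classify_blob(data: bytes) -> str:
    """Rough type guess from leading bytes: PE (MZ) or compiled AutoIt v3 (AU3!EA06)."""
    if data[:2] == b"MZ":
        return "pe_executable"
    if data[:8] == b"AU3!EA06":
        return "autoit_compiled_script"
    return "unknown"


def triage_cmd(text: str) -> list[dict]:
    """Summarise each embedded blob: type guess, size, and SHA-256."""
    return [
        {"kind": classify_blob(d), "size": len(d), "sha256": hashlib.sha256(d).hexdigest()}
        for d in extract_base64_blobs(text)
    ]


if __name__ == "__main__":
    for i, entry in enumerate(triage_cmd(SAMPLE_CMD), 1):
        print(f"blob {i}: {entry['kind']}, {entry['size']} bytes, sha256={entry['sha256']}")
```

Two blobs placed back to back with no separating line would be merged and fail to decode; in that case split on the padded line. The SHA-256 of the decoded interpreter should match a known AutoIt release if it really is the benign runtime, which is a quick way to confirm which blob deserves the analyst's time.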

Next, it invokes the _OUTRECOVERY() function to steal Outlook email data such as server, user, and password from the POP3, SMTP, and IMAP registry keys. The script then calls the _CHROMERECOVERY() function. It proceeds by downloading the sqlite3.dll file from hxxps://www[.]autoitscript[.]com/autoit3/pkgmgr/sqlite/, which is required later for the Chrome password theft.

All data is then sent back to the attacker’s C2 via the HTTP POST method. The C2 is constructed with the victim’s enumerated data, where the values are:

  • v1 – OS language (e.g., 1033 – English US)
  • v2 – Keyboard layout (e.g., 1033 – English US)
  • v3 – Operating system version (Windows 7, 8, 10, 11, or unknown)
  • v4 – Is target an admin or user
  • v5 – OS architecture (x86 or x64)

The URL then becomes:

  • hxxp://publicpressmagazine[.]com/images/swan/do/it[.]php?b1=1&v1=1033&v2=1033&v3=windows%2010&v4=admin&v5=x86
  • hxxp://websylvania[.]com/psj/do/it[.]php?b1=1&v1=3082&v2=1034&v3=windows%207&v4=user&v5=x64

To gain persistence on the infected system, it relies on the following code:

Figure 5: Persistence in the system.

Notably, within the decompiled AutoIt scripts that were used to target Mexico, a list of popular Mexican banks was also specified. If found, some of that data was sent back to the attacker.

Figure 6: Popular financial institutions targeted in Mexico.

Based on the URLs of the financial targets in Mexico, the threat actor behind CMDStealer is highly interested in compromising enterprise and business accounts.

Network Infrastructure

The phishing and command-and-control (C2) infrastructure is hosted on services with numerous domains associated with a single address, including fast flux services. Such services go a long way in obfuscating NetFlow traffic analysis and infrastructure tracking.

The domains utilized also use heavily redacted “whois” information and obscure registration data. Every stage of this stealer uses domains that have redacted information for years.

Multiple hosts were identified communicating with most of CMDStealer’s C2 servers, but the communications were not reliable enough to confirm threat actor ownership.

Campaigns have utilized the same URL path, */do/it.php, since at least 8/20/2022, making it a reasonable path to alert on.
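The */do/it.php path singled out here, together with the b1 and v1–v5 parameter layout described in the Weaponization section, can be turned into a simple log check. The following Python is an added example, not code from the article or from Arctic Wolf: it scans constructed proxy log lines (placeholder hosts, with the path suffix and parameter scheme as described), flags requests whose path ends in /do/it.php, and in strict mode also requires the host-enumeration keys so that an unrelated internal /do/it.php does not fire.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines. Hosts are placeholders; the path suffix and the
# b1/v1..v5 parameter scheme follow the beacon layout described in the article.
SAMPLE_LOG = """\
2023-05-02T09:12:44Z 10.1.2.33 GET http://c2-one.example.invalid/images/swan/do/it.php?b1=1&v1=1033&v2=1033&v3=windows%2010&v4=admin&v5=x86 200
2023-05-02T09:13:01Z 10.1.2.34 GET https://cdn.example.invalid/static/app.js 200
2023-05-02T09:14:10Z 10.1.2.35 POST http://c2-two.example.invalid/psj/do/it.php?b1=1&v1=3082&v2=1034&v3=windows%207&v4=user&v5=x64 200
2023-05-02T09:15:22Z 10.1.2.36 GET http://intranet.example.invalid/do/it.php?page=2 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
ENUM_KEYS = ("v1", "v2", "v3", "v4", "v5")
FIELD_NAMES = {  # meaning of each key, as given in the article
    "v1": "os_language",
    "v2": "keyboard_layout",
    "v3": "os_version",
    "v4": "privilege",
    "v5": "architecture",
}


def is_cmdstealer_beacon(url: str, strict: bool = True) -> bool:
    """True when the path ends in /do/it.php; strict mode also requires b1 and v1..v5."""
    parts = urlsplit(url)
    if not parts.path.endswith("/do/it.php"):
        return False
    if not strict:
        return True
    qs = parse_qs(parts.query)
    return "b1" in qs and all(k in qs for k in ENUM_KEYS)


def describe_beacon(url: str) -> dict:
    """Pull the host-enumeration values out of a beacon URL (parse_qs undoes %20)."""
    qs = parse_qs(urlsplit(url).query)
    return {FIELD_NAMES[k]: qs[k][0] for k in ENUM_KEYS if k in qs}


def scan_log(text: str, strict: bool = True) -> list[dict]:
    """Return one record per matching request: timestamp, source, URL, decoded fields."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_cmdstealer_beacon(m["url"], strict):
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], **describe_beacon(m["url"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit.get("os_version"), hit.get("privilege"), hit.get("architecture"))
```

Strict mode trades recall for precision: the path alone is the indicator the article recommends alerting on, so a production rule might alert on the path at low severity and escalate when the v1–v5 keys are also present. The decoded fields (language, OS version, admin or user, architecture) double as triage context for the responder.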

Targets

This attack primarily targets victims in Portugal, Mexico, and Peru. Based on the configuration used to target victims in Mexico, the threat actor is most interested in online business accounts, which usually have a better cash flow.

Attribution

Based on the code and language analysis, we can state with a moderate degree of confidence that the threat actor behind this campaign belongs to Latin America, specifically Brazil.

Conclusions

Defending against attacks that rely on LOLBAS executions requires a multi-layered defensive strategy:

  • Organizations should implement robust endpoint security solutions to detect and block suspicious behavior and unauthorized execution of LOLBAS.
  • Organizations should also enforce the principle of least privilege, for example through a zero trust model, confirming that users have only the permissions necessary to perform their tasks and thus limiting the potential impact of LOLBAS execution.
  • Regular security awareness training should be provided to educate employees about the risks associated with social engineering.
  • Continuous monitoring and auditing of system logs can also help detect and investigate any suspicious activities related to LOLBAS.

Referential Hashes

SHA-256 f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0
MD5 e64f28174f646e26199d6b7735c84195
SHA-256 0a277e51598ef364d5e0006817d32487eb9c0a3c150b7169cbc0bb7348088e63
MD5 f7f602f9b7fd04b64fbafe4dbfefa066
SHA-256 2d87b9b071ace9f2ebfa33c1c0c21202f39876b312e135a491bf57ba731b798c
MD5 fdcc1e1e3ccf30c63660e1f75042be43
SHA-256 40017793f40a192b1dfdfc960742dd539b19fee9b15213307c8319fd88eee57f
MD5 e212e8d740310cc565bc89c3b7966804
SHA-256 cb1d1f039c07bd03b6eb14248a897dcefdefc28ae6f523b7c6f549c3c155640b

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

This article was originally posted on the BlackBerry® blog on May 30, 2023. Arctic Wolf acquired Cylance® and its research teams from BlackBerry in February 2025. The BlackBerry Research and Intelligence team is now part of Arctic Wolf Labs.
