Adrian Johnson
TLDR:
Windows-based malware named AllaSenha targets Brazilian bank accounts using a multi-stage infection chain involving phishing emails and malicious files. The malware communicates with its C2 server using Azure cloud infrastructure.
Windows-based AllaKore Malware Abuses Azure Cloud for C2 Infrastructure
A new variant of AllaKore RAT, named AllaSenha, has been discovered targeting Brazilian bank accounts, which leverages a multi-stage infection chain involving phishing emails, malicious LNK disguised as PDF files, Python scripts, and a Delphi-developed loader. The malware steals banking credentials and communicates with its C2 server using Azure cloud infrastructure, which is believed to have been active since March 2024.
Overview of AllaSenha’s deployment steps:
Researchers identified a phishing email campaign targeting Brazilian users in April 2024, where the emails impersonate notifications for electronic invoices (NFS-e) and contain links shortened by is.gd. Clicking the links redirects users to a phishing website hosted on one-digital.digital, which tricks users into downloading a malicious file by disguising a WebDAV URL as a link to an invoice PDF.
A phishing attack exploits user trust by disguising a malicious LNK file as a PDF, and clicking the LNK opens a fake PDF and executes a command shell script. The malware then launches a series of scripts to download and execute malicious payloads.
AllaSenha functionality:
AllaSenha targets Brazilian banks to steal login credentials, 2FA tokens, and QR codes by using the Azure cloud for C2 communication and a DGA to generate unique hostnames. The malware searches user browser data for targeted banks and injects fake windows to steal 2FA tokens depending on the specific bank.
Malicious LNK files and BPyCode launchers are staged on Microsoft Azure WebDAV servers in Brazil, triggering the download of malicious files and using a DGA function to generate Azure cloud app hostnames daily for payload delivery.
