A new variant of AllaKore RAT, named AllaSenha, has been discovered targeting Brazilian bank accounts. It uses a multi-stage infection chain involving phishing emails, malicious LNK files disguised as PDFs, Python scripts, and a Delphi-developed loader.
The malware steals banking credentials and communicates with its C2 server using Azure cloud infrastructure, which is believed to have been active since March 2024.
Researchers identified a phishing email campaign targeting Brazilian users in April 2024, where the emails impersonate notifications for electronic invoices (NFS-e) and contain links shortened by is.gd.
Clicking the links redirects users to a phishing website hosted on one-digital.digital, which tricks users into downloading a malicious file by disguising a WebDAV URL as a link to an invoice PDF.
The attack exploits user trust by disguising a malicious LNK file (NotaFiscal.pdf.lnk) as a PDF document. Clicking the LNK opens a fake PDF and executes a command shell script.
The BAT file, nicknamed “BPyCode Launcher,” then launches a base64-encoded PowerShell script, which retrieves the Python binary from python.org and executes a further base64-encoded Python script (“BPyCode”) using the downloaded Python interpreter.
BPyCode is a Python script that downloads a DLL (ExecutorLoader) and executes it in memory, uses a domain generation algorithm (DGA) to generate a list of hostnames and ports, and tries to download a payload from one of the possible combinations.
The downloaded data is a Pickle5-serialized dictionary, which contains an additional Python loader script, a ZIP archive with PythonMemoryModule, and another ZIP archive with ExecutorLoader.
BPyCode contains a killswitch mechanism that stops its execution if the targeted computer’s processor name contains Broadwell.
ExecutorLoader is a Delphi-developed DLL that injects a final payload (like AllaSenha) into a renamed mshta.exe instance. It first copies mshta.exe to a random directory and then launches the copy.
According to HarfangLab, it then loads a UPX-packed DLL (the final payload) from its resources and allocates memory in the mshta.exe process.
Finally, it creates a thread in mshta.exe to run the final payload. ExecutorLoader was previously also distributed as an executable (Execute_dll.exe) with the same functionality.
AllaSenha, a new variant of the AllaKore RAT, targets Brazilian banks to steal login credentials, 2FA tokens, and QR codes. It leverages the Azure cloud for C2 communication and uses a Domain Generation Algorithm (DGA) to generate unique hostnames.
Upon launch, it searches user browser data for targeted banks and enters a waiting state if nothing is found. When the user interacts with a targeted bank website or application, AllaSenha extracts login data and, depending on the specific bank, injects fake windows to steal 2FA tokens.
Malicious LNK files and BPyCode launchers are staged on Microsoft Azure WebDAV servers in Brazil. The LNK triggers the download of a malicious BAT file, and the BPyCode launcher uses a DGA function to generate Azure cloud app hostnames for payload delivery daily.
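The chain described above leaves endpoint telemetry a defender can match on: a shortcut named like a document, a Python interpreter started by PowerShell, and a copy of mshta.exe running under another name or from a non-system directory. The following is an added example, not code from HarfangLab or the original article; it uses Sysmon field names, while the sample events, paths, rule names and the assumption that PowerShell is the direct parent of the Python process are constructed for illustration.

```python
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)

# Constructed telemetry using Sysmon field names (Event ID 1 = process
# creation, 11 = file creation). All paths and names are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "OriginalFileName": "MSHTA.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\kq3x\svcupd.exe",
     "OriginalFileName": "MSHTA.EXE", "ParentImage": r"C:\Users\Public\py\pythonw.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\py\pythonw.exe",
     "OriginalFileName": "pythonw.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Downloads\NotaFiscal.pdf.lnk"},
]


def findings(event):
    """Return the names of the rules that a single event matches."""
    hits = []
    folder, name = ntpath.split(event.get("Image", "").lower())
    parent = ntpath.basename(event.get("ParentImage", "").lower())
    # Rule 1: the version resource says mshta.exe, but the file runs under
    # another name or from outside the Windows system directories.
    if event.get("OriginalFileName", "").lower() == "mshta.exe":
        if name != "mshta.exe" or folder not in SYSTEM_DIRS:
            hits.append("relocated_mshta")
    # Rule 2 (assumes PowerShell is the direct parent): Python interpreter
    # started by PowerShell.
    if name in ("python.exe", "pythonw.exe") and parent in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_spawned_python")
    # Rule 3: shortcut whose name carries a document extension before .lnk.
    if DOC_LNK.search(event.get("TargetFilename", "")):
        hits.append("document_named_lnk")
    return hits


def scan(events):
    """Map the index of each matching event to its rule hits."""
    return {i: hits for i, e in enumerate(events) if (hits := findings(e))}


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

Rule 1 keys on the OriginalFileName value rather than the file name on disk, so it still matches when the copy is renamed.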