A new cybercrime campaign has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal. The campaign, dubbed Operation CMDStealer, relies primarily on social engineering: Portuguese- and Spanish-language emails with tax- or traffic-violation-themed lures trigger the infection and give the attacker unauthorized access to the victim's system.

The emails carry an HTML attachment containing obfuscated code that fetches the next-stage payload, a RAR archive, from a remote server. The archive, which is geofenced to a specific country, includes a .CMD file. That file in turn houses an AutoIt script engineered to download a Visual Basic Script that steals Microsoft Outlook and browser password data.

The BlackBerry Research and Intelligence Team said in a report published last week that "this threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities." The cybersecurity company attributed the campaign to a Brazilian threat actor based on an analysis of the artifacts.

LOLBaS and CMD-based scripts help threat actors avoid detection by traditional security measures. Because the scripts use built-in Windows tools and commands rather than custom binaries, the activity blends in with legitimate administration, allowing the threat actor to evade endpoint protection platform (EPP) solutions and bypass other security controls. This makes it difficult for traditional security measures to detect and stop these kinds of attacks.

If you receive an email in Portuguese or Spanish with a tax- or traffic-related theme, be aware that it may be part of this campaign. Do not open any attachments or click any links in the email.
If you have already opened the attachment or clicked the link, monitor your online banking activity for any suspicious activity. If you see anything unusual, contact your bank immediately.
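Because every stage of the chain described above runs through built-in Windows script hosts, one practical detection is to look for the parent-child relationship itself (cmd.exe running a .cmd file from a user-writable path, spawning the AutoIt interpreter, spawning a script host with a .vbs) rather than for any single binary. The following is an added illustration, not code from the BlackBerry report; the event field names, file paths and the `AutoIt3.exe` image name are constructed assumptions for a simplified Sysmon-style process-creation feed.

```python
"""Flag the CMDStealer-style process chain (.cmd -> AutoIt -> VBScript)
in process-creation telemetry. Constructed sample data; field names are
an assumption and will differ per EDR/SIEM."""

# Constructed events: pids 100-400 mimic the chain; 500-600 are benign noise.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\multa\notificacao.cmd"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\a.au3"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Documents\admin.vbs"},
]

def ancestry(events, pid):
    """Return the process and all its ancestors, youngest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def is_cmdstealer_chain(events, pid):
    """True if pid is a script host running a .vbs whose ancestors include an
    AutoIt interpreter and a cmd.exe executing a .cmd from a user profile path."""
    chain = ancestry(events, pid)
    images = [e["image"].lower().rsplit("\\", 1)[-1] for e in chain]
    cmdlines = [e["cmdline"].lower() for e in chain]
    # Final stage: wscript/cscript executing a VBScript file.
    if images[0] not in ("wscript.exe", "cscript.exe") or ".vbs" not in cmdlines[0]:
        return False
    # Middle stage: an AutoIt interpreter somewhere above the script host.
    has_autoit = any("autoit" in img for img in images[1:])
    # First stage: cmd.exe running a .cmd file out of C:\Users\... (user-writable).
    has_cmd = any(img == "cmd.exe" and ".cmd" in cl and "\\users\\" in cl
                  for img, cl in zip(images[1:], cmdlines[1:]))
    return has_autoit and has_cmd

def flagged(events):
    """Pids of script-host processes that complete the suspicious chain."""
    return sorted(e["pid"] for e in events if is_cmdstealer_chain(events, e["pid"]))
```

Tuning the `.cmd`-from-profile-path and AutoIt conditions to your environment is the main source of false positives; the benign `admin.vbs` launched from a bare cmd.exe is deliberately not flagged.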