Brazilian cybercriminals recently targeted Portuguese bank customers, report says

Hackers based in Brazil have targeted users of dozens of Portuguese banks this year in a campaign that appears to be related to cybercrime activity dating at least to 2021, researchers said Thursday.

The group’s goal is to exfiltrate data and personal information, “which can be leveraged for malicious activities beyond financial gain,” according to the report from SentinelOne. One hallmark of the hackers is the use of a Russian cloud service, Timeweb, known for having relaxed anti-abuse policies.

The report doesn’t specify exactly how the group — named Operation Magalenha by SentinelOne — infected its recent victims with malware, but notes that long-running Brazilian cybercrime gangs are known for "phishing emails, social engineering, and malicious websites delivering fake installers of popular applications."

Users of more than 30 institutions have been targeted, SentinelOne says, including private firms like Banco BPI and Novobanco, and the government-run Caixa Geral de Depósitos. The attackers’ methods “suggest an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns.”

The group aims to install two backdoor programs that the researchers collectively call PeepingTitle. The malware has “spyware capabilities giving the attackers full control over infected machines, allowing activities such as monitoring window interaction, taking unauthorized screenshots, terminating processes and deploying further malware.”

The backdoors arrive when the hackers are able to run malicious Visual Basic Scripts that “download and execute a malware loader and distract users while doing so,” write researchers Aleksandar Milenkoski and Tom Hegel. The scripts use some sneaky techniques in the process.

“The VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments, which is typically pasted content of publicly available code repositories,” the report says. “This is a simple, yet effective technique for evading static detection mechanisms – the scripts that are available on [the VirusTotal code repository] feature relatively low detection ratios.”

The activity SentinelOne tracked this year has similarities to previous cybercrime campaigns over the last two years in Spain as well as Central and Latin American countries, the report says.

“Operation Magalenha indicates the persistent nature of the Brazilian threat actors,” write Milenkoski and Hegel. “These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.”