Attacks with the novel AllaKore remote access trojan variant dubbed "AllaSenha" were deployed against several banking entities across Brazil — including Banco Safra, Caixa Economica Federal, and Banco de Brasil — in a bid to facilitate credential theft activities, The Hacker News reports.
Intrusions commence with the distribution of a PDF-spoofing Windows LNK file, which when executed enables the deployment of a command shell that would open a decoy PDF file while fetching a BAT payload with the BPyCode launcher that would eventually trigger the AllaSenha payload, according to a report from Harfang Lab.
Aside from permitting online banking credential exfiltration, AllaSenha also enables two-factor authentication code compromise and QR code scanning lures, said researchers.
"The threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns. While almost exclusively targeting Latin American individuals to steal banking details, these actors often end up compromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all around the world," researchers added.
