AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

AllaSenha is a banking trojan variant of AllaKore that leverages Azure cloud as its C2 infrastructure to steal Brazilian banking credentials. The infection chain starts with a LNK file disguised as a PDF delivered via WebDAV, then downloads and executes a Python-based downloader (BPyCode) and a Delphi loader to deploy AllaSenha in memory. #AllaSenha #AllaKore #AzureCloud #BPyCode #ExecutorLoader #WebDAV #NotaFiscal.pdf.lnk #ItaúUnibanco #BancoDoBrasil #CaixaEconômicaFederal #Bradesco #Sicoob #BancoSafra

Keypoints

  • AllaSenha is a Latin America–focused AllaKore variant that targets Brazilian banking customers and steals their credentials (passwords, 2FA tokens, and QR codes).
  • The infection chain begins with a malicious LNK disguised as a PDF delivered via WebDAV, likely via phishing.
  • BPyCode launcher downloads Python, then runs a base64-encoded Python script to fetch and execute the final payload.
  • Stage 1 (BPyCode) uses a domain-generation algorithm (DGA) to reach Azure-hosted staging servers, from which it downloads ExecutorLoader and the in-memory DLL payload.
  • Stage 2 (ExecutorLoader) injects AllaSenha into mshta.exe and uses a UPX-packed DLL to execute the final banking trojan in memory.
  • AllaSenha uses a daily rotating DGA and Azure C2, includes 2FA hijacking windows, and relies on ServerSocket for rudimentary remote-control capabilities.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The infection chain started with a phishing link embedded in an email, leading to a malicious LNK delivered via WebDAV. “we believe with medium confidence that it is a phishing link (that would be embedded in an email)”
  • [T1204.002] User Execution: Malicious File – The targeted user is expected to execute the malicious LNK named NotaFiscal.pdf.lnk. “The targeted user… is expected to execute the malicious LNK (NotaFiscal.pdf.lnk).”
  • [T1059.001] PowerShell – A base64-encoded PowerShell script downloads and runs the BPyCode payload. “The resulting PowerShell script downloads the Python binary… and drops it to a created folder”
  • [T1059.003] Windows Command Shell – The LNK runs a Windows command shell to download and execute BPyCode launcher. “the LNK file in turn runs a Windows command shell, which creates and opens a fake invalid PDF file… then triggers the download and execution of BPyCode launcher (c.cmd)”
  • [T1140] Deobfuscate/Decode Files or Information – ZIP archives are decrypted/extracted in memory and used to load components. “decrypts and extracts downloaded ZIP archives in memory”
  • [T1055] Process Injection – ExecutorLoader injects the payload into a (renamed) mshta.exe instance and runs it. “ExecutorLoader injects the payload into a (renamed) mshta.exe instance”
  • [T1218.005] Mshta – The final payload is executed within an mshta.exe process, including creating a thread inside this process to run AllaSenha. “a thread is then created inside the remote mshta.exe process, to run the final payload (AllaSenha).”
  • [T1483] Domain Generation Algorithms – BPyCode and AllaSenha use DGAs to generate C2 hostnames under the brazilsouth.cloudapp.azure[.]com domain. “uses a domain generation algorithm (DGA) to generate a list of 3 hostnames….brazilsouth.cloudapp.azure[.]com”
  • [T1095] Non-Application Layer Protocol – C2 communications use raw ASCII over TCP, with hosts and ports negotiated dynamically. “C2 communications between the malware and the server use raw ASCII text over a TCP socket.”
  • [T1027] Obfuscated/Compressed Files or Information – ZIP archives are encrypted with the same password to protect payloads. “encrypted (ZipCrypto) with the same password: Snh2301**Snh2301**”
  • [T1021] Remote Services – The malware includes ServerSocket functionality for keyboard/mouse control and remote desktop capabilities. “ServerSocket, allowing basic RAT functionalities such as keyboard and mouse control, as well as remote desktop capabilities.”
  • [T1060] Registry Run Keys / Startup Folder – BPyCode persistence sets a Run key in the user registry. “registry run key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

Indicators of Compromise

  • [Hash] SHA-256 – 8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535, 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e (Malicious LNK NotaFiscal.pdf.lnk; BPyCode launcher c.cmd)
  • [File name] NotaFiscal.pdf.lnk, c.cmd, dcc.cmd, filesa3.cmd
  • [IP address] 191.232.38.222, 191.235.87.229, 20.197.250.132 (WebDAV shares: \\191.232.38.222@80\Documentos, \\191.235.87.229@80\Documentos, \\20.197.250.132@80\Documentos)
  • [Domain] nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure[.]com
  • [URL] \\abrir-documento-adobe-reader-1.brazilsouth.cloudapp.azure[.]com@80\Documentos, https://raw.githubusercontent.com/marinabarros320168/new/main/Execute_dll.exe
  • [Process/Library] mshta.exe, ExecutorLoader
  • [Registry] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
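The following is an added example, not HarfangLab's code nor any detection logic from the report: it turns the IoCs and behaviours listed on this page (the LNK file name and hashes, the WebDAV hosts, the GitHub URL, the Run key, DGA hostnames under brazilsouth.cloudapp.azure.com, and the renamed mshta.exe instance) into a small event matcher and runs it over constructed sample events. The event schema (fields such as type, path, sha256, dst, proto, url, query, key, image and original_name) is an assumed normalised log format, and the "30 or more lowercase letters" test for DGA-like Azure hostnames is a heuristic of mine, not the report's DGA.

```python
from __future__ import annotations

import re

# IoCs taken from this page (defanged domain re-fanged for matching).
IOC_SHA256 = {
    "8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535",
    "6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e",
}
IOC_FILENAMES = {"notafiscal.pdf.lnk", "c.cmd", "dcc.cmd", "filesa3.cmd"}
IOC_WEBDAV_HOSTS = {"191.232.38.222", "191.235.87.229", "20.197.250.132"}
IOC_URL = "https://raw.githubusercontent.com/marinabarros320168/new/main/Execute_dll.exe"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
AZURE_SUFFIX = ".brazilsouth.cloudapp.azure.com"

# Heuristic (assumption, not the report's DGA): the DGA hostname on the page is a
# 39-letter lowercase label under brazilsouth.cloudapp.azure.com, so flag any
# label there made of 30 or more lowercase letters.
DGA_LABEL = re.compile(r"^[a-z]{30,}$")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event: dict) -> list[str]:
    """Return the names of the detections one normalised event triggers (assumed schema)."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "dns":
        host = event["query"].lower().rstrip(".")
        if host.endswith(AZURE_SUFFIX) and DGA_LABEL.match(host[: -len(AZURE_SUFFIX)]):
            hits.append("dga_like_azure_hostname")
    elif kind == "file":
        name = _basename(event["path"])
        if name in IOC_FILENAMES:
            hits.append("ioc_filename")
        # A .lnk with a second, document-looking extension (NotaFiscal.pdf.lnk pattern).
        if name.endswith(".lnk") and name.count(".") >= 2:
            hits.append("double_extension_lnk")
        if event.get("sha256", "").lower() in IOC_SHA256:
            hits.append("ioc_sha256")
    elif kind == "network":
        if event.get("proto") == "webdav" and event.get("dst") in IOC_WEBDAV_HOSTS:
            hits.append("ioc_webdav_host")
        if event.get("url") == IOC_URL:
            hits.append("ioc_url")
    elif kind == "registry":
        key = event["key"].lower().replace("hkey_current_user", "hkcu")
        if key.startswith(RUN_KEY):
            hits.append("run_key_persistence")
    elif kind == "process":
        # Sysmon-style OriginalFileName says mshta.exe but the image on disk is named otherwise.
        if (event.get("original_name", "").lower() == "mshta.exe"
                and _basename(event["image"]) != "mshta.exe"):
            hits.append("renamed_mshta")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> triggered detections, keeping only events that hit something."""
    findings: dict[int, list[str]] = {}
    for event in events:
        hits = classify_event(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed sample events; only the IoC values come from the page.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "path": r"C:\Users\u\Downloads\NotaFiscal.pdf.lnk",
     "sha256": "8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535"},
    {"id": 2, "type": "network", "dst": "191.232.38.222", "proto": "webdav", "port": 80},
    {"id": 3, "type": "dns",
     "query": "nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure.com"},
    {"id": 4, "type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 5, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "original_name": "mshta.exe"},
    {"id": 6, "type": "dns", "query": "myvm.brazilsouth.cloudapp.azure.com"},  # ordinary VM name
    {"id": 7, "type": "file", "path": r"C:\Users\u\Documents\report.pdf", "sha256": "00" * 32},
    {"id": 8, "type": "network", "dst": "203.0.113.10", "proto": "https", "url": IOC_URL},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Events 6 and 7 are there to show the two weakest rules staying quiet on benign input: a short Azure VM hostname under the same suffix and an ordinary PDF with an unknown hash produce no findings, while the double-extension and renamed-mshta rules fire on behaviour rather than on exact IoC values and so survive the attacker rotating hashes or hostnames.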

Read more: https://harfanglab.io/en/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/