New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

CarnavalHeist is a Brazilian-origin banking Trojan targeting Brazilian users, deploying a multi-stage infection chain that uses a Python-based loader to inject a DLL and perform overlay attacks against banking applications. The campaign is tied to Brazilian threat actors, with C2 infrastructure hosted in the BrazilSouth Azure region and Portuguese-language content throughout the infection chain. #CarnavalHeist #AllaSenha #NotafiscalEletronica #BrazilSouth #Azure

Keypoints

  • CarnavalHeist targets Brazilian financial institutions and users with overlay attack techniques and financial-themed phishing.
  • A Python-based loader dynamically downloads and injects a DLL in the infection chain, enabling final payload execution.
  • Initial access occurs via financially themed spam with fake invoices and IS.GD URL-shortened links directing victims to malicious pages.
  • The final payload is a Delphi-based banking trojan capable of keylogging, screen capture, video capture, QR code manipulation, and extensive C2 control.
  • The C2 infrastructure and domain generation rely on the BrazilSouth Azure region, using DGAs to pick subdomains and ports for communication.
  • Talos links the campaign to two Brazilian actors based on WHOIS-domain-owner data and CPF details observed in registrations and prior activity.

MITRE Techniques

  • [T1566.001] Phishing – Initial access via financially themed unsolicited email with a fake invoice lure to download payload. ‘CarnavalHeist infection begins with a financially themed unsolicited email using a fake invoice as a lure to get the user to open a malicious URL.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – ‘PowerShell script downloading and installing Python and subsequently running the malicious loader.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – ‘Batch file used in the first stage of infection.’
  • [T1059.006] Command and Scripting Interpreter: Python – ‘Python script used to download and inject the malicious DLL.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.’
  • [T1055.001] Process Injection: Dynamic-link Library Injection – ‘Privilege Escalation: Process Injection: Dynamic-link Library Injection.’
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – ‘Defense Evasion: Obfuscated Files or Information: Command Obfuscation.’
  • [T1027.012] Obfuscated Files or Information: LNK Icon Smuggling – ‘Defense Evasion: Obfuscated Files or Information: LNK Icon Smuggling.’
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – ‘Defense Evasion: Obfuscated Files or Information: Embedded Payloads.’
  • [T1036.008] Masquerading: Masquerade File Type – ‘Defense Evasion: Masquerading: Masquerade File Type.’
  • [T1056.001] Input Capture: Keylogging – ‘Credential Access: Input Capture: Keylogging.’
  • [T1056.002] Input Capture: GUI Input Capture – ‘Credential Access: Input Capture: GUI Input Capture.’
  • [T1010] Application Window Discovery – ‘Discovery: Application Window Discovery.’
  • [T1082] System Information Discovery – ‘Discovery: System Information Discovery.’
  • [T1570] Lateral Tool Transfer – ‘Lateral Movement: Lateral Tool Transfer.’
  • [T1113] Screen Capture – ‘Collection: Screen Capture.’
  • [T1102] Web Service – ‘Command and Control: Web Service.’
  • [T1102.002] Web Service: Bidirectional Communication – ‘Command and Control: Web Service: Bidirectional Communication.’
  • [T1105] Ingress Tool Transfer – ‘Command and Control: Ingress Tool Transfer.’
  • [T1571] Non-Standard Port – ‘Command and Control: Non-Standard Port.’
  • [T1020] Automated Exfiltration – ‘Exfiltration: Automated Exfiltration.’
  • [T1041] Exfiltration Over C2 Channel – ‘Exfiltration: Exfiltration Over C2 Channel.’
  • [T1567] Exfiltration Over Web Service – ‘Exfiltration: Exfiltration Over Web Service.’
  • [T1568.002] Dynamic Resolution: Domain Generation Algorithms – ‘Command and Control: Dynamic Resolution: Domain Generation Algorithms.’
  • [T1104] Multi-Stage Channels – ‘Command and Control: Multi-Stage Channels.’

Indicators of Compromise

  • [Domain] Landing pages/domains hosting the initial infection: notafiscaleletronica.nf-e.pro/danfe/?notafiscal=00510242.500611, and nota-fiscal.nfe-digital.top/nota-estadual/?notafiscal=00792011.977347
  • [Domain] Banking-portal related domain: nfe-visualizer.app.br/notas/?notafiscal=000851113082.35493424000
  • [IP] Command-and-Control delivery IPs observed: 4.203.105.118 and 191.233.248.170
  • [Domain] C2/DGA host in BrazilSouth Azure: dga.brazilsouth.cloudapp.azure.com and brazilsouth.cloudapp.azure.com
  • [Domain] Shortened links used in the spam: IS.GD URLs such as https://is[.]gd/38qeon?0177551.5510 and https://is[.]gd/ROnj3W?0808482.5176
  • [File] Attacker-hosted MSI and ZIP payloads on GitHub: github.com/marianaxx0492494/update/raw/main/setup.msi, github.com/marianaxx0492494/update/raw/main/Execute_dll.zip
  • [File] Files disguised as a nota fiscal during the infection: NotaFiscal.pdf (fake PDF dropped in Downloads) and an LNK that launches the next stage
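Added example, not code from the Talos report: a small Python matcher that refangs the indicators listed above and runs them over constructed web-proxy log lines, flagging the DGA suffix separately when it is contacted on a non-standard port. The DGA subdomain in the sample log and the "?NNNNNNN.NNNN" query pattern used to single out the IS.GD lures are assumptions.

```python
import re
from urllib.parse import urlparse

def refang(indicator: str) -> str:
    """Reports defang indicators ('is[.]gd', 'hxxp://'); undo that for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Indicators as listed in the report above.
LURE_DOMAINS = ["notafiscaleletronica.nf-e.pro", "nota-fiscal.nfe-digital.top",
                "nfe-visualizer.app.br"]
DGA_SUFFIX = "brazilsouth.cloudapp.azure.com"  # DGA chooses the subdomain and port
C2_IPS = {"4.203.105.118", "191.233.248.170"}
PAYLOAD_PATHS = {"/marianaxx0492494/update/raw/main/setup.msi",
                 "/marianaxx0492494/update/raw/main/Execute_dll.zip"}
SHORTENER = refang("is[.]gd")
# Assumption: both reported is.gd lures end in "?NNNNNNN.NNNN"; requiring it avoids flagging every is.gd link.
LURE_QUERY = re.compile(r"^\d{7}\.\d{4}$")

def classify(url: str):
    """Label a URL that touches a listed indicator, or None if it does not."""
    p = urlparse(url if "://" in url else "http://" + url)  # also handles CONNECT host:port
    host = (p.hostname or "").lower()
    if host in C2_IPS:
        return "c2-ip"
    if host == DGA_SUFFIX or host.endswith("." + DGA_SUFFIX):
        port = p.port or (443 if p.scheme == "https" else 80)
        return "dga-c2" + ("-nonstandard-port" if port not in (80, 443) else "")
    if host == "github.com" and p.path in PAYLOAD_PATHS:
        return "payload-download"
    if any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
        return "lure-page"
    if host == SHORTENER and LURE_QUERY.match(p.query):
        return "shortened-lure"
    return None

def scan(log_text: str) -> list:
    """(line number, label, url) for each 'ts src method url' line that hits an indicator."""
    rows = [(n, l.split()) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, classify(p[3]), p[3]) for n, p in rows
            if len(p) >= 4 and classify(p[3])]

# Constructed proxy log; the DGA subdomain "xk3f9" is made up for the example.
SAMPLE_LOG = """\
1717000000.1 10.0.0.5 GET https://is.gd/38qeon?0177551.5510
1717000003.4 10.0.0.5 CONNECT xk3f9.brazilsouth.cloudapp.azure.com:7531
1717000004.5 10.0.0.7 GET https://www.example.com/index.html
1717000005.6 10.0.0.7 CONNECT 4.203.105.118:443
"""
```

Run `scan(SAMPLE_LOG)` to get the flagged lines; the example.com line is left unflagged, as is an is.gd link without the lure query pattern.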

Read more: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/