An unknown, financially motivated threat actor (likely from Brazil) targets Spanish- and Portuguese-speaking victims in Portugal, Mexico, and Peru to steal online banking access using CMD-based scripts and LOLBaS (Living Off the Land Binaries and Scripts). The campaign relies on phishing in Portuguese and Spanish, social engineering, and a malware chain that uses AutoIt-based components to exfiltrate banking credentials and related data. #CMDStealer #LOLBAS #AutoIt #Phishing #Portugal #Mexico #Peru #Brazil
Key points
- The campaign targets Portugal, Mexico, and Peru, focusing on online banking theft via a financially motivated actor from Latin America (likely Brazil).
- Phishing emails in Portuguese/Spanish drive the infection, using urgent-sounding content about transit violations/taxes to coerce recipients into opening HTML attachments.
- The payload chain relies on CMD-based scripts and AutoIt, including two base64 data blobs and instructions for execution within a CMD/AutoIt workflow.
- The malware enumerates the host, downloads a VBS file, and executes it (via SHELLEXECUTE) to harvest Outlook data and Chrome passwords.
- Exfiltration is performed over HTTP POST to a C2, with data packed into a request to hard-to-trace domains behind redacted WHOIS and fast-flux infrastructure.
- The malware targets banking-related data (including Mexican banks) and shows persistence mechanisms to maintain access.
- Attribution points to a Latin American actor, with Brazil identified as the likely origin.
MITRE Techniques
- [T1566.001] Phishing – The infection chain begins with the user receiving a phishing email. Quote: “The infection chain begins with the user receiving a phishing email. These phishing emails are specially crafted to grab victims’ attention.”
- [T1204.002] User Execution – The recipient is prompted to open an HTML attachment. Quote: “The email text employs scare tactics, such as evidence of a traffic violation, prompting the user to open the HTML attachment which contains some junk code and data in HEX format.”
- [T1059.003] Windows Command Shell – CMD-based scripts drive execution; the CMD file contains encoded data and instructions. Quote: “The .CMD file is large, ranging between 1.34 – 1.37MBs, and consists of two base64 encoded data blobs and code instructions for its execution.”
- [T1027] Obfuscated/Compressed Files and Information – The CMD payload relies on base64-encoded data blobs to conceal instructions. Quote: “consists of two base64 encoded data blobs and code instructions for its execution.”
- [T1140] Deobfuscate/Decode Files or Information – Base64 blocks require decoding as part of instruction execution. Quote: “two base64 encoded data blobs and code instructions for its execution.”
- [T1105] Ingress Tool Transfer – The AutoIt-based script downloads additional components (e.g., sqlite3.dll) for later use. Quote: “downloading the ‘sqlite3.dll’ file from ‘…autoitscript.com/autoit3/pkgmgr/sqlite/’ which will be required later during the Chrome password theft.”
- [T1071.001] Web Protocols – Data is exfiltrated to C2 over HTTP POST. Quote: “All data is then sent back to the attacker’s C2 via the HTTP POST method.”
- [T1132.001] Data Encoding – The C2 URL construction encodes/transmits victim data as part of the post. Quote: “the values are: v1 – OS language … v5 – OS architecture” and then URL parameters are constructed.
- [T1082] System Information Discovery – The malware collects OS language, keyboard layout, and OS version. Quote: “v1 – OS language (e.g., 1033 – English US) v2 – keyboard layout … v3 – operating system version” (System information discovery context)
- [T1087] Account Discovery – The malware notes whether the target is an admin or user. Quote: “v4 – is target an admin or user” (Account discovery context)
- [T1041] Exfiltration – Data is sent to C2 via HTTP POST. Quote: “All data is then sent back to the attacker’s C2 via the HTTP POST method.”
- [T1555.003] Credentials From Registry – Outlook credentials are targeted from registry keys (POP3/SMTP/IMAP). Quote: “to steal Outlook data such as server, user, and password from POP3, SMTP, and IMAP registry keys.”
- [T1547.009] Boot or Logon Autostart Execution – The campaign shows persistence mechanisms to maintain access. Quote: “To gain persistence on the infected system, it relies on the following code” and related content about startup/persistence.
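The execution chain above (a .CMD script launching an AutoIt component, which in turn runs the downloaded VBS file via ShellExecute) can be hunted for in process-creation telemetry. The following is an added detection example, not code from the BlackBerry write-up or from the malware; it runs over constructed Sysmon-style events. The AutoIt interpreter name (AutoIt3.exe) and the VBS host names (wscript.exe/cscript.exe) are assumptions about what such a chain would look like on an endpoint, not values taken from the page.

```python
"""Added example (not from the write-up): flag the CMD -> AutoIt -> VBS
execution chain in constructed process-creation events."""

SCRIPT_HOSTS = {"cmd.exe"}
AUTOIT_IMAGES = {"autoit3.exe"}             # assumed AutoIt interpreter name
VBS_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for a .vbs file
CHAIN = ("vbs", "autoit", "cmd_script")     # child-to-parent order we require


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def stage(event):
    """Map one process-creation event to a chain stage, or None if it is not one."""
    img = image_name(event["Image"])
    cmdline = event["CommandLine"].lower()
    if img in SCRIPT_HOSTS and ".cmd" in cmdline:
        return "cmd_script"
    if img in AUTOIT_IMAGES:
        return "autoit"
    if img in VBS_HOSTS and ".vbs" in cmdline:
        return "vbs"
    return None


def _in_order(seen, wanted):
    """True if `wanted` occurs as an ordered subsequence of `seen`."""
    it = iter(seen)
    return all(any(s == w for s in it) for w in wanted)


def find_chains(events):
    """Return ProcessIds of VBS hosts whose ancestry contains
    cmd_script -> autoit -> vbs (intermediate processes are tolerated)."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if stage(e) != "vbs":
            continue
        seen, visited, cur = [], set(), e
        # Walk up the parent chain, collecting recognised stages child-first
        while cur is not None and cur["ProcessId"] not in visited:
            visited.add(cur["ProcessId"])
            s = stage(cur)
            if s:
                seen.append(s)
            cur = by_pid.get(cur["ParentProcessId"])
        if _in_order(seen, CHAIN):
            hits.append(e["ProcessId"])
    return hits


# Constructed sample events; paths, PIDs and script names are made up,
# except the payload filename doc-Impuestos.cmd, which is listed on the page.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\doc-Impuestos.cmd"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\victim\AppData\Local\Temp\a.au3"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\s.vbs"'},
    # Benign look-alike: a logon .cmd running a VBS directly, no AutoIt stage
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c logon.cmd"},
    {"ProcessId": 600, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\cscript.exe", "CommandLine": r"cscript.exe inventory.vbs"},
]

if __name__ == "__main__":
    print("suspicious VBS hosts:", find_chains(SAMPLE_EVENTS))
```

Requiring the full three-stage ancestry keeps the rule quiet on ordinary logon scripts that run VBS from a .cmd file (the benign pair above), while still matching when an unrelated helper process sits between the stages.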
Indicators of Compromise
- [Domain] – C2 domains used in the campaign: publicpressmagazine.com, websylvania.com (context: domains hosting the phishing/C2 infrastructure).
- [File Hash] – Example: f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0, 0a277e51598ef364d5e0006817d32487eb9c0a3c150b7169cbc0bb7348088e63 (context: unique payload hashes for samples).
- [File Hash] – Example: 2d87b9b071ace9f2ebfa33c1c0c21202f39876b312e135a491bf57ba731b798c, e64f28174f646e26199d6b7735c84195 (context: additional sample hashes).
- [File Name] – Example: doc-Impuestos.cmd, Impuestos-Documento.cmd (context: CMD payload filenames used in the infection chain).
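The domains, hashes and filenames above, together with the v1–v5 victim-profile parameters the write-up describes in the C2 request, can be turned into a simple triage check over proxy logs and file inventories. This is an added example, not code from the BlackBerry write-up; the log format, the request path, the client addresses and the timestamps are constructed, and only the indicators and the parameter names come from the page.

```python
"""Added example (not from the write-up): match the page's IoCs and the
v1..v5 beacon shape against constructed proxy-log and file-inventory records."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the page (the only non-constructed values in this block)
C2_DOMAINS = {"publicpressmagazine.com", "websylvania.com"}
PAYLOAD_NAMES = {"doc-impuestos.cmd", "impuestos-documento.cmd"}
PAYLOAD_HASHES = {  # mix of SHA-256 and MD5 values, as listed on the page
    "f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0",
    "0a277e51598ef364d5e0006817d32487eb9c0a3c150b7169cbc0bb7348088e63",
    "2d87b9b071ace9f2ebfa33c1c0c21202f39876b312e135a491bf57ba731b798c",
    "e64f28174f646e26199d6b7735c84195",
}
# Victim-profiling parameters the write-up says the C2 request carries
PROFILE_PARAMS = {"v1", "v2", "v3", "v4", "v5"}

# Constructed proxy-log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify_request(line):
    """Return the reasons a proxy-log line is suspicious (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    _ts, _client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Exact domain or any subdomain of a listed C2 domain
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"known C2 domain {host}")
    # Beacon shape: query string carrying the complete v1..v5 profile set
    if PROFILE_PARAMS <= set(parse_qs(parts.query)):
        reasons.append(f"{method} carrying v1..v5 victim-profile parameters")
    return reasons


def scan_proxy_log(lines):
    """Pair every flagged line with its reasons; clean lines are dropped."""
    return [(line, reasons) for line in lines if (reasons := classify_request(line))]


def check_file(name, digest):
    """Match a filename / hash pair from an inventory against the IoCs.
    Hashes are compared case-insensitively and without assuming one algorithm,
    since the list mixes SHA-256 and MD5."""
    hits = []
    if name.lower() in PAYLOAD_NAMES:
        hits.append("payload filename")
    if digest.lower() in PAYLOAD_HASHES:
        hits.append("payload hash")
    return hits


# Constructed sample log; v1=1033 and v4=user mirror the page's description
SAMPLE_LOG = [
    "2023-05-10T09:12:01Z 10.0.0.15 GET https://www.example.org/index.html 200",
    "2023-05-10T09:12:44Z 10.0.0.15 POST http://publicpressmagazine.com/r.php"
    "?v1=1033&v2=00000409&v3=10.0&v4=user&v5=x64 200",
    "2023-05-10T09:13:02Z 10.0.0.22 POST https://cdn.websylvania.com/u 200",
    "2023-05-10T09:13:30Z 10.0.0.31 GET https://www.example.org/?v1=a 200",
]

if __name__ == "__main__":
    for line, reasons in scan_proxy_log(SAMPLE_LOG):
        print(reasons, "<-", line)
    print(check_file("doc-Impuestos.cmd", "E64F28174F646E26199D6B7735C84195"))
```

The beacon-shape check is deliberately independent of the domain check: the write-up notes the infrastructure sits behind redacted WHOIS and fast-flux hosting, so the domains will rotate while the v1..v5 request structure is more likely to stay put.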
Read more: https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico