The trojan has been disseminated via phishing templates impersonating tax services in Portugal.
An HTML file downloads a .lnk file masquerading as an MSI file; the shortcut abuses living-off-the-land binaries (LOLBins) to execute an MSI file (segunda.msi).
“segunda.msi” downloads and executes an EXE file that drops the final stage.
The trojan itself installs or modifies Windows trusted certificates, monitors the windows the victim opens so it can overlay fake banking windows on top of the legitimate ones to steal credentials, and can deploy additional payloads executed via a DLL injection technique.
The victims’ data is encrypted and sent to a C2 server geolocated in Russia.