Operation Magalenha - Long-Running Campaign Pursues Portuguese Credentials and PII

Brazilian threat actors are known to distribute malware using a variety of methods, such as phishing emails, social engineering, and malicious websites delivering fake installers of popular applications.

In the context of Operation Magalenha, the infection starts with the execution of a malicious VB script, which primarily serves to download and execute a malware loader and distract users while doing so.
The malware loader subsequently downloads and executes the PeepingTitle backdoors.

VB Script Obfuscation and Execution

The VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments, which is typically pasted content of publicly available code repositories.
This is a simple, yet effective technique for evading static detection mechanisms - the scripts that are available on VirusTotal feature relatively low detection ratios.

When executed, the VB scripts first open a TinyURL to user login sites of Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT - Autoridade Tributária e Aduaneira).
Based on this script behavior, we suspect that the threat group behind Operation Magalenha has been delivering the scripts through EDP- and AT-themed phishing emails, aligning with a known tactic observed among threat actors targeting Portuguese citizens.

Dual Purpose of the VB Scripts

The VB scripts serve a twofold purpose for the threat actors:

• Act as a smoke screen distracting users while the scripts continue to download and execute the malware loader.
• Enable the theft of EDP and AT credentials if the users enter the credentials after the malware loader has executed the PeepingTitle backdoors. This may provide the threat actor with users' personal information.

We note that users may login to the Portuguese Tax and Customs Authority in several ways, including using government-issued credentials for citizens to access not only the online services of the Authority, but also other services provided by the Portuguese state.

Malware Loader Execution

The scripts then download to the %PUBLIC% folder an archive file that contains a malware loader.
They subsequently extract the loader and delete the archive.
Finally, the scripts execute the malware loader after a time interval of, for example, 5 seconds.
The malware loader downloads and executes two PeepingTitle backdoor variants.

PeepingTitle Malware Overview

The PeepingTitle samples share some code segments, indicating that they have been developed as part of a single development effort. For example, both malware strains implement similar initialization routines, which involve:

• Evaluating the presence of the wine_get_version function in the ntdll.dll library file.
• Establishing persistence by editing the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Similar to other malware used by Brazilian threat actors, the PeepingTitle backdoors contain string artifacts in Brazilian-Portuguese language.

PeepingTitle First Variant: Window Title Monitoring

After initialization, at one-second intervals, the first PeepingTitle variant monitors the titles of application windows that have captured the mouse cursor.

The malware first transforms a window title into a lowercase string stripped of any whitespace characters. It then checks if the transformed title contains any of the strings from a predefined set of strings related to targeted institutions.

The predefined strings are defined such that they are part of the browser window titles when a user visits the online resources (i.e., sites or specific online services) of predominantly Portuguese financial institutions or institutions with a presence in Portugal.

These include government, government-backed, and private institutions. The targeted sites and online services encompass a broad set of activities that users may conduct when interacting with them, providing a wealth of personal user information to the threat actor, such as:

• Account registration
• Document overview
• Credential input

When a user visits a targeted online resource, PeepingTitle:

1. Sets the window title monitoring interval to 5 seconds.
2. Connects to a C2 server.
3. Exfiltrates data in an encrypted form, including a timestamp, the name of the infected machine, and the captured window title.

This registers the infected machine at the C2 server.

Backdoor Capabilities of PeepingTitle

PeepingTitle implements backdoor capabilities that allow for full control over compromised machines. Some of these include:

• Process termination and screenshot capture: PeepingTitle can take screenshots of the entire screen.
• Staging of further malware: This involves executing malware placed in the %PUBLIC% directory or first downloading malware executables from attacker-controlled locations to this directory, followed by execution. The staged malware could implement any capabilities the threat actor may need in a given situation, such as further data exfiltration or interaction and overlay screen capabilities to bypass multi-factor authentication.
• Execution of Windows PE images and DLL files: Using the rundll32 Windows utility.
• Reconfiguration: This includes restarting the PeepingTitle process, reconfiguring the window title monitoring interval to 1 second, and configuring the image scale of the screenshots that PeepingTitle takes.

PeepingTitle Second Variant: Advanced Monitoring

In contrast to the first variant, the second PeepingTitle variant registers the infected machine at the C2 server upon execution.

The malware exfiltrates data in an encrypted form, which includes the name of the infected machine and volume serial numbers.

The malware then continues to monitor for changes in the top-level window and takes a screenshot of this window whenever the user changes it. PeepingTitle sends the screenshot to a different C2 server than the one used for registering the infected machine.

Differences Between the Two PeepingTitle Variants

The first PeepingTitle variant captures the entire screen, while the second captures each window a user interacts with. This malware duo provides the threat actor with a detailed insight into user activity.

Additionally, the second PeepingTitle variant includes further features, such as:

• Downloading and executing malware in the form of Windows PE images.
• Process termination.
• Malware reconfiguration.