Windows-based AllaKore Malware Abuses Azure Cloud for C2 Infrastructure
A new variant of the AllaKore RAT, named AllaSenha, has been found targeting Brazilian bank accounts. It uses a multi-stage infection chain involving phishing emails, a malicious LNK file disguised as a PDF, Python scripts, and a Delphi-developed loader.
The malware steals banking credentials and communicates with its C2 server through Azure cloud infrastructure; the campaign is believed to have been active since March 2024.
Researchers identified a phishing email campaign targeting Brazilian users in April 2024. The emails impersonate notifications for electronic invoices (NFS-e) and contain links shortened with is.gd.
Clicking the links redirects users to a phishing site hosted on one-digital.digital, which tricks them into downloading a malicious file by disguising a WebDAV URL as a link to an invoice PDF.
The attack exploits user trust by disguising a malicious LNK file (NotaFiscal.pdf.lnk) as a PDF document; because Windows never displays the .lnk extension of a shortcut, the file appears to be NotaFiscal.pdf. Opening the LNK displays a decoy PDF and executes a batch (BAT) script.
The BAT file, nicknamed “BPyCode Launcher,” then launches a base64-encoded PowerShell script, which retrieves a Python binary from python.org and uses the downloaded interpreter to execute another base64-encoded Python script (“BPyCode”).
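As an added example (not code from the original article or from the campaign), the following Python triage helper decodes a PowerShell `-EncodedCommand` argument of the kind the BPyCode Launcher passes, recovers the UTF-16LE script, extracts the URLs it contacts, and decodes any nested `[Convert]::FromBase64String(...)` payload such as an embedded Python stage. The command line, the download URL and the inner Python snippet are constructed sample input, not the campaign's actual script.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample (not from the campaign): a hypothetical inner script that
# fetches a Python interpreter and writes a base64-embedded Python stage to disk.
INNER_PY = 'print("stage2")'
SAMPLE_SCRIPT = (
    "$u='https://www.python.org/ftp/python/3.12.3/python-3.12.3-embed-amd64.zip';"
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\py.zip;"
    "$b=[Convert]::FromBase64String('"
    + base64.b64encode(INNER_PY.encode()).decode()
    + "');"
    "[IO.File]::WriteAllBytes(\"$env:TEMP\\stage.py\",$b);"
    "& $env:TEMP\\python.exe $env:TEMP\\stage.py"
)


def build_sample_cmdline() -> str:
    """Encode the sample script exactly as powershell.exe -EncodedCommand expects:
    UTF-16LE text, then base64."""
    enc = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -W Hidden -enc {enc}"


# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings seen in launchers are -e, -ec, -en, -enc and the full name.
ENC_FLAG = re.compile(
    r"-e(?:c|n(?:c(?:odedcommand)?)?)?\s+[\"']?([A-Za-z0-9+/=]{8,})", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"<>;]+")
B64_CALL = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", re.I)


def _b64decode_lenient(s: str) -> bytes:
    """Base64-decode, repairing padding that launchers frequently strip."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = _b64decode_lenient(m.group(1))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Decode the script, then pull URLs and nested base64 payloads out of it."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"script": None, "urls": [], "embedded": []}
    embedded = []
    for b64 in B64_CALL.findall(script):
        try:
            embedded.append(_b64decode_lenient(b64).decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            continue
    urls = URL_RE.findall(script)
    for stage in embedded:
        urls.extend(URL_RE.findall(stage))  # a nested stage may carry its own URLs
    return {"script": script, "urls": urls, "embedded": embedded}


if __name__ == "__main__":
    result = triage(build_sample_cmdline())
    print(result["urls"])
    print(result["embedded"])
```

Nested stages are decoded as UTF-8 rather than UTF-16LE because `FromBase64String` hands the bytes to whatever decoder the script chooses; if the recovered text is garbage, try `utf-16-le` as a second pass.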
BPyCode is a Python script that downloads a DLL (ExecutorLoader) and executes it in memory. It uses a domain generation algorithm (DGA) to produce a list of hostnames and ports, and tries the possible host/port combinations until a payload downloads.
The downloaded data is a Pickle5-serialized dictionary containing another Python loader script, a ZIP archive with PythonMemoryModule, and a second ZIP archive with ExecutorLoader. Because unpickling resolves and calls any Python objects referenced in the stream, analysts should inspect such a dictionary without loading it with the standard unpickler.
BPyCode contains a killswitch that stops its execution if the targeted computer's processor name contains “Broadwell”.
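The following is an added example, not code from the article or from the malware: it shows how to inspect a protocol-5 pickle such as the one BPyCode downloads without executing it, by walking the opcode stream with `pickletools.genops`, and how to load it only under an unpickler that refuses every global lookup. The dictionary keys, the blob contents and the `_Evil` class are constructed samples.

```python
import io
import pickle
import pickletools
from typing import Any, Dict

# Opcodes that resolve or call Python objects. A plain data dictionary of
# strings and bytes never needs any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}
BYTES_OPCODES = {"SHORT_BINBYTES", "BINBYTES", "BINBYTES8", "BYTEARRAY8"}


def inspect_pickle(data: bytes) -> Dict[str, Any]:
    """Summarise a pickle stream by reading its opcodes; nothing is executed."""
    strings, blobs, callables, seen = [], [], [], set()
    for opcode, arg, _pos in pickletools.genops(data):
        seen.add(opcode.name)
        if opcode.name in STRING_OPCODES:
            strings.append(arg)
        elif opcode.name in BYTES_OPCODES:
            blobs.append(len(arg))
        elif opcode.name == "GLOBAL":
            # pre-protocol-4 form: arg is "module name"
            callables.append(arg.replace(" ", ".", 1))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # protocol 4/5 form: module and name were pushed as the two preceding strings
            callables.append(f"{strings[-2]}.{strings[-1]}")
    return {
        "strings": strings,
        "blob_sizes": blobs,
        "callables": callables,
        "code_opcodes": sorted(seen & CODE_OPCODES),
    }


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that can only build containers, strings, numbers and bytes."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def benign_sample() -> bytes:
    """Constructed stand-in for the loader dictionary (keys are hypothetical)."""
    stage = {
        "loader": "print('stage2')",
        "pymemorymodule.zip": b"PK\x03\x04" + b"\x00" * 300,
        "executorloader.zip": b"PK\x03\x04" + b"\x00" * 500,
    }
    return pickle.dumps(stage, protocol=5)


class _Evil:
    """Constructed object whose pickle runs eval() on load with the stock unpickler."""

    def __reduce__(self):
        return (eval, ("__import__('os').system('echo pwned')",))


def malicious_sample() -> bytes:
    # pickle.dumps only serialises the reference to eval; nothing runs here.
    return pickle.dumps(_Evil(), protocol=5)


if __name__ == "__main__":
    print(inspect_pickle(benign_sample()))
    print(inspect_pickle(malicious_sample()))
    try:
        safe_load(malicious_sample())
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

The opcode walk is the safe first step for any pickle picked up from a DGA endpoint: it lists the string constants and the size of each embedded ZIP without touching `pickle.load`, and any entry in `callables` or `code_opcodes` means the stream does more than carry data.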
ExecutorLoader is a Delphi-developed DLL that injects the final payload (such as AllaSenha) into a renamed copy of mshta.exe: it first copies mshta.exe to a randomly named directory and then launches the copy.
According to HarfangLab, it then loads a UPX-packed DLL (the final payload) from its resources and allocates memory in the mshta.exe process.
Finally, it creates a thread in mshta.exe to run the final payload. Earlier, ExecutorLoader was also distributed as an executable (Execute_dll.exe) with the same functionality.
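As an added example of detection logic (not from the article or from HarfangLab), the following Python function flags the ExecutorLoader behaviour described above in Sysmon-style telemetry: a process whose PE `OriginalFileName` is mshta.exe starting outside the Windows system directories (which catches a copied and renamed binary), and a CreateRemoteThread (Sysmon Event ID 8) into such a process. The event records are constructed samples; the field names follow Sysmon's process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) events.

```python
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _is_system_path(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_relocated_mshta(events: List[Dict]) -> List[str]:
    """Return alert strings for mshta.exe copies and thread injection into them."""
    alerts: List[str] = []
    suspicious_guids = set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = ev.get("Image", "")
            orig = ev.get("OriginalFileName", "").lower()
            # OriginalFileName comes from the PE version resource, so it survives
            # a rename; the on-disk name is checked too for binaries stripped of it.
            if (orig == "mshta.exe" or _basename(image) == "mshta.exe") and not _is_system_path(image):
                suspicious_guids.add(ev.get("ProcessGuid"))
                alerts.append(
                    f"mshta.exe (OriginalFileName={orig or 'n/a'}) started outside the system directories: {image}"
                )
        elif eid == 8:  # CreateRemoteThread
            target = ev.get("TargetImage", "")
            if ev.get("TargetProcessGuid") in suspicious_guids or (
                _basename(target) == "mshta.exe" and not _is_system_path(target)
            ):
                alerts.append(
                    f"remote thread created in relocated mshta.exe: {ev.get('SourceImage', '')} -> {target}"
                )
    return alerts


# Constructed sample telemetry (not real logs). The python.exe path and the
# random directory name are assumptions standing in for the loader's choices.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "OriginalFileName": "MSHTA.EXE", "ProcessGuid": "{guid-1}",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\k3j9x\\svc.exe",
     "OriginalFileName": "MSHTA.EXE", "ProcessGuid": "{guid-2}",
     "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\python\\python.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\python\\python.exe",
     "SourceProcessGuid": "{guid-3}",
     "TargetImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\k3j9x\\svc.exe",
     "TargetProcessGuid": "{guid-2}", "StartAddress": "0x1A2B3C"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ProcessGuid": "{guid-4}",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


if __name__ == "__main__":
    for line in detect_relocated_mshta(SAMPLE_EVENTS):
        print(line)
```

The legitimate System32 mshta.exe produces no alert; the copy in a temporary directory is caught by its PE `OriginalFileName` even though it was renamed, and the thread creation from python.exe is tied back to it through the process GUID rather than the file name.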
AllaSenha, the new AllaKore RAT variant, targets Brazilian banks to steal login credentials, 2FA tokens, and QR codes. It uses Azure cloud infrastructure for C2 communication and a domain generation algorithm (DGA) to generate unique hostnames.
On launch, it searches the user's browser data for targeted banks and enters a waiting state if none is found. When the user interacts with a targeted bank's website or application, AllaSenha extracts the login data and, depending on the bank, injects fake windows to capture 2FA tokens.
Malicious LNK files and BPyCode launchers are staged on Microsoft Azure WebDAV servers in Brazil: the LNK triggers the download of the malicious BAT file, and the BPyCode launcher uses a DGA function that generates new Azure cloud app hostnames for payload delivery each day.
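The hostname generation attributed to BPyCode (in the description of the loader and again in the staging paragraph above) is not published on this page, so the following Python block is an added illustration, not the malware's code, of how a date-seeded DGA and its defensive counterpart work in general: a hypothetical algorithm derives each day's hostnames from SHA-256 over a seed, the date and a counter, places them under an assumed Azure cloud app suffix, combines them with a port list, and a defender who has recovered the algorithm precomputes a multi-day watchlist to match against DNS query logs. The seed, the suffix, the port list and the log lines are all assumptions or constructed samples.

```python
import hashlib
from datetime import date, timedelta
from itertools import product
from typing import List, Set, Tuple

SEED = "bpycode-demo"                          # hypothetical, not the real seed
SUFFIX = "brazilsouth.cloudapp.azure.com"      # assumed Azure cloud app suffix
PORTS = (80, 443, 8080)                        # assumed port list


def daily_hostnames(day_iso: str, count: int = 10) -> List[str]:
    """Generate the day's candidate hostnames (hypothetical DGA)."""
    hosts = []
    for i in range(count):
        digest = hashlib.sha256(f"{SEED}:{day_iso}:{i}".encode()).hexdigest()
        # map hex digits to letters a..p so the label always starts with a letter
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        hosts.append(f"{label}.{SUFFIX}")
    return hosts


def candidate_endpoints(day_iso: str) -> List[Tuple[str, int]]:
    """Every host/port pair the loader would try for the day."""
    return list(product(daily_hostnames(day_iso), PORTS))


def precompute_window(start_iso: str, days: int) -> Set[str]:
    """Defender side: the union of hostnames for a range of days."""
    start = date.fromisoformat(start_iso)
    names: Set[str] = set()
    for offset in range(days):
        names.update(daily_hostnames((start + timedelta(days=offset)).isoformat()))
    return names


def match_dns_log(lines: List[str], watchlist: Set[str]) -> List[str]:
    """Return queried names that fall in the precomputed watchlist."""
    hits = []
    for line in lines:
        for field in line.split():
            if field.startswith("query="):
                qname = field[len("query="):].rstrip(".").lower()
                if qname in watchlist:
                    hits.append(qname)
    return hits


def build_sample_log(day_iso: str) -> List[str]:
    """Constructed DNS log lines: two benign queries and one DGA hostname."""
    dga_host = daily_hostnames(day_iso)[3]
    return [
        f"{day_iso}T09:12:01Z client=10.0.0.5 query=www.python.org type=A",
        f"{day_iso}T09:12:07Z client=10.0.0.5 query={dga_host} type=A",
        f"{day_iso}T09:12:09Z client=10.0.0.7 query=login.microsoftonline.com type=A",
    ]


if __name__ == "__main__":
    today = "2024-04-15"
    watch = precompute_window(today, 3)
    print(len(candidate_endpoints(today)), "endpoints tried per day")
    print(match_dns_log(build_sample_log(today), watch))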
Source credit: cybersecuritynews.com