"Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts"

An unknown threat actor has been observed targeting Spanish- and Portuguese-speaking victims in Mexico, Peru, and Portugal in order to compromise their online banking accounts. According to the BlackBerry Research and Intelligence Team, the actor relies on LOLBaS (living-off-the-land binaries and scripts) and CMD-based scripts to carry out its malicious activity. Based on an analysis of the artifacts, the cybersecurity company attributed the campaign, dubbed "Operation CMDStealer," to a Brazilian threat actor. The attack chain depends primarily on social engineering: emails written in Portuguese and Spanish use tax- or traffic-violation-themed lures to initiate the infection and gain unauthorized access to victims' systems. Each email carries an HTML attachment containing obfuscated code that fetches the next-stage payload, a RAR archive, from a remote server. The archives, which are geofenced so that they are only served to a particular country, contain a .CMD file. That .CMD file carries an AutoIt script whose job is to download a Visual Basic Script (VBS) that steals Microsoft Outlook and browser password data. This article continues to discuss cybercriminals using LOLBaS and CMD-based scripts to compromise online banking accounts.
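The chain summarized above (a .CMD script run by cmd.exe, which launches the AutoIt interpreter, which in turn runs a downloaded .vbs under Windows Script Host) is the kind of parent-child process sequence endpoint telemetry can catch even when every binary involved is legitimate. The following detector is an added example and is not code from BlackBerry's report or the THN article: it walks a list of constructed process-creation events, shaped loosely like Sysmon Event ID 1 records, and reports every cmd.exe -> AutoIt3.exe -> WScript/CScript chain in which the script host was handed a .vbs file. The field names, executable paths, file names and sample events are all assumptions made for illustration.

```python
"""Added example (not from the BlackBerry or THN write-up): detect the
cmd.exe -> AutoIt3.exe -> wscript/cscript (.vbs) process chain over
constructed process-creation events. Field names, paths and samples are
illustrative assumptions, not indicators taken from the campaign."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # monotonically increasing event order (seconds is fine)
    pid: int       # process id of the new process
    ppid: int      # process id of its parent
    image: str     # full path of the executable that started
    cmdline: str   # command line as recorded by the sensor


# Stage roles, matched on the executable's base name (case-insensitive).
STAGE1_CMD = {"cmd.exe"}                        # the .CMD script runs under cmd.exe
STAGE2_AUTOIT = {"autoit3.exe"}                 # AutoIt interpreter launched by it
STAGE3_WSH = {"wscript.exe", "cscript.exe"}     # Windows Script Host running the .vbs


def _exe(image: str) -> str:
    """Base name of a Windows path, lower-cased, so matches ignore location and case."""
    return ntpath.basename(image).lower()


def find_cmd_autoit_vbs_chains(events: list[ProcEvent]) -> list[tuple[int, int, int]]:
    """Return (cmd_pid, autoit_pid, wsh_pid) for every chain in which cmd.exe
    spawned AutoIt3.exe and AutoIt3.exe spawned WScript/CScript with a .vbs
    argument. Parent links are resolved by PID, so the input must hold at
    most one event per PID (see the note on PID reuse below the block)."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, int, int]] = []
    for wsh in events:
        # Stage 3: a script host that was given a .vbs file on its command line.
        if _exe(wsh.image) not in STAGE3_WSH or ".vbs" not in wsh.cmdline.lower():
            continue
        autoit = by_pid.get(wsh.ppid)
        if autoit is None or _exe(autoit.image) not in STAGE2_AUTOIT:
            continue
        cmd = by_pid.get(autoit.ppid)
        if cmd is None or _exe(cmd.image) not in STAGE1_CMD:
            continue
        # A child cannot start before its parent; reject out-of-order records.
        if not (cmd.ts <= autoit.ts <= wsh.ts):
            continue
        hits.append((cmd.pid, autoit.pid, wsh.pid))
    return hits


# Constructed sample telemetry (not real campaign data). One malicious chain,
# plus benign noise that shares individual stages but not the full sequence.
SAMPLE_EVENTS: list[ProcEvent] = [
    ProcEvent(1, 400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Malicious chain: user opened the .CMD extracted from the RAR archive.
    ProcEvent(2, 1002, 400, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\extracted\multa.cmd"'),
    ProcEvent(3, 1003, 1002, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              r"AutoIt3.exe /AutoIt3ExecuteScript stage.a3x"),
    ProcEvent(4, 1004, 1003, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stealer.vbs"),
    # Benign: cmd.exe that only runs ping.
    ProcEvent(5, 1010, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 127.0.0.1"),
    ProcEvent(6, 1011, 1010, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1"),
    # Benign: a logon .vbs started directly by explorer.exe, no AutoIt in between.
    ProcEvent(7, 1020, 400, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
]


if __name__ == "__main__":
    for cmd_pid, autoit_pid, wsh_pid in find_cmd_autoit_vbs_chains(SAMPLE_EVENTS):
        print(f"ALERT cmd.exe pid={cmd_pid} -> AutoIt3.exe pid={autoit_pid} -> WSH pid={wsh_pid}")
```

Two practical caveats. Real sensors recycle PIDs, so on production data key the parent lookup on a unique process identifier such as Sysmon's ProcessGuid rather than the bare PID, and scope the lookup to one host. The detector also deliberately requires all three stages: matching on AutoIt3.exe or on wscript.exe alone would fire on legitimate automation, while the full cmd.exe -> AutoIt -> .vbs sequence started from a user-writable temp directory is what makes this chain worth an alert.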

THN reports "Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts"
