Beware the CMDStealer: Cybercriminals’ New Tool to Exploit Online Banking Vulnerabilities in Latin American and European Countries

Cybercriminals continue to target unsuspecting victims around the world, using advanced tactics and techniques to compromise online accounts and steal valuable data. The latest campaign to emerge on the scene is Operation CMDStealer, a series of attacks carried out by a Brazilian threat actor targeting Spanish and Portuguese-speaking victims in Mexico, Peru and Portugal.

This campaign, which has been attributed to a specific threat actor group, leverages a range of techniques to avoid detection, including social engineering, geofenced files, and LOLBaS and CMD-based scripts. The aim of the campaign is to steal data from online banking accounts in targeted countries and siphon funds into the attacker’s accounts.

In this article, we will examine the details of Operation CMDStealer and the Nigerian cybercrime ring’s financial fraud scams that use business email compromise tactics.

Operation CMDStealer: A Brazilian Threat Actor Targeting Spanish and Portuguese-Speaking Victims

Cybersecurity researchers have identified a recent campaign dubbed Operation CMDStealer, in which a Brazilian threat actor is targeting Spanish and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise their online banking accounts. The group has been found to use advanced tactics, including geofencing, social engineering, and exploited scripts, to avoid conventional security measures and target online business accounts, which typically have better cash flows.

Social engineering as the primary attack method

The primary attack vector employed by the Operation CMDStealer campaign is social engineering. The threat actors leverage Portuguese and Spanish email messages containing tax or traffic violation-themed lures to trigger infections and gain unauthorized access to victims’ systems. Once a victim is engaged, the attacker can execute the next phase of the attack chain, which usually involves creating a remote control shell, installing malware, or stealing sensitive data.

Geofencing is a technology that creates a virtual boundary around a physical area using GPS or RFID data. It is not typically associated with file stealing or data theft. Additionally, it is not appropriate or legal to use AutoIt scripts or any other software to unlawfully obtain data from others. It is important to respect and protect the privacy and security of others.

Another strategic element employed by the Operation CMDStealer threat actor is the use of geofenced files. These files leverage AutoIt scripts to download Visual Basic script components, which then carry out the theft of password data from the victim’s system. The files are geofenced to specific countries, ensuring that they are not overexposed to security systems that monitor and block malicious activity. This enables the threat actor to evade endpoint protection platform (EPP) solutions, offering greater privacy and ease of operation.

Leveraging LOLBaS and CMD-based scripts to avoid detection

In addition to leveraging geofenced files, the Operation CMDStealer threat actor is also using LOLBaS and CMD-based scripts to avoid detection by traditional security measures. These scripts help the attacker to bypass security systems by leveraging built-in Windows tools and commands that evade endpoint protection. This allows the threat actor to harvest and exfiltrate sensitive data undetected.

Harvested information sent to attacker’s server via HTTP POST request

Once the CMDStealer threat actor has harvested the necessary information from the victim’s system, the data is transmitted back to the attacker’s server using an HTTP POST request. This procedure prevents detection by security systems, providing a secure and private way to siphon funds from online banking accounts.

Targeting Online Business Accounts with Better Cashflow in Mexico

Based on the available configuration data used to target victims in Mexico, Operation CMDStealer is particularly interested in online business accounts that typically have a better cash flow. The threat actors are using advanced social engineering and geofencing techniques to target these accounts, often using tax or traffic violation-themed lures to trigger the infection and compromise of the account.

Nigerian cybercrime ring’s financial fraud scams using business email compromise

Operation CMDStealer is not the first cybercrime campaign to use business email compromise tactics. In January 2017, cybersecurity firm ESET exposed a Nigerian cybercrime ring that executed complex financial fraud scams by targeting businesses, banks, and unsuspecting individuals. The bad actors used phishing attacks to obtain access to corporate email accounts and tricked their business partners into sending money to bank accounts controlled by the criminals.

Operation CMDStealer is another example of the growing sophistication of cybercriminal tactics and techniques. As more businesses and individuals move their financial activities online, cybersecurity must remain vigilant in protecting against these types of attacks. To mitigate the risk of these threats, it is essential to maintain robust cybersecurity protocols and train employees to identify and avoid social engineering tactics used by malicious actors.

Explore more

Ethereum Eyes $1,800 as Buterin Unveils Lean Roadmap

Digital asset markets often react violently to technical shifts, but the recent strategic pivot outlined by Vitalik Buterin has sparked a more calculated sense of optimism across the global decentralized finance ecosystem. The Ethereum network is currently navigating a pivotal transition phase where the complexity of past upgrades is being replaced by a streamlined vision designed to reduce hardware requirements

AI Transforms the Frontline Employee Lifecycle

High turnover in retail and manufacturing industries is often the direct result of systemic failure and fragmented technology rather than individual performance or a lack of motivation. In environments where every minute spent off the floor impacts the bottom line, a worker who cannot access their schedule or find a safety manual quickly becomes a significant flight risk. This phenomenon,

Can Your Android Device Run a Full Linux Desktop?

The modern smartphone possesses more raw computational power than the professional workstations that once powered global space exploration, yet its potential remains confined within a mobile interface. Android, while built on the robust Linux kernel, serves as a specialized environment that prioritizes touch interaction and energy efficiency over the versatile multitasking capabilities found in a traditional desktop setup. This inherent

Can Windows 11 Cloud Rebuild Replace Your Recovery USB?

The sudden failure of a primary operating system often triggers an immediate scramble for physical media, yet the necessity for a bootable USB drive is increasingly being challenged by sophisticated network-based solutions. For years, the gold standard for system recovery involved manual intervention with external hardware, which frequently contained outdated builds of Windows that required hours of patching after a

Can UiPath’s AI Strategy Bridge Its Massive Growth Gap?

The enterprise automation landscape has reached a critical juncture where the traditional efficiency gains of robotic process automation are no longer sufficient to satisfy investors who demand hyper-growth fueled by generative artificial intelligence. While UiPath built its empire on the promise of delegating repetitive tasks to software bots, the rapid emergence of agentic AI has forced a fundamental redesign of