Beware the CMDStealer: Cybercriminals’ New Tool to Exploit Online Banking Vulnerabilities in Latin American and European Countries

Cybercriminals continue to target unsuspecting victims around the world, using advanced tactics and techniques to compromise online accounts and steal valuable data. The latest campaign to emerge on the scene is Operation CMDStealer, a series of attacks carried out by a Brazilian threat actor targeting Spanish and Portuguese-speaking victims in Mexico, Peru and Portugal.

This campaign, which has been attributed to a specific threat actor group, relies on social engineering for initial access and on geofenced files together with LOLBaS and CMD-based scripts to avoid detection. The aim of the campaign is to steal credentials for online banking accounts in the targeted countries and siphon funds into accounts controlled by the attacker.

In this article, we will examine the details of Operation CMDStealer and the Nigerian cybercrime ring’s financial fraud scams that use business email compromise tactics.

Operation CMDStealer: A Brazilian Threat Actor Targeting Spanish and Portuguese-Speaking Victims

Cybersecurity researchers have identified a recent campaign dubbed Operation CMDStealer, in which a Brazilian threat actor is targeting Spanish and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise their online banking accounts. The group has been found to use advanced tactics, including geofencing, social engineering, and scripts that abuse built-in Windows tools, to avoid conventional security measures and target online business accounts, which typically have better cash flows.

Social engineering as the primary attack method

The primary attack vector employed by the Operation CMDStealer campaign is social engineering. The threat actors leverage Portuguese and Spanish email messages containing tax or traffic violation-themed lures to trigger infections and gain unauthorized access to victims’ systems. Once a victim is engaged, the attacker can execute the next phase of the attack chain, which usually involves creating a remote control shell, installing malware, or stealing sensitive data.

In its general sense, geofencing is a technology that creates a virtual boundary around a physical area using GPS or RFID data, and it is not typically associated with file stealing or data theft. In this campaign the term is used differently: the malicious files check where the victim is located and only carry out their actions in the targeted countries.

Another strategic element employed by the Operation CMDStealer threat actor is the use of geofenced files. These files leverage AutoIt scripts to download Visual Basic script components, which then carry out the theft of password data from the victim’s system. The files are geofenced to specific countries, so they are not overexposed to security systems that monitor and block malicious activity outside the target region. This helps the threat actor evade endpoint protection platform (EPP) solutions and keeps the operation lower-profile and easier to run.

Leveraging LOLBaS and CMD-based scripts to avoid detection

In addition to leveraging geofenced files, the Operation CMDStealer threat actor is also using LOLBaS and CMD-based scripts to avoid detection by traditional security measures. These scripts help the attacker to bypass security systems by leveraging built-in Windows tools and commands that evade endpoint protection. This allows the threat actor to harvest and exfiltrate sensitive data undetected.

Harvested information sent to attacker’s server via HTTP POST request

Once the CMDStealer threat actor has harvested the necessary information from the victim’s system, the data is transmitted back to the attacker’s server using an HTTP POST request. Because this traffic resembles ordinary web requests, it tends to blend in with normal activity and is less likely to be flagged by security systems, giving the actor a low-profile channel for the stolen credentials that are later used to siphon funds from online banking accounts.
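The three stages described above (an AutoIt launcher pulling in a script component, cmd-driven LOLBaS activity, and an HTTP POST from a script host) can be turned into endpoint detection logic. The following is an added example written for this article, not code from the report or from the threat actor; the event fields, the LOLBaS name list, the allowlisted domain and all sample telemetry are constructed assumptions.

```python
"""Added detection sketch: correlate the CMDStealer-style process chain and
HTTP POST exfiltration over constructed, Sysmon-like telemetry for one host.
Field names, tool lists and sample values are assumptions, not real IoCs."""

# Assumed LOLBaS names worth alerting on when spawned directly by cmd.exe.
LOLBAS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for the downloaded VBS
AUTOIT = {"autoit3.exe"}                        # AutoIt interpreter image name
TRUSTED_DOMAINS = {"update.microsoft.com"}      # assumed corporate allowlist


def score_host(events):
    """Return a list of (rule, detail) hits for one host's event stream."""
    hits = []
    for e in events:
        if e["type"] == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in AUTOIT and image in SCRIPT_HOSTS:
                hits.append(("autoit_spawns_script_host", e["cmdline"]))
            if parent == "cmd.exe" and image in LOLBAS:
                hits.append(("cmd_spawns_lolbas", e["cmdline"]))
        elif e["type"] == "http":
            # POST from a script host to a non-allowlisted domain: likely exfil.
            if (e["method"] == "POST" and e["image"].lower() in SCRIPT_HOSTS
                    and e["host"] not in TRUSTED_DOMAINS):
                hits.append(("script_host_http_post", f'{e["host"]} {e["bytes"]}B'))
    return hits


def verdict(events):
    """Two or more distinct rules firing on the same host warrants escalation."""
    rules = {rule for rule, _ in score_host(events)}
    return "escalate" if len(rules) >= 2 else ("review" if rules else "clean")


# Constructed sample telemetry (file names and host are placeholders).
SAMPLE = [
    {"type": "process", "parent": "explorer.exe", "image": "AutoIt3.exe",
     "cmdline": "AutoIt3.exe multa_transito.a3x"},
    {"type": "process", "parent": "AutoIt3.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //B C:\\Users\\Public\\upd.vbs"},
    {"type": "process", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe [args elided]"},
    {"type": "http", "image": "wscript.exe", "method": "POST",
     "host": "example.invalid", "bytes": 48213},
    {"type": "http", "image": "chrome.exe", "method": "POST",
     "host": "update.microsoft.com", "bytes": 120},
]

if __name__ == "__main__":
    for rule, detail in score_host(SAMPLE):
        print(rule, "|", detail)
    print("verdict:", verdict(SAMPLE))
```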

Targeting Online Business Accounts with Better Cash Flow in Mexico

Based on the available configuration data used to target victims in Mexico, Operation CMDStealer is particularly interested in online business accounts that typically have a better cash flow. The threat actors are using advanced social engineering and geofencing techniques to target these accounts, often using tax or traffic violation-themed lures to trigger the infection and compromise of the account.

Nigerian cybercrime ring’s financial fraud scams using business email compromise

Operation CMDStealer is not the first cybercrime campaign to use business email compromise tactics. In January 2017, cybersecurity firm ESET exposed a Nigerian cybercrime ring that executed complex financial fraud scams by targeting businesses, banks, and unsuspecting individuals. The bad actors used phishing attacks to obtain access to corporate email accounts and tricked their business partners into sending money to bank accounts controlled by the criminals.

Operation CMDStealer is another example of the growing sophistication of cybercriminal tactics and techniques. As more businesses and individuals move their financial activities online, security teams must remain vigilant in protecting against these types of attacks. To mitigate the risk of these threats, it is essential to maintain robust cybersecurity controls and to train employees to identify and avoid the social engineering tactics used by malicious actors.
