Earlier this year, threat actors carried out a campaign to steal the personal and financial information of customers of Portuguese banks, including individuals as well as private and government institutions.
Researchers from SentinelLabs branded it “Operation Magalenha,” in a report published the morning of May 25. Magalenha is notable both for its payload, “PeepingTitle” — a multifunctional backdoor written in the Delphi programming language — and its scattershot approach to cyber espionage.
The researchers assessed “with high confidence” that Magalenha’s perpetrators were Brazilian, as evidenced by their use of Brazilian-style Portuguese in their code, as well as PeepingTitle’s overlaps with the Brazilian Maxtrilha malware family.
Altogether, the campaign provides a window into the ecosystem of cybercrime in Brazil today.
“That region is generally underreported or missed throughout the security industry,” says Tom Hegel, senior threat researcher at SentinelOne, “but there’s a lot going on. It’s a very messy ecosystem of threat actors.”
Cybercrime Operation Magalenha
Operation Magalenha was indiscriminate in its first phase, utilizing phishing emails, malicious websites with fake app installers, and related forms of social engineering in order to lure in targets. Infection then began when targets unwittingly executed a malicious Visual Basic script.
The script did triple duty. First, it opened login pages for Energias de Portugal and the Portuguese Tax and Customs Authority, with the purpose of drawing attention away from its second function: dropping a malware loader. Third, if a victim actually entered their Energias or Tax and Customs credentials (in the latter case, often government-issued credentials), the script harvested them for future use.
Next, the malware loader would download PeepingTitle, an info-stealing backdoor written in Delphi. Delphi is a general purpose programming language that one rarely hears much about in cyber circles up north.
“It’s funny you mention that,” Hegel says, when the topic comes up. “When we first started looking into this campaign, knowing it was linked to Brazil, we were immediately like: It’s probably Delphi.” There isn’t any identifiable technical reason for Delphi’s relatively localized popularity, Hegel thinks. “A lot of it’s just because of the way that education is done there, because everyone out in that region tends to know it.”
The Delphi-driven PeepingTitle works by monitoring the victim's browsing activity. If the victim visits a domain belonging to a Portuguese financial institution, the malware activates: connecting to its C2 server, taking screenshots, exfiltrating data, and potentially staging further malware.
In general, Hegel says, “it’s on par with what you expect of a normal financial malware. It purely focuses on being able to get this data outbound and limit detection as much as possible.”
That said, Magalenha targeted both personal and financial data from individuals and institutions alike in the government and private sectors. “So there’s more than just your regular financial theft — there are clues to ulterior objectives that they may be pursuing, like initial access brokering,” Hegel adds.
PeepingTitle: A Malware in Flux
Also notable about PeepingTitle is that it comes in two variants. The variants differ in little but what they capture: one screenshots the victim's browser window, while the other captures the entire screen. Hegel thinks “it may indicate that the attackers evolved to add second capabilities later on, or it’s just purely experimentation.”
“I think this points to the fact that it’s not extremely well planned out,” he adds.
Besides the near-identical variants, he points to other evidence of the hackers’ lack of discipline, such as their experimentation with different infrastructure, for instance swapping the American provider DigitalOcean for the more permissive Russian service TimeWeb, and the relatively unfocused nature of their information stealing.
“If this was somebody more capable,” Hegel concludes, “they might go through the process of thinking about what they want to connect to and steal, and do it in a single package rather than multiple packages, which increases the potential of getting caught. Instead, there’s just a lot of experimenting, a lot of playing, and not a lot of deep, strategic planning.”