A Brazilian threat actor is targeting Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021.
“The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News.
The cybersecurity firm, which began tracking “Operation Magalenha” earlier this year, said the intrusions culminate in the deployment of two variants of a backdoor called PeepingTitle so as to “maximize attack potency.”
The links to Brazil stem from the use of the Brazilian-Portuguese language within the detected artifacts as well as source code overlaps with another banking trojan known as Maxtrilha, which was first disclosed in September 2021.
PeepingTitle, like Maxtrilha, is written in the Delphi programming language and is equipped to grant the attacker full control over the compromised hosts as well as capture screenshots and drop additional payloads.
The attack chains begin with phishing emails and rogue websites hosting fake installers for popular software that are engineered to launch a Visual Basic Script responsible for executing a malware loader. The loader subsequently downloads and executes the PeepingTitle backdoors.
PeepingTitle monitors users’ web browsing activity, and if a browser tab matching one of the target financial institutions is opened, it exfiltrates screen captures and stages further malware executables from a remote server.
This is achieved by comparing the window title to a predefined set of strings related to the targeted organizations, but only after the title has been converted to lowercase and stripped of all whitespace characters, so that differences in capitalization and spacing do not prevent a match.
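To make the matching logic concrete, here is an added Python model of the window-title check described above. It is example code written for this page, not code from the SentinelOne report or from PeepingTitle; the target strings are constructed placeholders, not the malware's real list, and the use of substring containment (rather than exact equality) is an assumption, since the report says only that the normalized title is compared against a predefined set of strings.

```python
import re
from typing import Iterable, Optional

# Constructed, hypothetical target strings for illustration only.
# These are NOT the strings used by PeepingTitle.
TARGET_STRINGS = ("bancoexemplo", "exemplobank", "netbankingpt")

_WHITESPACE_RE = re.compile(r"\s+")


def normalize_title(title: str) -> str:
    """Lowercase the window title and remove every whitespace character.

    This mirrors the pre-comparison transform the report describes: the
    title "Banco Exemplo - Login" becomes "bancoexemplo-login".
    """
    return _WHITESPACE_RE.sub("", title.lower())


def matches_target(title: str, targets: Iterable[str] = TARGET_STRINGS) -> Optional[str]:
    """Return the first target string found in the normalized title, or None.

    Substring containment is an assumption made for this example; the
    report only states that the normalized title is compared against a
    predefined set of strings.
    """
    normalized = normalize_title(title)
    for target in targets:
        if target in normalized:
            return target
    return None


if __name__ == "__main__":
    # Constructed sample titles: capitalization and spacing vary, yet the
    # normalization makes them all collapse onto the same comparison form.
    for sample in ("Banco Exemplo - Login", "BANCO  EXEMPLO\tHome", "Google Chrome"):
        print(f"{sample!r:32} -> {matches_target(sample)}")
```

The same normalization is useful on the defensive side: a detection that inspects window titles or browser tab names for impersonation of a bank should compare after applying identical case-folding and whitespace removal, otherwise a title with an extra space or different casing slips past the rule.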