Brazilian Cybercriminals Drain Bank Accounts Using LOLBaS and CMD Scripts
An unidentified cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims in order to compromise online banking accounts in Mexico, Peru, and Portugal.
The BlackBerry Research and Intelligence Team stated in a report released last week that "this threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities."
Based on an examination of the artefacts, the cybersecurity firm attributed the campaign, dubbed Operation CMD Stealer, to a Brazilian threat actor. The attack chain relies largely on social engineering: emails written in Portuguese and Spanish, with lures themed around taxes or traffic infractions, are used to start the infection and gain access to victims' computers. Each email carries an HTML attachment containing obfuscated code that retrieves the next-stage payload, a RAR archive, from a remote server. The archive is geofenced to a specific country and contains a CMD file, which in turn contains an AutoIt script designed to download a Visual Basic script that steals Microsoft Outlook and browser password information.
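As an added defender-side example (not code from BlackBerry's report), the snippet below walks constructed Sysmon-style process-creation records and flags a Windows script host running a .vbs whose ancestry passes through an AutoIt interpreter and cmd.exe, the stage sequence described above. The log lines, file paths and the interpreter name AutoIt3.exe are assumptions for illustration; the report names the script types, not the binaries.

```python
import json

# Constructed Sysmon-style process-creation records (not real telemetry):
# a benign cmd.exe build step and one chain mimicking CMD -> AutoIt -> VBScript.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe /c build.cmd"}
{"pid": 201, "ppid": 200, "image": "msbuild.exe",  "cmdline": "msbuild.exe app.sln"}
{"pid": 300, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe /c C:\\Users\\u\\Downloads\\multa.cmd"}
{"pid": 301, "ppid": 300, "image": "AutoIt3.exe",  "cmdline": "AutoIt3.exe C:\\Users\\u\\AppData\\Local\\Temp\\s.au3"}
{"pid": 302, "ppid": 301, "image": "wscript.exe",  "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\st.vbs"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed interpreter binary for the AutoIt stage (an assumption, see lead-in).
AUTOIT_HOSTS = {"autoit3.exe"}


def ancestry(events_by_pid, pid):
    """Return lower-cased image names from the process up to the root, child first."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        event = events_by_pid[pid]
        chain.append(event["image"].lower())
        pid = event["ppid"]
    return chain


def detect_lolbas_chain(log_text):
    """Flag script hosts running a .vbs that descend from cmd.exe through an AutoIt interpreter."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if event["image"].lower() not in SCRIPT_HOSTS or ".vbs" not in event["cmdline"].lower():
            continue
        chain = ancestry(by_pid, event["pid"])
        # Both conditions are required so an ordinary cmd.exe -> wscript.exe pairing does not fire.
        if "cmd.exe" in chain and any(image in AUTOIT_HOSTS for image in chain):
            findings.append({"pid": event["pid"], "chain": " <- ".join(chain)})
    return findings


if __name__ == "__main__":
    for finding in detect_lolbas_chain(SAMPLE_LOG):
        print(f"pid {finding['pid']}: {finding['chain']}")
```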
"Scripts based on LOLBaS and CMD assist threat actors in evading typical security measures. The scripts make use of default Windows commands and tools, which enables the threat actor to avoid endpoint protection platform (EPP) solutions and get around security measures," according to BlackBerry.
The collected information is sent back to the attacker's server in an HTTP POST request. Judging by the configuration used to target victims in Mexico, the threat actor is interested in online business accounts, since they often have a stronger cash flow, the Canadian cybersecurity firm said.
The development is the most recent in a long series of financially motivated malicious software campaigns coming out of Brazil.
The bad actors also employed business email compromise to carry out their schemes: after using phishing attacks to gain access to corporate email accounts, they persuaded the victims' business partners to transfer money to bank accounts controlled by the criminals.