Targeted banks include Banco do Brasil, Bradesco, Itaú Unibanco, and others. The attack begins with phishing messages containing malicious Windows shortcut files disguised as PDFs. Once opened, these files execute commands to download and activate the malware, leveraging a complex chain of PowerShell scripts, Python binaries, and DLL injections. AllaSenha is capable of stealing credentials, intercepting two-factor authentication (2FA) codes, and tricking victims into approving fraudulent transactions.
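As an added illustration that is not part of the article or of Cisco Talos's analysis, the Python below walks a Windows shortcut's StringData section as laid out in MS-SHLLINK and flags the traits of the lure described above: a `.pdf.lnk` double extension, a script-interpreter target, a download cradle in the arguments, and a PDF-reader icon. The function names and the fixture produced by `build_lnk` are assumptions for this example; no real sample is embedded.

```python
import re
import struct
# MS-SHLLINK LinkFlags bits this parser needs
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))  # spec order
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string|bitsadmin|certutil", re.I)

def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk past the optional IDList/LinkInfo and return its StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:       # CountCharacters, then that many chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return fields

def triage_shortcut(filename: str, data: bytes) -> list:
    """Reasons an attached shortcut looks like a document-disguised dropper."""
    f = parse_lnk(data)
    cmd = f.get("relative_path", "") + " " + f.get("arguments", "")
    reasons = []
    if filename.lower().endswith(".pdf.lnk"):   # Explorer hides .lnk, so this shows as "x.pdf"
        reasons.append("double extension: shortcut named as a PDF")
    if INTERPRETER.search(cmd):
        reasons.append("target is a script interpreter, not a document viewer")
    if CRADLE.search(cmd):
        reasons.append("arguments contain a download-and-execute cradle")
    if reasons and re.search(r"acrord|pdf", f.get("icon_location", ""), re.I):
        reasons.append("icon borrowed from a PDF reader to complete the disguise")
    return reasons

def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Constructed fixture: minimal Unicode .lnk carrying only StringData (not a real sample)."""
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<I", HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon))
    return header + bytes(0x4C - len(header)) + body
```

Feed `triage_shortcut` the attachment's name and raw bytes at a mail gateway or in a sandbox; `build_lnk` exists only to manufacture a test fixture, and a real shortcut with an IDList or LinkInfo is skipped over correctly by the size fields.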
Attribution and Impact
Cisco Talos traced the malware to two Brazilian threat actors, identifying them through operational errors during domain registrations. Active since 2023, the campaigns saw a surge in infections from February to April 2024, as attackers aggressively targeted financial institutions to extract sensitive data.
Android Banking Trojan “Anatsa” Hits Google Play
Windows isn’t the only platform in jeopardy. Anatsa, an Android banking trojan, recently infiltrated the Google Play Store through legitimate-looking apps like PDF readers and QR code scanners. These apps, acting as clean droppers, downloaded malware disguised as app updates. Once installed, Anatsa exfiltrated sensitive financial data using overlay and accessibility techniques. Google has since removed these malicious apps.
Both cases highlight the growing sophistication of banking malware across platforms, underscoring the need for robust security measures to protect financial information.