Hackers exploit the widespread use and trust of Word documents, easily deceiving users into opening them. These documents can contain macros or exploits that run malicious code, enabling data theft, malware installation, or remote system control. Cisco Talos researchers recently discovered that the malware “CarnavalHeist” is using Word documents to steal login credentials.
CarnavalHeist Uses Word Documents
CarnavalHeist is highly likely targeting Brazilians, as it uses Portuguese and Brazilian slang, with C2 infrastructure in Microsoft’s BrazilSouth region, focusing on leading Brazilian financial institutions. Notably, its activity has been observed since February 2024.
Although samples have been appearing on VirusTotal since late 2023, CarnavalHeist is still under active development: as of May 2024, Talos continues to identify new Brazilian samples.
The malware spreads via malicious invoice-themed emails, luring users to click shortened URLs that redirect to fake invoice websites.
The website downloads a malicious LNK file via WebDAV, which executes the next stage payload. The attack employs Portuguese terms like “Nota Fiscal Eletrônica” (electronic invoice) across domains, files, and content to enhance social engineering lures for Brazilian users.
The LNK file’s metadata reveals techniques commonly used by threat actors to execute malicious commands. The malware deceives users by displaying a decoy PDF document while running malicious code in the background. It uses obfuscated Python scripts, dynamically generated domains, and DLLs to load a banking Trojan payload.
This Trojan targets Brazilian financial institutions with overlay attacks, capturing credentials, screenshots, and video, and enabling remote access.
It can also generate QR codes that are used to steal transactions.
Exposed project metadata and domain registration details link the campaign to individuals in Brazil. Cisco identified CarnavalHeist as using a domain generation algorithm (DGA) to create subdomains under the Azure BrazilSouth region for payload downloads and C2 communications.
The Python script uses dates and embedded strings to create subdomains, while the final payload uses seed values tied to the targeted banks, along with date and time parameters, to form the C2 domains.
Evidence suggests the campaign has been active since November 2023, with intensive activities starting in February 2024, according to telemetry analysis of generated DGA domains.
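As an added example (not code from the article or from Talos), the following Python script shows how a defender might hunt for this delivery pattern in DNS and proxy logs: hosts under the Azure BrazilSouth cloudapp suffix whose leftmost label carries an invoice/document lure word, and script payloads fetched from a WebDAV-style /Documentos path. The log lines, hostnames, and the lure-word list are constructed for illustration; the real DGA format is not described on the page and is not modelled here.

```python
import re
from dataclasses import dataclass

# Azure suffix used by the campaign for payload hosting and C2 (from the article).
AZURE_SUFFIX = ".brazilsouth.cloudapp.azure.com"
# Portuguese invoice/document lure words; a constructed, hypothetical list.
LURE_WORDS = ("nota", "fiscal", "nfe", "danfe", "adobe", "documento")
# Script payload served from a /Documentos WebDAV path (constructed regex).
WEBDAV_PAYLOAD = re.compile(r"/Documentos/.*\.(?:cmd|lnk)$", re.IGNORECASE)

# Constructed sample log: mixed DNS (q=) and proxy (host= path=) records.
SAMPLE_LOG = """\
2024-05-10T12:00:01Z dns q=abrir-documento-exemplo-1.brazilsouth.cloudapp.azure.com
2024-05-10T12:00:02Z http host=abrir-documento-exemplo-1.brazilsouth.cloudapp.azure.com path=/Documentos/dc/x.cmd
2024-05-10T12:00:03Z dns q=mail.example.com
2024-05-10T12:00:04Z http host=build-agent-7.brazilsouth.cloudapp.azure.com path=/artifacts/app.zip
2024-05-10T12:00:05Z http host=cdn.example.net path=/Documentos/files/a3.cmd
"""

@dataclass
class Finding:
    line_no: int
    reason: str
    host: str

def parse_host_path(line: str) -> tuple[str, str]:
    """Extract the queried/contacted host and, for proxy records, the URL path."""
    m = re.search(r"(?:q|host)=(\S+)", line)
    host = m.group(1).lower() if m else ""
    m = re.search(r"path=(\S+)", line)
    return host, (m.group(1) if m else "")

def score_host(host: str) -> list[str]:
    """Flag Azure BrazilSouth cloudapp hosts whose label looks like an invoice lure."""
    if not host.endswith(AZURE_SUFFIX):
        return []
    label = host[: -len(AZURE_SUFFIX)]
    if any(word in label for word in LURE_WORDS):
        return ["invoice/document lure word in Azure cloudapp label"]
    return []

def scan(log_text: str) -> list[Finding]:
    """Run both heuristics over each log line; benign Azure hosts produce no finding."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        host, path = parse_host_path(line)
        if not host:
            continue
        reasons = score_host(host)
        if path and WEBDAV_PAYLOAD.search(path):
            reasons.append("script payload fetched from /Documentos WebDAV path")
        findings.extend(Finding(n, r, host) for r in reasons)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host}: {f.reason}")
```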
IOCs