CarnavalHeist: Brazilian citizens' money flows directly through Microsoft Word

Tomcat

Hidden Python scripts and fake invoices do not leave a chance for potential victims.

Cybercriminals are increasingly using Word documents for attacks because of their wide distribution and the trust users place in them, which makes it easy to trick people into opening such files.

Malicious documents may contain macros or vulnerabilities that activate the execution of malicious code on the victim's computer. This allows attackers to steal data, install malware, or even gain remote access to the system.

Recently, cybersecurity researchers at Cisco Talos discovered that a piece of malware called "CarnavalHeist" ("carnival heist") actively uses Word documents to steal credentials.

According to experts, CarnavalHeist is aimed primarily at Brazilian users. This is evidenced by the use of exclusively Portuguese and Brazilian slang, as well as the C2 infrastructure located in the BrazilSouth region of the Microsoft Azure hosting platform. The main targets of the attack are the country's leading financial institutions.

Although the first CarnavalHeist samples appeared on VirusTotal at the end of 2023, the campaign is still under active development: in May 2024, Talos experts were still identifying new samples of this malware.

The malware is distributed via emails with the subject "invoice". Users receive emails with shortened URLs that redirect them to fake websites with invoices. A malicious LNK shortcut file is downloaded from these sites via WebDAV, which triggers the next stage of the attack.

The attack makes extensive use of Portuguese terms such as "Nota Fiscal Eletrônica" (electronic invoice) to increase the trust of Brazilian users. The malware uses deceptive techniques, such as displaying a false PDF document while running malicious code in the background.

CarnavalHeist uses hidden Python scripts, dynamically generated domains, and malicious DLLs to load the banking Trojan. The Trojan attacks Brazilian financial institutions by performing overlay attacks, capturing credentials, screenshots, and videos, and providing remote access. One of the Trojan's features is also generating QR codes to steal transactions.

Cisco researchers reported that CarnavalHeist uses a domain generation algorithm (DGA) that dynamically creates subdomains in the Azure BrazilSouth region, which are used both to download malware and to communicate with the command-and-control server.
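The delivery chain (a shortcut file pulled over WebDAV from a fake invoice site) and the Azure-hosted DGA described above both leave traces in proxy and DNS logs that a defender can check for. The script below is an added example written for this page, not code from Cisco Talos or from the malware analysis; the log formats, the constructed sample lines, the entropy threshold and the brazilsouth.cloudapp.azure.com suffix are all assumptions of the example.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Assumed Azure DNS suffix for public IPs in the BrazilSouth region. The article
# only states that the C2 lives in BrazilSouth; this exact suffix is an assumption.
AZURE_BRAZILSOUTH_SUFFIX = "brazilsouth.cloudapp.azure.com"
ENTROPY_THRESHOLD = 3.5   # bits per character; tuning value chosen for this sketch
MIN_LABEL_LEN = 8         # short labels such as "mail" are never flagged
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"  # Windows WebClient user agent

# Constructed sample logs (not real traffic). Proxy format assumed:
# timestamp src_ip method url status user_agent
PROXY_LOG = """\
2024-05-10T09:01:12Z 10.0.0.12 GET http://invoice-portal.example/nota-fiscal.pdf 200 Mozilla/5.0
2024-05-10T09:01:15Z 10.0.0.12 PROPFIND http://invoice-portal.example/dav/ 207 Microsoft-WebDAV-MiniRedir/10.0.19041
2024-05-10T09:01:16Z 10.0.0.12 GET http://invoice-portal.example/dav/NotaFiscal.lnk 200 Microsoft-WebDAV-MiniRedir/10.0.19041
2024-05-10T09:01:30Z 10.0.0.12 GET http://intranet.example/index.html 200 Mozilla/5.0
"""

# DNS format assumed: timestamp src_ip query_name
DNS_LOG = """\
2024-05-10T09:02:01Z 10.0.0.12 www.example.test
2024-05-10T09:02:05Z 10.0.0.12 x7k2q9fz3mbp4w.brazilsouth.cloudapp.azure.com
2024-05-10T09:02:07Z 10.0.0.12 mail.brazilsouth.cloudapp.azure.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking DGA labels score higher than words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def flag_webdav_lnk_fetches(proxy_log: str) -> list[dict]:
    """Flag .lnk files fetched over HTTP; fetches by the WebDAV client rate highest."""
    hits = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status, ua = line.split(maxsplit=5)
        path = urlparse(url).path.lower()
        if not path.endswith(".lnk"):
            continue
        severity = "high" if ua.startswith(WEBDAV_UA_PREFIX) else "medium"
        hits.append({"time": ts, "src": src, "method": method, "url": url, "severity": severity})
    return hits


def flag_dga_lookups(dns_log: str) -> list[dict]:
    """Flag high-entropy leftmost labels under the assumed BrazilSouth suffix."""
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        host = qname.lower().rstrip(".")
        if not host.endswith("." + AZURE_BRAZILSOUTH_SUFFIX):
            continue
        # strip the suffix and its leading dot, keep the leftmost label only
        label = host[: -len(AZURE_BRAZILSOUTH_SUFFIX) - 1].split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= MIN_LABEL_LEN and ent >= ENTROPY_THRESHOLD:
            hits.append({"time": ts, "src": src, "host": host, "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for h in flag_webdav_lnk_fetches(PROXY_LOG):
        print("LNK fetch  ", h)
    for h in flag_dga_lookups(DNS_LOG):
        print("DGA lookup ", h)
```

The two rules are deliberately independent: the .lnk rule fires on the delivery stage regardless of where the C2 lives, and the entropy rule fires on lookups under the Azure suffix regardless of how the shortcut arrived. Legitimate Azure-hosted services in the same region will also resolve under that suffix, so the entropy check and the minimum label length are what keep the DNS rule from flagging ordinary hostnames; both thresholds should be tuned against a baseline of the organisation's own traffic.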

The evidence identified by experts indicates that the CarnavalHeist campaign may have been active since November 2023, but the most intense activity began only in February of this year.