Portuguese Bank Users Targeted in "Operation Magalenha"

Researchers at SentinelLabs published a report on the morning of May 25th that identified a sizable malicious campaign targeting users of Portuguese financial institutions. The campaign has been dubbed “Operation Magalenha”. Attackers are able to steal credentials and exfiltrate personal information from customers of over 30 Portuguese financial institutions, which then could be used for identity fraud, phishing, and other malicious activities.

After a thorough analysis, the researchers confidently concluded that the perpetrators behind “Operation Magalenha'' are of Brazilian origin. This assessment was based on several factors, including the use of Brazilian-Portuguese in code and the similarities between the threat actor’s payload and the Brazilian Maxtrilha malware family.

The list of targeted entities comprises a range of institutions, including ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI, and Novobanco. The attackers' seem to have a thorough understanding of the Portuguese financial landscape despite being likely based outside the country, along with a willingness to invest considerable time and resources into devising precise and tailored campaigns.

Sentinel Labs' report believes that the malware is being delivered through phishing emails that appear to come from Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT – Autoridade Tributária e Aduaneira). After the user likely clicks a link in the email, they are taken to a fake login page of the respective site, while a malware loader is downloaded and executed in the background.

The fake login page serves two purposes. To distract the user from the background download of the malware loader, and to serve as an additional opportunity to steal their credentials for these services.

If left to download and execute, the malware loader installs two variants of a spyware dubbed “PeepingTitle” onto the user’s system. One variant reads all open windows on the user’s device, monitoring specifically for open windows on the websites of targeted institutions. If this is detected, the malware will register the infected machine with the hacker’s server, take screenshots of that window, and set up the staging of further malware.

The second PeepTitle variant registers with a separate server run by the hackers, and takes a screenshot every time the user changes the top-level window on their device. With these two spyware variants working together, the threat actors can get a detailed insight into user activity and steal their credentials.