Hackers have been utilizing Word documents as a weapon due to their widespread use and the trust that users place in them. These malicious documents are designed to deceive users into opening them, allowing hackers to run malicious code on victims’ machines. This enables attackers to steal data, install malware, or gain remote control over systems.
In a recent discovery by cybersecurity researchers at Cisco Talos, a new malware strain known as “CarnavalHeist” has been actively exploiting Word documents to steal login credentials. The malware appears to specifically target Brazilians, as it uses only Portuguese language and Brazilian slang. Furthermore, the command and control infrastructure of CarnavalHeist is located in the Microsoft Azure hosting facility in Brazil, focusing on leading financial institutions in the region.
Since late 2023, samples of CarnavalHeist have been detected on VirusTotal, indicating ongoing development. As of May 2024, Talos continues to identify new samples of this malware targeting Brazilian users. The attack begins with malicious invoice-themed emails that lure users into clicking on shortened URLs, redirecting them to fake invoice websites. These websites then download a malicious LNK file through WebDAV, which runs the next stage payload.
To enhance the social engineering lures for Brazilian users, the attack extensively uses Portuguese terms such as “Nota Fiscal Eletrônica” (electronic invoice) across domains, files, and contents. The metadata of the LNK file contains common threat actor techniques for executing malicious commands, such as displaying a decoy PDF document to mislead users while running malicious code in the background. The malware also employs obfuscated Python scripts, dynamically generated domains, and DLL injection to load a banking Trojan payload.
The banking Trojan payload targets Brazilian financial institutions using overlay attacks to capture credentials, screenshots, and videos, as well as enabling remote access. Its capabilities also include generating QR codes to steal transactions. Exposed project metadata and domain registration details have pointed to individuals in Brazil involved in certain aspects of these campaigns.
According to Cisco, CarnavalHeist utilizes a domain generation algorithm (DGA) to dynamically create subdomains under the Azure BrazilSouth region for downloading payloads and for command-and-control communication. The Python script generates probable subdomains from dates and an embedded string, while the final payload uses seed values associated with targeted banks in conjunction with date and time parameters to form the C2 domains.
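A defender-side illustration of the DGA behaviour described above: this added example (not Talos's code and not from the article) scans DNS query logs for clients that resolve many distinct subdomains under an Azure region suffix within a short window, which is the churn a date-driven DGA produces. The suffix brazilsouth.cloudapp.azure.com, the log line format and the sample log lines are assumptions constructed for the example, not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime
# Assumed suffix for hostnames hosted in the Azure BrazilSouth region
# (assumption: the article only says "subdomains under the Azure BrazilSouth region").
AZURE_BRAZILSOUTH_SUFFIX = "brazilsouth.cloudapp.azure.com"

# Expected line shape: "<ISO timestamp> <client IP> query <qname>" (constructed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")

# Constructed sample DNS log; labels embed a date like the DGA the article describes,
# but the detector below does not depend on that format. These are not real indicators.
SAMPLE_LOG = """\
2024-02-03T10:00:01 10.0.0.5 query a3f9c2-20240203.brazilsouth.cloudapp.azure.com
2024-02-03T10:00:09 10.0.0.5 query 77bd10-20240203.brazilsouth.cloudapp.azure.com
2024-02-03T10:00:31 10.0.0.5 query e0c41b-20240203.brazilsouth.cloudapp.azure.com
2024-02-03T10:01:02 10.0.0.7 query erp-prod.brazilsouth.cloudapp.azure.com
2024-02-03T10:01:05 10.0.0.7 query mail.example.com
"""

def parse(line):
    """Parse one log line into (timestamp, source, qname) or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["qname"].lower().rstrip(".")

def subdomain_label(qname, suffix=AZURE_BRAZILSOUTH_SUFFIX):
    """Return the client-specific label under the suffix, or None if qname is not under it."""
    if not qname.endswith("." + suffix):
        return None
    return qname[: -len(suffix) - 1]

def find_dga_like_clients(log_text, threshold=3, window_minutes=60):
    """Flag clients resolving >= threshold distinct labels under the suffix within one window."""
    events = defaultdict(list)  # src -> [(timestamp, label)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (label := subdomain_label(rec[2])):
            events[rec[1]].append((rec[0], label))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window starts at evs[i]
        for i, (t0, _) in enumerate(evs):
            in_window = {lab for t, lab in evs[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(in_window) >= threshold:
                flagged[src] = sorted(in_window)
                break
    return flagged
```

A legitimate client normally resolves one or two fixed Azure hostnames, so a client that cycles through several distinct labels in an hour is worth correlating with the LNK/WebDAV activity described earlier.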
Telemetry sources of generated DGA domains indicate that the campaign may have been active since November 2023, with intensified activities beginning in February 2024. The ongoing threat posed by CarnavalHeist highlights the importance of maintaining vigilance and implementing robust cybersecurity measures to protect against such malicious attacks.

