New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

May 31, 2024, 3:03 p.m.

Description

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. However, it uniquely uses a Python-based loader for DLL injection and specifically targets Brazilian banking applications. Talos attributes the development and operation of CarnavalHeist to Brazilian actors identified through operational mistakes during domain registration. The campaign has been active since at least February 2024, and the trojan is still under active development.

Date

Published: May 31, 2024, 2:27 p.m.

Created: May 31, 2024, 2:27 p.m.

Modified: May 31, 2024, 3:03 p.m.

Indicators

f92af5e770018c9e1be5d934bb5699fcf4594d870988e7b18fb65501ef43f8f9

d3a7f22886cd294549e5f93ec18ab04e085c397ef703f5543c3b967c1172bf41

aadbba21380dba5028a68b44c629988b0ca517f34c1adbd68f2edd604ea507fb

8c31dcbef5c00fd98e426a1ae84163b807a2c5d1476b2d306c8f7e9d01d8df23

8573b7aa7ac688e2fb03845aa7903b5f58d880865e3b63c4884f8e29839a3754

44df224b304a9d5d089be7d68d7e5cec4c76ec58fdc16c3f86b20a671b496cf4

3445066ae58aa68c09b2476e65f96f46d0a3ae0a09366d8f9e7e592ee3f2aa0c

2bcd8cc83cf31a77a556d5462a7e75c5e2120891414684a6e21612d61d734673

1e8fd8531a0851bb4d8fb6d8dd4b1a9509c8a971b11b7d95871d7b39004650ad

056b34444abe385addd08cc581a640b72d4f2cba05de2bfd0c897d5b273a7f28

049b7067ac87e44f464cb18e454d878ca6260b667a34f48ed0046c29b45bb149

f2db799d892f2a7ac82bfa15826e74d778abdfa153ccafb9db1fdf56a0248a40

f848c0f66afc7b5a10f060c1db129529a974ae0ad71a767f7c7793351bb7ca04

f00cb0603c055c85c7cdf9963d919d527b13013c182dc115ba733d28da57b1d9

e7aa64726783ec6f7249483e984ae20b31a091a488a3ed0f83c210702c506d20

e50bde1e319e699f587d3b5403c487e46deed61cc3f078fe951e7cb9f6896259

d9877dc1ba0f977d100e687da59c216454d27e3988532652ac8f6331debbd071

cd9f5773bd7672a3e09f2d05ef26775e8c7241879d5f4d13c5c5bc1704c49fa1

c300749ea44f886be1887b3e19b946efbdbbc3e1bf3e416c78cfbff8d23bf70a

b8b3963967232916cd721a22c80c11cd33057bd5629dcfa3f4b03d8a6dbf1403

b152346c2679392d7e15d1cc72a39a21d24e55360c4c1c845ef3524924e93fa9

ab3a284ae6e4e466a0715c162cfab85d75522bec48fa25947b16a0891ec2358a

a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef

883c49b7c869019951eff94699480a7ecc97c9c45060a15797ecbd5fce060d26

7e0051d9221c13a47245359a2cd2804b4d3d9302a321fc8085da1cf1a64bac91

8424e76c9a4ee7a6d7498c2f6826fcde390616dc65032bebf6b2a6f8fbf4a535

7232e3318fdc370e611b2bcbaaec3d58a0d687927714c24dc81fe60767d53a31

5782b9bc96ce5ad011c122496ff0ff0dc08d6444c6d2e98606ada82130d5f21a

561e6a42e23d12abe6bba8c98f84c3ba7c45a5df840bfa6fd0dfea803c9b4b7e

46e754727efdc2c891319d25a67ee999a4d8a0b21b0113db08eead42cf51b780

3c89775ae7c35fe3d1ec7e75ac9d4a19959d082d31ab412af243125440ffea6c

3b450994add1e3a206c56a7f8fd28e4132cffb27f3df345e07e8908d7989751f

2c1251ae1ec9d417bbbdd1f6ac99baa3f16a7639d0c12cb2883ef8c22c73e58e

2c53b4dc15882cf22772994d8ed0947e4a8b70aef3a12ab190017b3317c167ea

278897ee9158f9843125bc2e26c14f96c4e79d5fc578b7e5973dc8dc919a3400

1b4f44a00f61b3e0c8cd6c3125f03b6d4897d6ab90c8a6dc899ed96acee80dd6

21e22c4736e7567b198b505ed303c3ca933e0c2d931b886756f6db18a9884a75

19c02c5724622be4eedff95633f3fbaa604449aa50cc0761693bb8adb1e8cf97

0d94547a0b8f9795e97e2a4a58b0ece65b4ea4b6e6019cbc96e1c79f373b4587

4.203.105.118

191.239.123.241

191.239.116.217

191.235.87.229

191.235.233.246

191.234.212.140

191.233.248.170

191.233.241.96

104.41.51.80

https://notafiscaleletronica.nf-e.pro/danfe/?notafiscal=00510242.500611

https://nota-fiscal.nfe-digital.top/nota-estadual/?notafiscal=00792011.977347

https://nfe-visualizer.app.br/notas/?notafiscal=000851113082.35493424000

https://191.239.123.241

https://191.239.116.217

https://191.235.233.246

https://191.234.212.140

https://104.41.51.80

https://191.233.241.96

http://191.235.87.229/Documentos/dc/c.cmd

notafiscaleletronica.nf-e.pro

nfe-visualizer.app.br

nota-fiscal.nfe-digital.top

Attack Patterns

Access_PC_Client.dll

CarnavalHeist

Brazilian actors

Additional Information

Finance

Brazil