New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

May 31, 2024, 3:03 p.m.

Description

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. However, it uniquely uses a Python-based loader for DLL injection and specifically targets Brazilian banking applications. Talos attributes the development and operation of CarnavalHeist to Brazilian actors identified through operational mistakes during domain registration. The campaign has been active since at least February 2024, and the trojan is still under active development.

Date

  • Created: May 31, 2024, 2:27 p.m.
  • Published: May 31, 2024, 2:27 p.m.
  • Modified: May 31, 2024, 3:03 p.m.

Indicators


Attack Patterns

  • Access_PC_Client.dll
  • CarnavalHeist
  • Brazilian actors

Additional Information

  • Finance
  • Brazil