Brazilian Devices Targeted by New Python-Based WhatsApp Worm

By Tina Reynolds

A new threat, named Eternidade Stealer, has recently appeared and mainly infects devices in Brazil using a refined infection chain. Security researchers have found that the malware is deployed from an MSI installer, which in turn deploys its components through an AutoIt script. They also note that it checks the operating system language at runtime, so that it proceeds only on systems set to Brazilian Portuguese and therefore rooted in Brazil.

The attack starts with an obfuscated Visual Basic Script whose comments are mostly in Portuguese. This script handles communication with a remote server and retrieves publicly available information from an inbox linked to a terra.com.br email address. Once run, the MSI installer drops multiple payloads, one of which is an AutoIt script that starts the remaining malicious actions.

Infection Method and Execution

The first stage of Eternidade Stealer executes an obfuscated Visual Basic Script designed to evade detection. This script downloads files from a remote server and then uses the Internet Message Access Protocol (IMAP) to retrieve command-and-control (C2) addresses.

“It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server,” – Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.
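As an added defender-side illustration, not code from the article or from Trustwave, the following Python sketch correlates two signals of the chain described above in Sysmon-style events: a scripting host opening an IMAP connection, and that same process then launching an installer or AutoIt host. The event field names, the process names treated as script hosts and installers, and the sample log lines are constructed assumptions, not indicators from the report.

```python
"""Correlate IMAP use by a script host with a follow-on installer launch."""
import json
from collections import defaultdict

# Assumed Sysmon-style field names: EventID 3 = network connection,
# EventID 1 = process creation. Process lists are assumptions, not IoCs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
IMAP_PORTS = {143, 993}
INSTALLERS = {"msiexec.exe", "autoit3.exe"}

# Constructed sample telemetry: A1 is the suspicious chain, B2 is a normal
# mail client, C3 is a script host on HTTPS, D4 is IMAP with no follow-on.
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessGuid": "A1", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationPort": 993, "DestinationHostname": "imap.mail.example"},
    {"EventID": 1, "ParentProcessGuid": "A1", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i update.msi /qn"},
    {"EventID": 3, "ProcessGuid": "B2", "Image": r"C:\Program Files\Mail\mailclient.exe",
     "DestinationPort": 993, "DestinationHostname": "imap.mail.example"},
    {"EventID": 3, "ProcessGuid": "C3", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationPort": 443, "DestinationHostname": "cdn.example"},
    {"EventID": 3, "ProcessGuid": "D4", "Image": r"C:\Windows\System32\cscript.exe",
     "DestinationPort": 143, "DestinationHostname": "imap.mail.example"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def find_imap_stager_candidates(log_text):
    """Return {process_guid: finding} for script hosts that connect to an
    IMAP port and afterwards spawn an installer or AutoIt process."""
    imap_conns = {}                 # guid -> details of the IMAP connection
    children = defaultdict(list)    # parent guid -> child image names
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if (ev.get("EventID") == 3 and image in SCRIPT_HOSTS
                and ev.get("DestinationPort") in IMAP_PORTS):
            imap_conns[ev["ProcessGuid"]] = {"image": image,
                                             "host": ev.get("DestinationHostname")}
        elif ev.get("EventID") == 1:
            children[ev.get("ParentProcessGuid")].append(image)
    findings = {}
    for guid, info in imap_conns.items():
        spawned = [c for c in children.get(guid, []) if c in INSTALLERS]
        if spawned:   # both signals present: worth an analyst's attention
            findings[guid] = {**info, "spawned": spawned}
    return findings
```

A plain mail client on IMAP or a script host on HTTPS alone does not fire; only the combination of both signals on one process does.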

Once it runs successfully, the AutoIt script profiles the infected machine and sends the collected information to the C2 server. This reconnaissance lets the attackers understand the environment they have compromised so that their subsequent actions can be tailored to it.

The malware's targeting is highly specific. The AutoIt script continues only if it determines that the system language is set to Brazilian Portuguese. This geofencing also blocks connections from all other countries, redirecting them to “google.com/error.” In practice, 452 of the 454 observed visits were blocked by these restrictions.

Geofencing and Implications

Eternidade Stealer’s geofencing has proved highly effective. The malware restricts its targeting to Brazilian systems, and this regional concentration greatly reduces its exposure outside the chosen region. Our analysis found that 115 of these connections originated from Windows operating systems, and it also recorded connections from macOS, Linux, and Android devices.

Experts caution that the ramifications of this type of malware could reach much further.

“Although the malware family and delivery vectors are primarily Brazilian, the possible operational footprint and victim exposure are far more global,” – Trustwave.

This case illustrates a more insidious trend in cyber threats, as localized attacks can lead to widespread impact.

Similarities with Previous Campaigns

In their analysis of the Eternidade Stealer campaign, security researchers have pointed out similarities to past attacks, specifically Water Saci. They stress, however, that Eternidade uses different infrastructure and methods, which set it apart.

Its most notable trait is its behaviour, which follows a classic banker/overlay-stealer pattern. The malicious components remain dormant until the victim opens a targeted banking or e-wallet application. This deliberate delay ensures the attack activates only in the intended environment and makes it much harder for ordinary users or sandbox environments to detect.

“Such a behavior reflects a classic banker or overlay-stealer tactic, where malicious components lie dormant until the victim opens a targeted banking or wallet application,” – Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.

As cyber threats adapt, countering the tactics used by these attackers requires a more sophisticated approach. The combination of Python scripts with well-known tactics such as geofencing is a troubling indicator of the growing threats to cyber security.