Cybersecurity Alert: Malicious Browser Extensions Target Brazilian Users in Widespread Phishing Campaign

Cybersecurity researchers have uncovered a significant campaign specifically aimed at Brazilian users, deploying a malicious extension for Chromium-based web browsers to steal sensitive authentication data. The operation, identified by Positive Technologies under the name Operation Phantom Enigma, has reportedly led to the infection of 722 systems across multiple countries, including Colombia, the Czech Republic, Mexico, Russia, and Vietnam.

According to the findings, the attackers employed phishing emails disguised as invoices, increasing the likelihood of a successful breach by sending emails from compromised company servers. These messages prompted recipients to download files from embedded links or malicious attachments. Klimentiy Galkin, a researcher at Positive Technologies, explained that the malicious extension has been downloaded multiple times, impacting as many as 70 unique companies.

The multi-stage attack process begins with an initial phishing email leading to a batch script download, which then retrieves a PowerShell script designed to disable User Account Control (UAC) and establish persistence in the victim’s system. This script configures the system to execute a list of commands, such as checking for the existence of the malicious browser extension and installing it without user interaction. The extension is capable of executing harmful JavaScript code during banking transactions, particularly targeting users of Banco do Brasil.
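The chain described above leaves two host-level traces a defender can check for: a UAC policy set to "off" and a browser extension forced onto the machine without user interaction. The following Python script is an added example, not code from Positive Technologies or from the report; it assumes, since the article does not name the mechanism, that UAC is disabled through the EnableLUA policy value and that the silent install uses Chrome's ExtensionInstallForcelist policy, and it runs over a constructed .reg export rather than a live system.

```python
import re

# Constructed sample of a Windows registry export (.reg format); it is not data from the article.
# The second forcelist entry points at a non-Web-Store update URL, which is the suspicious case.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"
"2"="ponmlkjihgfedcbaponmlkjihgfedcba;http://203.0.113.10/update.xml"
"""

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FORCELIST_SUFFIX = r"\ExtensionInstallForcelist"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # official Chrome Web Store updater

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys

def find_indicators(reg_text):
    """Return (finding, detail) tuples an analyst should triage: UAC off, forced non-store extensions."""
    keys = parse_reg_export(reg_text)
    findings = []
    if keys.get(UAC_KEY, {}).get("EnableLUA", "").lower() == "dword:00000000":
        findings.append(("uac_disabled", "EnableLUA=0"))
    for key, values in keys.items():
        if not key.endswith(FORCELIST_SUFFIX):
            continue
        for raw in values.values():
            ext_id, _, update_url = raw.strip('"').partition(";")
            if not re.fullmatch(r"[a-p]{32}", ext_id):          # Chrome IDs are 32 chars from a-p
                findings.append(("malformed_forcelist_entry", raw))
            elif update_url != WEBSTORE_UPDATE_URL:
                findings.append(("forced_extension_nonstore_url", f"{ext_id} <- {update_url}"))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG_EXPORT):
        print(*finding)
```

On a real host, export the two policy keys with `reg export` and feed the file to `find_indicators`; a forced extension served from anywhere other than the Web Store updater deserves a look even when UAC is intact.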

Furthermore, the campaign’s complexity is highlighted by various attack methods, including the deployment of Windows Installer and Inno Setup installer files instead of a traditional browser extension. Initial findings suggest that the attack’s creators might be leveraging invoice-related lures to maximize their reach. The prevalence of German-language commands within the malware could imply either the attacker’s location or the repurposing of existing code from other sources, adding another layer of intrigue to this troubling cybersecurity issue. Positive Technologies urges Brazilian users to remain vigilant against such threats as these methods continue to evolve.