• Threat actors used CapturaTela to steal credit card information from customers.
• The campaign mainly targets Brazilians and is carried out via phishing emails.

A new cyberespionage campaign used to steal credit card information from customers has surfaced recently. Dubbed ‘Operation Comando’, the campaign has been active since August 2018, but researchers were only able to identify it in December 2018.

What is the matter - According to Palo Alto Networks Unit 42, the threat actors used a new info-stealing malware named CapturaTela to steal credit card information from customers. The research highlighted that hotel reservations were the primary target of the malware family.

“The continuous use of the 'CDT' acronym, and the presence of the word 'Comando', which we could associate to the first letter, led us to choose 'Operation Comando' to describe this campaign,” said Palo Alto Unit 42 researchers.

How do they operate - The campaign mainly targets Brazilians and is carried out via phishing emails. These emails are sent under various subjects such as 'Reserva para tres quartos', 'Reserva Veirano Advogador', 'Corrigir data da reserva para o dia 03', 'Voucher para reserva' and 'Reserva'. Each email contains a malicious attachment in .docx, .ppam or .ppa format.

“The attackers make use of multiple common off-the-shelf methods that are observed in many campaigns, such as external references to remote scripts executed by MSHTA. Following this approach, this actor can find multiple tools and resources to perform their activities, and at the same time, make attribution and tracking more difficult for analysts,” Palo Alto Unit 42 researchers explained.

Once the user clicks on any of these documents, a malicious macro is launched, which then downloads CapturaTela as one of several payloads.
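One way to detect the delivery chain described above on the endpoint, as an added example that is not from the article or from Unit 42: flag process-creation events where Word or PowerPoint (the hosts for .docx, .ppam and .ppa attachments) starts mshta.exe with a remote URL. The event field names, host names and sample events are constructed assumptions.

```python
import ntpath
import re

# Office hosts for the attachment types named in the article (.docx, .ppam, .ppa).
OFFICE_PARENTS = {"winword.exe", "powerpnt.exe"}
# A remote script reference anywhere in the mshta command line.
REMOTE_REF = re.compile(r"(?i)\bhttps?://[^\s\"']+")

def exe_name(path):
    """Lower-cased executable name from a Windows path, quoted or not."""
    return ntpath.basename(path.strip().strip('"')).lower()

def office_spawned_remote_mshta(event):
    """Return the remote URL if an Office app launched mshta against one, else None."""
    if exe_name(event["image"]) != "mshta.exe":
        return None
    if exe_name(event["parent_image"]) not in OFFICE_PARENTS:
        return None
    match = REMOTE_REF.search(event["command_line"])
    return match.group(0) if match else None

def triage(events):
    """Map host -> remote URL for each event matching the Office -> mshta pattern."""
    return {ev["host"]: url for ev in events
            if (url := office_spawned_remote_mshta(ev))}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed process-creation events; the field names are assumed for this example.
SAMPLE_EVENTS = [
    {"host": "front-desk-01", "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/stage1"},
    {"host": "front-desk-02", "parent_image": '"' + OFFICE + r'\POWERPNT.EXE"',
     "image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "command_line": 'MSHTA.EXE "https://example.invalid/a.hta"'},
    # Local HTA started from Explorer: no Office parent, no remote reference.
    {"host": "it-admin-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    # Word opening a browser: Office parent, but the child is not mshta.
    {"host": "front-desk-03", "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": "firefox.exe https://example.invalid/"},
]

if __name__ == "__main__":
    for host, url in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Office application launched mshta against {url}")
```

Matching on the parent/child pair rather than on mshta.exe alone keeps locally launched HTA tools out of the alert queue.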

Extensive use of other RAT families - Apart from the CapturaTela trojan, the actors made use of several other remote access trojans to perform their malicious activities. These included LimeRAT, RevengeRAT, NjRAT, AsyncRAT, NanoCoreRAT and RemcosRAT.

These RAT families potentially helped the attackers behind the ‘Operation Comando’ campaign expand their attack vectors. They can assist attackers in obtaining credit card purchase results stolen from target websites via infected victims.

Cyware Publisher