
IT Users Are Targeted by a Tax-themed Phishing Scam Spreading TimbreStealer Malware

February 28, 2024 | Newsroom | Phishing Attack / Malware

Mexican users have been the target of tax-themed phishing lures since at least November 2023 in order to distribute a previously undocumented Windows malware called TimbreStealer.

The authors were described as skilled and as having previously used similar tactics, techniques, and procedures (TTPs) to distribute a banking trojan known as Mispadu in September 2023, according to Cisco Talos, which discovered the activity.

The phishing campaign uses geofencing to target users in Mexico, along with sophisticated obfuscation methods to avoid detection and maintain persistence; if the payload sites are contacted from other locations, it serves harmless blank PDF files instead of malicious ones.

Notable evasive maneuvers include the use of custom loaders and direct system calls to bypass conventional API monitoring, as well as Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by HijackLoader.


The malware includes a number of embedded modules for orchestration, decryption, and protection of the main binary, and performs a number of checks to determine whether it is running in a sandbox environment, whether the system language is not Russian, and whether the timezone is in a Latin American region.

The orchestrator module searches for files and registry keys to make sure the machine hasn't been previously infected before launching a payload installer component, which displays a benign decoy file to the user and ultimately causes TimbreStealer's primary payload to be executed.

The payload is designed to look for files matching specific extensions, harvest credentials from various folders, collect system metadata and the URLs accessed, and check for the presence of remote desktop software.


While TimbreStealer's targets span diverse industries, with a focus on the manufacturing and transportation sectors, Cisco Talos said it found overlaps with a Mispadu spam campaign that was run in September 2023.

The disclosure comes as a new version of Atomic (also known as AMOS) has been observed that uses an unusual combination of Python and Apple Script code to gather information from Apple macOS systems, including local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers, crypto wallet information, and files of interest.


The new variant "drops and uses a Python script to stay secret," according to Bitdefender researcher Andrei Lapusneanu, who noted that the Apple Script block used on the victim's computer exhibits a "significantly high level of similarity" with the RustDoor backdoor.

It also follows the release of new stealer malware families like XSSLite, which was released as part of a malware development competition hosted by the XSS forum, even as existing strains like Agent Tesla and Pony (aka Fareit or Siplog) continue to be used for information theft and the subsequent sale of stealer logs on marketplaces like Exodus.
