Deceptive CAPTCHA: Latin America suffers from new Phishing methods

How did the invoice go viral and why did emails become so dangerous?

According to Trustwave SpiderLabs, a new phishing campaign has hit Latin America, in which Windows systems are infected with malware delivered by email.

The attack chain starts with a mass mailing carrying a ZIP attachment. Unpacking the archive yields an HTML file which, when opened, redirects the user to download a fraudulent file disguised as an invoice. The sender address uses the domain "temporary[.]link", and the message headers name Roundcube Webmail as the mail agent.

The notable feature of the HTML file is a link that leads to a page announcing that the account has been suspended. That page is served when the connection comes from outside Mexico. When the same link is accessed from a Mexican IP address, the visitor instead gets a page with a Cloudflare Turnstile CAPTCHA, which gates the download of a malicious RAR archive. This archive contains a PowerShell script that collects information about the system and checks whether antivirus software is present on the infected computer.
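A practitioner's first reaction to this chain is to turn its observable pieces (sender domain, mail agent header, a ZIP whose only content is an HTML file that redirects the browser) into a triage check for the mail gateway or a forensic mailbox dump. The script below is an added example, not code from Trustwave or from the forum post; it builds a constructed sample message mirroring the described lure (the redirect URL, recipient and subject are placeholders, and the defanged "temporary[.]link" is written as a real domain string so the header check works) and scores it against those indicators.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the campaign description. The domain is the
# un-defanged form of "temporary[.]link" from the write-up.
SUSPICIOUS_SENDER_DOMAINS = {"temporary.link"}
SUSPICIOUS_MAILERS = ("roundcube",)
# Redirect constructs commonly used by HTML smuggling lures (assumption:
# the write-up only says the HTML "redirects", not how).
REDIRECT_PATTERNS = (
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    re.compile(r"(window\.)?location(\.href)?\s*=", re.I),
)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def html_redirect_targets(html):
    """Return URLs from an HTML body, but only if it contains a redirect construct."""
    has_redirect = any(p.search(html) for p in REDIRECT_PATTERNS)
    if not has_redirect:
        return []
    return re.findall(r"https?://[^\s\"'<>]+", html)


def triage_message(raw):
    """Score an RFC 822 message (bytes) against the campaign's indicators.

    Returns {'findings': [...], 'urls': [...], 'verdict': 'suspicious'|'clean'}.
    Two or more independent indicators are treated as suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, urls = [], []

    dom = sender_domain(msg)
    if dom in SUSPICIOUS_SENDER_DOMAINS:
        findings.append(f"sender domain {dom}")

    mailer = (msg.get("X-Mailer") or msg.get("User-Agent") or "").lower()
    if any(m in mailer for m in SUSPICIOUS_MAILERS):
        findings.append(f"mail agent {mailer}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP")
            continue
        members = zf.namelist()
        html_members = [m for m in members if m.lower().endswith((".html", ".htm"))]
        # A ZIP that wraps nothing but HTML is the lure shape described above.
        if html_members and len(html_members) == len(members):
            findings.append(f"ZIP {name} contains only HTML: {html_members}")
        for m in html_members:
            found = html_redirect_targets(zf.read(m).decode("utf-8", "replace"))
            if found:
                findings.append(f"{m} redirects the browser")
                urls.extend(found)

    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"findings": findings, "urls": urls, "verdict": verdict}


def build_sample():
    """Constructed sample message (not a real capture) mirroring the described lure."""
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0;url=https://example.invalid/factura"></head>'
            '<body>Descargando factura...</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura.html", html)
    msg = EmailMessage()
    msg["From"] = "facturacion@temporary.link"
    msg["To"] = "victima@example.invalid"
    msg["Subject"] = "Factura pendiente"
    msg["X-Mailer"] = "Roundcube Webmail/1.6.0"
    msg.set_content("Adjunto encontrara su factura.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Factura.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

The extracted URLs are the useful output: they are what you fetch from a Mexican egress and from a non-Mexican one to confirm the geofenced behaviour the write-up describes, rather than trusting a single sandbox detonation that may only ever see the "account suspended" decoy.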



Message about account suspension when accessing from another region (left) and CAPTCHA page when connecting from Mexico (right)

The archive also includes Base64-encoded strings used to run PHP scripts that determine the user's country and then download from Dropbox a ZIP file containing "a lot of suspicious files". Trustwave's researchers note that this campaign shares features with the earlier Horabot botnet campaign, which also targeted Spanish-speaking users in Latin America.

The researchers also point out that registering brand-new domains and making them reachable only from certain countries is a further evasion technique, all the more effective when the domain serves different content depending on the visitor's country, so that sandboxes and analysts outside the target region never see the malicious path.