TimbreStealer: Tax evasion in Mexico is now penalized by data loss

Who needs such exclusivity in the origin of the victims?

Cisco Talos reports that since the beginning of November 2023, Mexican users have been the target of a phishing campaign that spreads a new malware for Windows called TimbreStealer.

The phishing campaign uses decoy documents related to taxes. The operation relies on sophisticated obfuscation techniques to evade malware detection and analysis. In addition, the campaign uses geofencing (geofiltering) so that only users in Mexico are targeted: when visitors from other regions try to access the malicious sites, they receive a harmless blank PDF document instead of the malicious file.

Notable tricks include the use of custom loaders and direct system calls to bypass API monitoring, as well as Heaven's Gate, a technique that lets malware evade endpoint security by executing 64-bit code from within a 32-bit Windows process, effectively sidestepping custom hooks. The latter technique was recently also used by another malware, HijackLoader.

TimbreStealer includes several built-in modules for orchestrating, decrypting, and protecting the underlying binary code. The malware runs a series of checks to make sure that it is not executing in a virtualized environment and that the system time zone corresponds to the Latin American region.

The main purpose of the malware is to collect a wide range of data: it gathers account information from various folders, system metadata, and visited URLs, searches for files with certain extensions, and checks for the presence of remote access programs. Notably, TimbreStealer targets a variety of industries, including the manufacturing and transportation sectors.

Recently, experts from Palo Alto Networks Unit 42 identified attacks on users in Mexico carried out with the Mispadu Trojan, which is aimed at stealing banking data. The Trojan, first detected in 2019, spreads through phishing messages and exploits a vulnerability in Windows SmartScreen that was patched in November 2023.