A new phishing campaign is targeting Latin America to deliver malicious payloads to Windows systems.
What does this phishing campaign in Latin America consist of?
“The phishing email contained a ZIP file attachment which, when extracted, reveals an HTML file that leads to a malicious file download, disguised as an invoice,” said Trustwave SpiderLabs researcher Karla Agregado.
According to the company, the email message comes from an address on the “temporary[.]link” domain and has Roundcube Webmail listed as its User-Agent string.
The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message reading “This Account Has Been Suspended”, but when visited from an IP address geolocated in Mexico it loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from which a malicious RAR file is downloaded. The RAR archive contains a PowerShell script that collects system metadata and checks the compromised computer for antivirus software, an evasion step aimed at avoiding detection by the defenses installed on the machine.
It also embeds several Base64-encoded strings designed to run PHP scripts that determine the user's country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
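A defender-side triage check for the first stage of the chain described above (sender on the flagged domain, Roundcube User-Agent, ZIP attachment wrapping an HTML lure that links out to the geofenced domain), written as an added example rather than code from Trustwave or the article. The message it inspects is constructed inline from the article's indicators; the `temporary.link` sender address, file names and version string are assumptions.

```python
import io, re, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators quoted in the article (defanged there as temporary[.]link / facturasmex[.]cloud).
FLAGGED_DOMAINS = {"temporary.link", "facturasmex.cloud"}

def inspect_zip_attachment(zip_bytes):
    """Open a ZIP in memory and report HTML members plus any flagged domains they link to."""
    html_members, hosts = [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                html_members.append(name)
                body = zf.read(name).decode("utf-8", errors="replace")
                for url in re.findall(r"""href\s*=\s*["']?(https?://[^\s"'>]+)""", body, re.I):
                    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
                    if host in FLAGGED_DOMAINS:
                        hosts.add(host)
    return html_members, hosts

def triage_message(raw_eml):
    """Return the reasons a message matches the traits described: sender domain, User-Agent, ZIP->HTML chain."""
    msg = message_from_bytes(raw_eml, policy=default)
    reasons = []
    if any(d in msg.get("From", "").lower() for d in FLAGGED_DOMAINS):
        reasons.append("sender uses a flagged domain")
    if "roundcube webmail" in msg.get("User-Agent", "").lower():
        reasons.append("Roundcube Webmail User-Agent")
    for part in msg.iter_attachments():
        if part.get_filename("").lower().endswith(".zip"):
            members, hosts = inspect_zip_attachment(part.get_payload(decode=True))
            if members:
                reasons.append("ZIP attachment contains HTML: " + ", ".join(members))
            reasons.extend("HTML links to flagged domain " + h for h in sorted(hosts))
    return reasons

def build_sample_eml():
    """Constructed sample reproducing the described chain (sender, User-Agent, file names assumed); not a real capture."""
    html = b'<html><body><a href="https://facturasmex.cloud/factura.html">Descargar factura</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", html)
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "facturacion@temporary.link", "user@example.com", "Factura"
    m["User-Agent"] = "Roundcube Webmail/1.6"
    m.set_content("Adjunto factura")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="factura.zip")
    return m.as_bytes()
```

Run `triage_message(build_sample_eml())` to see all four reasons fire on the constructed sample; in a mail gateway the same function would be fed the raw message bytes.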
Trustwave said the campaign bears similarities to the Horabot malware campaigns that targeted Spanish-speaking users in Latin America in the past.
“Understandably, from the cybercriminals' perspective, phishing campaigns always try different approaches to hide any malicious activity and avoid immediate detection,” said Karla Agregado, who added that “using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on the target country.”
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with fake ads for NordVPN that lead to the distribution of a remote access trojan known as SectopRAT (also known as ArechClient), hosted on Dropbox via a fake website (“besthord-vpn[.]com”).
“Malvertising continues to show how easy it is to clandestinely install malware in the guise of popular software downloads,” said security researcher Jérôme Segura, adding that “cybercriminals are able to quickly and easily deploy infrastructure to bypass many content filters.”
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to distribute the open-source cryptocurrency miner XMRig, according to SonicWall.
The network security firm said it also discovered Golang-based malware that “uses multiple geographic controls and publicly available packages to take a screenshot of the system before installing a ROOT certificate in the Windows registry for HTTPS communications with the [command-and-control server].”
Phishing, not really a technical attack
These cases mostly happen to people who are inexperienced at browsing the web; unfortunately, many people are used to downloading anything without checking the source it comes from.
This case concerns Windows users in particular; unfortunately, the average Windows user is far from expert, and many users (wrongly) disable Windows Defender because they consider it a poor antivirus, when the reality is very different.
In these cases there are no updates or patches that help: what is needed is not so much knowing how to use a computer decently as understanding what you are doing when you browse the internet, because practices such as phishing are aimed specifically at inexperienced users.