Mexican users have been targeted with tax-themed phishing lures since at least November 2023 in a campaign distributing a previously undocumented Windows malware called TimbreStealer.
What is known about TimbreStealer and how it works
Cisco Talos, which discovered the activity, described the perpetrators as skilled and noted that, whoever they are, they have previously used tactics, techniques and procedures (TTPs) similar to those typically used to distribute banking Trojans, in particular the banking malware known as Mispadu, in September 2023.
In addition to using sophisticated obfuscation techniques to evade detection and ensure persistence, the phishing campaign uses geofencing to restrict delivery to users in Mexico, returning a harmless empty PDF file instead of the malicious one if the distribution sites are contacted from other locations.
Some of the notable evasive maneuvers include the use of custom loaders and direct system calls to evade conventional API monitoring, as well as using Heaven's Gate to execute 64-bit code within a 32-bit process, an approach recently also adopted by HijackLoader.
The malware comes with several built-in modules for staging, decrypting and protecting the main binary, and it also runs a series of checks to determine whether it is running in a sandbox environment, whether the system language is something other than Russian, and whether the time zone falls within a Latin American region.
The orchestrator module also searches files and registry keys to verify that the machine has not been previously infected, before launching a payload installer component that displays a benign decoy file to the user, ultimately triggering execution of the main TimbreStealer payload.
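The environment gates described above (not in a sandbox, system language not Russian, time zone in Latin America) are useful to an analyst who wants to confirm that a detonation VM will actually reach the main payload rather than exit early. The following checker is an added example written for this article, not Cisco Talos code and not derived from the sample: the profile fields, the list of time zones treated as "Latin American", and the sandbox indicator names are all assumptions, since the article names none of them.

```python
"""Validate an analysis-VM profile against the pre-execution gates the article
attributes to TimbreStealer's orchestrator.  Added example; the gate details
below (time-zone list, indicator names) are assumptions, not published IoCs."""

from dataclasses import dataclass, field

# Assumption: IANA zones (or prefixes) treated as "Latin American".  The article
# only says the malware checks for a Latin American time zone, not which ones.
LATAM_TZ_PREFIXES = (
    "America/Mexico_City", "America/Monterrey", "America/Cancun", "America/Tijuana",
    "America/Bogota", "America/Lima", "America/Santiago", "America/Caracas",
    "America/Sao_Paulo", "America/Argentina/", "America/Guatemala", "America/Panama",
)

# Constructed list of artefacts an analyst might leave visible in a sandbox VM.
# These are generic examples, not the malware's actual sandbox checks.
SANDBOX_INDICATORS = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe", "wireshark.exe"}


@dataclass
class HostProfile:
    ui_language: str                      # e.g. "es-MX", "ru-RU"
    time_zone: str                        # IANA name, e.g. "America/Mexico_City"
    visible_processes: set = field(default_factory=set)


def passes_language_gate(profile: HostProfile) -> bool:
    """Gate from the article: the malware proceeds only if the language is not Russian."""
    return not profile.ui_language.lower().startswith("ru")


def passes_timezone_gate(profile: HostProfile) -> bool:
    """Gate from the article: the time zone must fall within a Latin American region."""
    return any(profile.time_zone.startswith(p) for p in LATAM_TZ_PREFIXES)


def passes_sandbox_gate(profile: HostProfile) -> bool:
    """Gate from the article: no sandbox environment detected (indicator set is assumed)."""
    found = {p.lower() for p in profile.visible_processes} & SANDBOX_INDICATORS
    return not found


def evaluate(profile: HostProfile) -> dict:
    """Return each gate's result and whether the orchestrator would continue to the
    payload installer.  The 'already infected' marker check mentioned in the article
    is omitted because the file and registry names are not published."""
    results = {
        "language_ok": passes_language_gate(profile),
        "timezone_ok": passes_timezone_gate(profile),
        "no_sandbox": passes_sandbox_gate(profile),
    }
    results["would_continue"] = all(results.values())
    return results


if __name__ == "__main__":
    # Constructed profiles: one shaped like a Mexican workstation, one that fails a gate.
    for prof in (
        HostProfile("es-MX", "America/Mexico_City", {"explorer.exe"}),
        HostProfile("es-MX", "America/Mexico_City", {"explorer.exe", "vmtoolsd.exe"}),
        HostProfile("ru-RU", "America/Mexico_City"),
        HostProfile("en-US", "America/New_York"),
    ):
        print(prof.ui_language, prof.time_zone, evaluate(prof))
```

The practical use is the negative case: a VM whose profile fails any gate will show the sample exiting quietly, which is easy to misread as a benign file. Adjusting locale and time zone before detonation, and hiding the obvious tooling processes, gives the analyst a run that reaches the decoy and the payload stages the article describes.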
The payload is designed to collect a wide range of data, including credential information from different folders, system metadata and URLs visited, look for files with specific extensions and check for remote desktop software.
Cisco Talos said it identified overlaps with a Mispadu spam campaign observed in September 2023, although TimbreStealer's targets span several sectors, with a focus on manufacturing and transport.
Windows is not the only platform being hit by information-stealing malware. The TimbreStealer activity was disclosed alongside the emergence of a new version of another stealer, Atomic (also known as AMOS), which targets Apple macOS systems and collects local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers (that is, the most widely used browsers), cryptocurrency wallet information, and files of interest, using an unusual combination of Python code and AppleScript.
“The new variant drops and uses a Python script to stay stealthy,” Bitdefender researcher Andrei Lapusneanu said, pointing out that the AppleScript block used to collect sensitive files from the victim's computer shows a “significantly high level of similarity” with the RustDoor backdoor.
It also follows the emergence of new stealer malware families such as XSSLite, released as part of a malware development competition hosted by the XSS forum, while existing strains such as Agent Tesla and Pony (also known as Fareit or Siplog) continue to be used to steal information that is then sold on stealer-log marketplaces such as Exodus.