A new phishing campaign has set its sights on the Latin American region to deliver malicious payloads to Windows systems.
“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.
The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.
The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from which a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata and checks for the presence of antivirus software on the compromised machine.
It also contains several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
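The delivery chain described above (ZIP attachment wrapping an HTML lure that links out to a geofenced domain) is easy to screen for at the mail gateway before any user clicks. The following script is an added example, not code from Trustwave or from the report; it builds a constructed sample message using only the indicators named in the article (the “temporary[.]link” sender domain, the Roundcube Webmail User-Agent, and the “facturasmex[.]cloud” link host), then parses the message with the Python standard library, opens any ZIP attachment, pulls links out of HTML files inside it, and reports which reported traits match. The watchlist sets, the function names and the sample text are assumptions for illustration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the Trustwave report quoted above. The message built
# below is constructed for this example; it is not a captured sample.
SUSPECT_SENDER_DOMAINS = {"temporary.link"}
SUSPECT_USER_AGENTS = ("roundcube webmail",)
SUSPECT_LINK_HOSTS = {"facturasmex.cloud"}

HREF_RE = re.compile(rb"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)


def build_sample_eml() -> bytes:
    """Constructed lure: a ZIP attachment wrapping an HTML file with one link."""
    html = b'<html><body><a href="https://facturasmex.cloud/invoice">Factura</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", html)
    msg = EmailMessage()
    msg["From"] = "facturacion@temporary.link"   # sender domain from the report
    msg["To"] = "user@example.com"
    msg["Subject"] = "Factura pendiente"
    msg["User-Agent"] = "Roundcube Webmail/1.6"   # header value as reported
    msg.set_content("Adjunto encontrara su factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="factura.zip")
    return bytes(msg)


def analyze_eml(raw: bytes) -> dict:
    """Extract sender domain, User-Agent, and links from HTML inside ZIP attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = {
        "sender_domain": sender_domain,
        "user_agent": str(msg.get("User-Agent", "")),
        "html_in_zip": [],
        "links": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not name.endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue  # corrupt or not really a ZIP; nothing to inspect here
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            findings["html_in_zip"].append(info.filename)
            # Read a bounded amount so an oversized member cannot exhaust memory.
            content = zf.open(info).read(1_000_000)
            for url in HREF_RE.findall(content):
                findings["links"].append(url.decode("utf-8", "replace"))
    return findings


def triage(findings: dict) -> list:
    """Return the reasons this message matches the reported lure pattern."""
    reasons = []
    if findings["sender_domain"] in SUSPECT_SENDER_DOMAINS:
        reasons.append("sender domain on watchlist")
    if findings["user_agent"].lower().startswith(SUSPECT_USER_AGENTS):
        reasons.append("User-Agent matches reported sender tooling")
    if findings["html_in_zip"]:
        reasons.append("HTML file delivered inside ZIP attachment")
    for url in findings["links"]:
        m = HOST_RE.match(url)
        if m and m.group(1).lower() in SUSPECT_LINK_HOSTS:
            reasons.append(f"link to watchlisted host {m.group(1)}")
    return reasons


if __name__ == "__main__":
    for reason in triage(analyze_eml(build_sample_eml())):
        print("FLAG:", reason)
```

The structural trait (an HTML file inside a ZIP attachment) is the durable signal here; the domain and User-Agent values will rotate, so treat them as enrichment rather than the sole trigger. Because the lure host answers differently depending on the visitor's geolocation, a sandbox detonating from outside Mexico would only see the “account suspended” page, which is why extracting the link statically from the attachment is more reliable than following it.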
Trustwave said the campaign exhibits similarities with Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.
“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.
“Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on their target country.”
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).
“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.
The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”