
Tax-themed Phishing Campaign Targets Mexican Users with TimbreStealer Malware

According to , a previously undocumented Windows information stealer called TimbreStealer has been used in a campaign that targets Mexican users and has been active since at least November 2023. The campaign uses tax-themed lures and employs advanced obfuscation techniques to evade detection and maintain persistence. It also uses geofencing to restrict targeting to Mexico: if the payload sites are contacted from other locations, they return a harmless PDF file instead of the malicious one.

The threat actor behind the campaign is described as skilled and used similar tactics to distribute a banking trojan known as Mispadu in September 2023. The campaign uses custom loaders and direct system calls to bypass conventional API monitoring, and it leverages Heaven's Gate to execute 64-bit code within a 32-bit process. The malware has several embedded modules for orchestration, decryption, and protection of the leading binary. It runs a series of checks to determine whether it is running in a sandbox environment, whether the system language is not , and whether the timezone falls within a Latin American region.

The orchestrator module also checks for specific files and registry keys to ensure the machine has not already been infected before launching a payload installer component. That component displays a benign decoy file to the user and ultimately triggers the execution of TimbreStealer's primary payload. The payload is designed to harvest a wide range of data, including credential information from various folders, system metadata, URLs accessed, and files matching specific extensions, and it checks whether remote desktop software is present.

TimbreStealer's target industries are varied, with a focus on the manufacturing and transportation sectors. Overlaps with a Mispadu spam campaign observed in September 2023 were also identified. The disclosure comes amid the emergence of a new version of another information stealer called Atomic (aka AMOS), which is capable of gathering data from Apple macOS systems, including local user account passwords, credentials from Mozilla and Chromium-based browsers, crypto wallet information, and files of interest, using an unusual combination of Python and AppleScript code.

The new variant of Atomic uses a Python script to stay covert, while its AppleScript block for collecting sensitive files from the victim's computer exhibits a "significantly high level of similarity" with the RustDoor backdoor. New stealer malware families like XSSLite continue to emerge, even as existing strains such as Agent Tesla and Pony (aka Fareit or Siplog) continue to be used for information theft and subsequent sale on stealer log marketplaces like Exodus.
