A new phishing campaign has set its sights on the Latin American region to deliver malicious payloads to Windows systems.
“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.
The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.
The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata and checks for the presence of antivirus software on the compromised machine.
It also contains several Base64-encoded strings that are designed to run PHP scripts to determine the user's country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
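The Base64-wrapped strings described above are a common triage task for an analyst: decoding them exposes the URLs and system queries the script is hiding. The following is an added example, not code from Trustwave's analysis or from the campaign; the PowerShell fragment is a constructed stand-in (with a placeholder `example.invalid` URL) that only mimics the pattern of quoted Base64 blobs.

```python
import base64
import re

# Constructed sample for illustration, NOT the campaign's script: a PowerShell
# fragment that keeps its strings as quoted Base64 blobs, as described above.
SAMPLE_PS1 = (
    '$u = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
    '"aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZ2VvLnBocA=="))\n'
    '$c = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
    '"QW50aVZpcnVzUHJvZHVjdA=="))\n'
    'Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $c\n'
)

# Only quoted runs are considered, so identifiers such as FromBase64String
# (16 valid Base64 characters) are not mistaken for payload blobs.
B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_blobs(script: str) -> list:
    """Return (blob, decoded text) pairs for every quoted Base64 run that
    decodes to printable text as UTF-8 or as UTF-16LE (the encoding
    PowerShell uses for -EncodedCommand payloads)."""
    found = []
    for blob in B64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for enc in ('utf-8', 'utf-16-le'):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable() and text.strip():
                found.append((blob, text))
                break
    return found


def triage(script: str) -> dict:
    """Summarise what the decoded strings reveal: embedded URLs and whether
    the script names the WMI AntiVirusProduct class (an AV-presence check)."""
    decoded = decode_blobs(script)
    urls = [u for _, t in decoded for u in URL_RE.findall(t)]
    av_probe = any('antivirusproduct' in t.lower() for _, t in decoded)
    return {'decoded': decoded, 'urls': urls, 'queries_av_products': av_probe}


if __name__ == '__main__':
    print(triage(SAMPLE_PS1))
```

Running it against a real sample yields a list of decoded strings and URLs that can be fed into detection rules or blocklists without executing the script.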
Trustwave said the campaign exhibits similarities with Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.
“Understandably, from the threat actors' point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.
“Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on their target country.”
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).
“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.
The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”