A new phishing campaign targeting Mexican citizens with financial lures has been discovered by Cisco Talos.
Using Mexican tax-related lures, the spam emails distribute a new obfuscated information stealer that Cisco Talos called “TimbreStealer.”
In this new campaign, which has been active since November 2023, the threat actor directs users to a compromised website where the TimbreStealer payload is hosted and tricks them into executing the malicious application.
A Skilled Threat Actor Behind TimbreStealer
The current spam run was observed to mainly use Mexico's digital tax receipt standard called Comprobante Fiscal Digital por Internet (CDFI), according to the findings published on February 28, 2024
The phishing campaign uses geofencing techniques to target only users in Mexico, and any attempt to contact the payload sites from other locations will return a blank PDF file instead of the malicious file.
Talos researchers observed a sophisticated array of techniques in TimbreStealer’s code to circumvent detection, engage in stealthy execution and ensure its persistence within compromised systems.
These are contained in the malware’s embedded modules, which Talos researchers found to be structured in three layers.
No tags.
