A new phishing campaign has targeted Latin America (the southern part of the American continent) to deliver malicious payloads to Windows systems.
What does this Phishing campaign in Latin America consist of?
“The phishing email contained a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download, masquerading as an invoice,” said Trustwave SpiderLabs researcher Karla Agregado.
According to the company, the email message comes from an email address that uses the “temporary(.)link” domain and has Roundcube Webmail listed as the User-Agent string.
The HTML file contains a link (“facturasmex(.)cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated in Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from which a malicious RAR file is downloaded; the RAR archive contains a PowerShell script that collects system metadata and checks the compromised computer for installed antivirus software, an evasion step intended to keep the host's defenses from detecting the attack.
“Phishing” is a word very similar to “fishing”, which means “to fish”; this imaginative term conveys that the practice consists of “fishing for personal data”.
It also embeds several Base64-encoded strings designed to execute PHP scripts to determine the user's country and recover a ZIP file from Dropbox containing “many highly suspicious files.”
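As an added, defender-side illustration (not code from Trustwave or from this article), the following Python triage check applies the indicators described above (a sender on the temporary.link domain, a Roundcube Webmail User-Agent, a ZIP attachment whose HTML member links to facturasmex.cloud) to a constructed sample message; the sample message and the indicator labels are assumptions made for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the write-up; everything else here is constructed for the example.
WATCHED_SENDER_DOMAINS = {"temporary.link"}
WATCHED_LINK_DOMAINS = {"facturasmex.cloud"}
WATCHED_USER_AGENT = "roundcube webmail"


def inspect_zip(blob: bytes) -> tuple[list[str], set[str]]:
    """Return (HTML member names, watched domains referenced inside them) for a ZIP blob."""
    names, hits = [], set()
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".html", ".htm")):
                    names.append(name)
                    body = zf.read(name).decode("utf-8", "ignore").lower()
                    hits |= {d for d in WATCHED_LINK_DOMAINS if d in body}
    except zipfile.BadZipFile:
        pass  # not a ZIP at all: nothing to report for this rule
    return names, hits


def phishing_indicators(raw_message: bytes) -> list[str]:
    """Parse a raw RFC 822 message and list the lure indicators it matches, in check order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    found = []
    sender_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].strip("> ").lower()
    if sender_domain in WATCHED_SENDER_DOMAINS:
        found.append("sender-domain")
    if WATCHED_USER_AGENT in str(msg.get("User-Agent", "")).lower():
        found.append("roundcube-user-agent")
    for part in msg.iter_attachments():
        if part.get_content_type() in ("application/zip", "application/x-zip-compressed"):
            html_names, link_hits = inspect_zip(part.get_content())
            if html_names:
                found.append("zip-contains-html")
            if link_hits:
                found.append("html-links-to-watched-domain")
    return found


def build_sample() -> bytes:
    """Constructed message mimicking the reported lure (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", '<a href="https://facturasmex.cloud/factura">Ver factura</a>')
    msg = EmailMessage()
    msg["From"] = "cobranza@temporary.link"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Factura pendiente"
    msg["User-Agent"] = "Roundcube Webmail/1.6"
    msg.set_content("Adjunto su factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="factura.zip")
    return msg.as_bytes()
```

Run against a mailbox export, any message returning two or more labels is worth a closer look; a single match (for instance the User-Agent alone) is common in legitimate mail.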
Trustwave said the campaign bears similarities to Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.
“Understandably, from the cybercriminals' point of view, phishing campaigns always look for different approaches to hide any malicious activity and avoid immediate detection,” said Karla Agregado, who then added that “the use of newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on the target country.”
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with fake ads for NordVPN leading to the distribution of a remote access trojan going by the name of SectopRAT (also known as ArechClient) hosted on Dropbox via a fake website (“besthord-vpn(.)com”).
“Malvertising continues to show how easy it is to clandestinely install malware in the guise of popular software downloads,” said security researcher Jérôme Segura, adding that “cybercriminals are able to quickly and easily deploy infrastructures to evade many content filters.”
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to distribute the open-source cryptocurrency miner XMRig, according to SonicWall.
The network security firm said it also discovered Golang-based malware that “uses multiple geo-checks and publicly available packets to take a screenshot of the system before installing a ROOT certificate in the Windows registry for HTTPS communications with the (command and control server)”.
Phishing, not really a real attack
These cases happen especially to people who are inexperienced in browsing; unfortunately, many people are used to downloading anything without checking the source it comes from.
This case particularly concerns Windows users, and the average Windows user is unfortunately far from being an expert; many users also (wrongly) deactivate Windows Defender, considering it a terrible antivirus, when the reality is very different.
In these cases no update or patch is relevant: what matters is not so much knowing how to use a computer competently, but understanding what you are doing when you browse the internet, because practices such as phishing are aimed at inexperienced users.