
New Phishing Offensive Targets Latin America, Unleashing Malware and Exploiting Geographic Vulnerabilities

Charles M. Walls | April 8, 2024 | Views: 208

[Image: A stylized digital world map focused on Latin America, illustrating the phishing attack with digital connections and data streams.]

A new phishing scheme is targeting Windows users across Latin America, delivering a particularly nasty payload. According to Trustwave SpiderLabs' researcher Karla Agregado, the malicious campaign starts with a phishing email that includes a ZIP file. Once opened, this file unveils an HTML document that tricks users into downloading what appears to be an invoice.

The deceptive email originates from a domain named "temporary[.]link" and masquerades as being sent via Roundcube Webmail. The HTML attachment contains a link to "facturasmex[.]cloud" which initially shows a suspension error. However, for users accessing from Mexican IP addresses, it cleverly redirects to a CAPTCHA verification page managed by Cloudflare Turnstile, eventually leading to the download of a malicious RAR file.

This RAR file is no ordinary archive—it contains a PowerShell script designed to scrape system metadata and check for antivirus programs on the victim's computer. It also carries Base64-encoded strings that trigger PHP scripts to identify the user's location and fetch another ZIP file full of dubious files from Dropbox.
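The delivery chain described above (ZIP, then an HTML lure, then a link to a geofenced domain, then a script carrying Base64-encoded strings) is the kind of thing a mail gateway or SOC analyst can triage mechanically. The following Python script is an added example written for this article; it is not code from Infosec Watchtower, Trustwave SpiderLabs or any of the campaigns described. The three hostnames in the indicator list are the article's own defanged IoCs with "[.]" restored to "."; the sample ZIP, HTML, and Base64 blob are constructed inline and are not real campaign artifacts.

```python
import base64
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Defanged indicators quoted in the article, refanged for matching.
ARTICLE_IOCS = {
    "temporary.link",
    "facturasmex.cloud",
    "besthord-vpn.com",
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)
# Runs of Base64 alphabet long enough to hide a URL or command (40+ chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def matches_ioc(host: str) -> bool:
    """True if host is a listed indicator or a subdomain of one."""
    host = host.lower()
    return host in ARTICLE_IOCS or any(host.endswith("." + d) for d in ARTICLE_IOCS)


def extract_hosts(html: str) -> List[str]:
    """Return the hostnames referenced by href attributes in an HTML document."""
    hosts = []
    for url in HREF_RE.findall(html):
        m = HOST_RE.match(url.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage_zip_attachment(zip_bytes: bytes) -> Dict[str, list]:
    """Inspect a ZIP attachment for HTML lures, IoC links and nested archives."""
    findings: Dict[str, list] = {"html_members": [], "ioc_hits": [], "nested_archives": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith((".zip", ".rar", ".7z")):
                findings["nested_archives"].append(info.filename)
            if name.endswith((".html", ".htm")):
                findings["html_members"].append(info.filename)
                html = zf.read(info).decode("utf-8", errors="replace")
                for host in extract_hosts(html):
                    if matches_ioc(host):
                        findings["ioc_hits"].append((info.filename, host))
    return findings


def _is_text(s: str) -> bool:
    return len(s) >= 8 and all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_embedded_base64(script: str) -> List[str]:
    """Decode long Base64 runs in a script; keep only results that are readable text.

    UTF-8 is tried first, then UTF-16-LE (the encoding PowerShell uses for
    -EncodedCommand); binary-looking output is discarded.
    """
    out: List[str] = []
    for blob in B64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _is_text(text):
                out.append(text)
                break
    return out


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the article's chain: a ZIP holding an HTML lure."""
    html = ('<html><body><a href="https://facturasmex.cloud/factura.html">Ver factura</a>'
            '<a href="https://example.org/legit">otro</a></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.html", html)
        zf.writestr("leeme.txt", "constructed sample")
    return buf.getvalue()


# Constructed script fragment: a Base64 blob hiding a (made-up) Dropbox URL.
SAMPLE_URL = "https://www.dropbox.com/s/CONSTRUCTED/next_stage.zip"
SAMPLE_SCRIPT = "$u = '" + base64.b64encode(SAMPLE_URL.encode()).decode() + "'\n"

if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_zip()))
    print(decode_embedded_base64(SAMPLE_SCRIPT))
```

Run as-is it reports the HTML member, the IoC hit on the refanged article domain, and the URL recovered from the Base64 blob. In production the indicator set would come from a threat-intel feed rather than a hard-coded list, and the geofencing behaviour described in the article means a sandbox that fetches the link from outside Mexico will see only the suspension error, so static inspection of the attachment is the more reliable signal.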

This technique of camouflaging malicious intent is not new and shares characteristics with previous malware campaigns targeting Spanish-speaking users, notably the Horabot malware. "Phishers continuously innovate on methods to mask their activities and avoid detection," Agregado remarked, highlighting the use of new domains that behave differently based on the visitor's geographic location as a key strategy for evading capture.

The situation escalates with another concerning revelation from Malwarebytes, which uncovered a malvertising campaign exploiting Microsoft Bing. This campaign lures users with fake ads for NordVPN, redirecting them to download a remote access trojan named SectopRAT from a bogus site ("besthord-vpn[.]com"), also hosted on Dropbox.

"Malvertising illustrates the ease with which malware can be installed discreetly under the pretense of legitimate software downloads," explained security expert Jérôme Segura. He notes that threat actors deploy extensive infrastructure swiftly to evade digital content filters.

Moreover, SonicWall also reported the discovery of a fraudulent Java Access Bridge installer, which deploys the XMRig cryptocurrency miner, and a Golang malware that manipulates multiple geographic checks and public packages to snapshot the system and tamper with HTTPS communications via the Windows registry. These findings underscore the sophisticated and evolving nature of cyber threats that continue to challenge cybersecurity defenses worldwide.
