A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.
“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.
The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.
The HTML file points containing a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.
This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.
It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.
“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.
“Using newly created domains and making them accessible only in specific countries is another evasion technique. especially if the domain behaves differently depending on their target country.”
The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).
“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”
It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.
The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”