Since at least November 2023, users in Mexico have been targeted by a carefully crafted tax-themed phishing email campaign. The campaign delivers a previously undocumented Windows malware now identified as TimbreStealer.
Cisco Talos detected the activity and noted the proficiency of the perpetrators, mentioning that the “threat actor has previously used similar tactics, techniques, and procedures (TTPs) to distribute a banking trojan known as Mispadu in September 2023.”
The phishing campaign is not only advanced in its techniques for evading detection and maintaining persistence but also highly targeted. It uses geofencing to restrict delivery to users in Mexico: a visitor from any other location receives a benign blank PDF file instead of the malicious payload.
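A practical consequence of that geofencing is that an analyst who fetches the phishing link from outside Mexico sees only the decoy, so a harmless-looking response does not clear the URL. The triage helper below is an added example written for this page, not code from Cisco Talos or from Rhyno; it classifies downloaded bytes by magic number rather than by Content-Type, and flags a PDF that has page objects but no content streams or fonts as a likely geofence decoy. The three sample inputs are constructed inline, and the "blank PDF" heuristic is an assumption about how such decoys typically look, not a description of the real server's response.

```python
import re

# Constructed sample: a minimal one-page PDF with no content stream and no
# fonts, i.e. the kind of blank decoy a geofenced server might return to
# out-of-scope visitors.
BLANK_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a one-page PDF that actually draws text.
TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >> endobj
4 0 obj << /Length 48 >>
stream
BT /F1 12 Tf 72 720 Td (Factura pendiente) Tj ET
endstream
endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: only the DOS header of a Windows executable (not a
# real program); enough for magic-byte identification.
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"


def file_kind(data: bytes) -> str:
    """Identify the container from its first bytes, ignoring what the server
    claimed in Content-Type or the filename extension."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def pdf_is_blank(data: bytes) -> bool:
    """Heuristic (assumption, not a full PDF parser): a PDF with page objects
    but no /Contents, no /Font resources and no non-empty streams renders as
    an empty page. Returns False for anything that has no page objects at all,
    so a malformed file is never mistaken for a decoy."""
    # \b after "Page" keeps "/Type /Pages" (the page tree) from matching.
    pages = len(re.findall(rb"/Type\s*/Page\b", data))
    if pages == 0:
        return False
    has_contents = re.search(rb"/Contents\b", data) is not None
    has_font = re.search(rb"/Font\b", data) is not None
    # Total bytes inside stream ... endstream bodies.
    stream_bytes = sum(
        len(body)
        for body in re.findall(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S)
    )
    return not has_contents and not has_font and stream_bytes == 0


def triage(data: bytes) -> dict:
    """Classify a fetched sample and say what the analyst should do next."""
    kind = file_kind(data)
    if kind == "pe":
        return {"kind": kind, "verdict": "payload",
                "note": "native executable; submit for full analysis"}
    if kind == "zip":
        return {"kind": kind, "verdict": "archive",
                "note": "expand and triage the members"}
    if kind == "pdf":
        if pdf_is_blank(data):
            return {"kind": kind, "verdict": "decoy_candidate",
                    "note": ("blank page with no content or fonts; server may be "
                             "geofenced, re-fetch from in-scope geography before "
                             "marking the URL benign")}
        return {"kind": kind, "verdict": "document",
                "note": "renders content; inspect for embedded actions or links"}
    return {"kind": kind, "verdict": "unknown",
            "note": "unrecognised magic bytes; inspect manually"}


if __name__ == "__main__":
    for label, sample in (("blank", BLANK_PDF), ("text", TEXT_PDF), ("pe", PE_STUB)):
        print(label, triage(sample))
```

The point of the `decoy_candidate` verdict is procedural: a blank PDF from a suspected phishing link is a reason to re-fetch from a Mexican egress point or to request the sample from an affected user, not a reason to close the ticket.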
Custom loaders and direct system calls are among the prevalent methods used to circumvent conventional API tracking. Another tactic involves leveraging Heaven’s Gate to execute 64-bit code within a 32-bit process, a technique recently adopted by HijackLoader as well.
The malware comprises several built-in modules responsible for orchestration, decryption, and protecting the main binary. Before running, it performs three checks: whether it is executing inside a sandbox, whether the system language is something other than Russian, and whether the time zone corresponds to a Latin American region.
The orchestrator module inspects files and registry keys to confirm that the machine has not already been infected before launching a payload installer component. That component displays a harmless decoy file to the user while triggering execution of TimbreStealer's primary payload.
The payload is designed to collect a wealth of information, ranging from credentials stored in various folders to system metadata and visited URLs. Furthermore, it conducts searches for files with specific extensions and validates the presence of remote desktop software.
According to Cisco Talos, similarities were identified with a Mispadu spam operation detected in September 2023. However, as emphasized by Cisco Talos’ analysis, TimbreStealer primarily targets the manufacturing and transportation sectors.
At the same time, a new version of another information stealer, Atomic (aka AMOS), has been released. This upgraded version can extract data from Apple macOS systems, including local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers, cryptocurrency wallet information, and files of interest, using a combination of Python and AppleScript code.
Bitdefender researcher Andrei Lapusneanu said, “The new variant drops and uses a Python script to stay covert.” He further notes that the AppleScript block designed to retrieve sensitive files from the victim's computer exhibits a “significantly high level of similarity” to the RustDoor backdoor.
This development also follows the appearance of new stealer families such as XSSLite, which was entered in a malware-writing competition hosted by the XSS forum. Meanwhile, long-running strains like Agent Tesla and Pony (also known as Fareit or Siplog) remain in use for stealing information that is subsequently sold on stealer-log markets such as Exodus.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.