Cybercriminals targeting Latin America with sophisticated phishing scheme

08 April 2024 | Pressroom | Cyber security / malvertising


A new phishing campaign has set its sights on the Latin America region to deliver malicious payloads to Windows systems.

“The phishing email contained an attached ZIP file that, when extracted, reveals an HTML file leading to a malicious file download passed off as an invoice,” said Karla Agregado, a researcher at Trustwave SpiderLabs.

The email message, the company said, comes from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.

The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended”, but when visited from an IP address geolocated in Mexico, it instead loads a CAPTCHA verification page that uses Cloudflare Turnstile.


This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that collects system metadata and checks the compromised machine for antivirus software.

It also embeds several Base64-encoded strings designed to execute PHP scripts that determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
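A triage routine for a dropper of the kind described above, added here as an example that is not part of the original article or of Trustwave’s analysis: it decodes every Base64 string passed to FromBase64String in a PowerShell script, then flags decoded PHP endpoints (geo checks), Dropbox links (payload retrieval) and plaintext antivirus enumeration. The sample script and its URLs are constructed placeholders, not the campaign’s real indicators.

```python
import base64
import re

# Indicators drawn from the campaign description: Base64 strings that decode to
# PHP geo-check endpoints or Dropbox download links, plus plaintext AV checks.
B64_RE = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']\s*\)")
AV_MARKERS = ("SecurityCenter2", "AntiVirusProduct", "Get-MpComputerStatus")


def decode_b64_strings(script: str) -> list[str]:
    """Return the UTF-8 plaintext of every FromBase64String() argument in the script."""
    decoded = []
    for token in B64_RE.findall(script):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: skip it, do not abort the scan
    return decoded


def triage(script: str) -> dict:
    """Summarise the behaviours a defender should look for in a suspected dropper."""
    strings = decode_b64_strings(script)
    return {
        "decoded_strings": strings,
        "php_endpoints": [s for s in strings if re.search(r"\.php(\?|$)", s)],
        "dropbox_links": [s for s in strings if "dropbox.com" in s.lower()],
        "av_enumeration": any(m in script for m in AV_MARKERS),
    }


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample mimicking the structure of the dropper described above
# (not the real script); hostnames are placeholders (.invalid / PLACEHOLDER).
SAMPLE_PS1 = f"""
$os = Get-CimInstance Win32_OperatingSystem
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
$geo = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("{_b64('https://example.invalid/geo.php')}"))
$zip = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("{_b64('https://www.dropbox.com/s/PLACEHOLDER/payload.zip?dl=1')}"))
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PS1).items():
        print(f"{key}: {value}")
```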

Trustwave said the campaign bears similarities to Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.

“Understandably, from a threat actor’s perspective, phishing campaigns always try differently [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.

“Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on the destination country.”

The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with fake ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient), hosted on Dropbox and served via a fake website (“besthord-vpn[.]com”).


“Malvertising continues to demonstrate how easy it is to surreptitiously install malware under the guise of popular software downloads,” said security researcher Jérôme Segura. “Threat actors are able to quickly and easily deploy infrastructure to bypass many content filters.”

It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to distribute the open source XMRig cryptocurrency miner, according to SonicWall.

The network security firm said it also discovered Golang malware that “uses multiple geo-checks and publicly available packets to take screenshots of the system before installing a root certificate in the Windows registry for HTTPS communications at [command-and-control server].”
