Cybercriminals are spreading a new infostealer across Mexico by capturing targets with tax season-related phishing lures, focusing on organizations rather than consumers.
The campaign observed by Cisco Talos dates back to November, when the first samples of “Timbre Stealer,” a new unfocused but wide-ranging infostealer, began spreading among targets via malicious emails. Since then, it has spread to organizations in various sectors, especially manufacturing and transportation.
More recently, threat actors have refined their phishing message by leveraging the Mexican tax season, the timing of which largely overlaps with that of the United States, to catch their business targets by surprise and fuel the further spread of Timbre Stealer.
A breakdown of Timbre Stealer
Upon execution, Timbre Stealer first determines whether the newly infected machine is of interest. Specifically, it checks that the system language is not Russian (perhaps a clue to the threat actor behind this campaign) and that the time zone is aligned with Latin America.
Next, it checks that the system has not been previously infected and that it is not running in a sandbox environment. Other stealth mechanisms include the use of custom loaders, direct system calls that bypass standard API hooking, and restricting access to its infrastructure to users in a specific geographic region.
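As an added illustration (not code from the article or from Talos), the Python snippet below models the two environment checks described above so that an analyst can confirm a detonation VM would not be filtered out before the sample does anything observable. The Latin America UTC-offset range and the locale-string normalisation are assumptions of this example, not details reported by Talos.

```python
import locale
from datetime import datetime, timezone

# Assumption (not from the article): "aligned with Latin America" is modelled as a
# UTC offset between -8 and -3 hours, the span covering Mexico through Brazil.
LATAM_UTC_OFFSETS = range(-8, -2)  # -8 .. -3 inclusive

def language_tag(lang: str) -> str:
    """Normalise a locale string such as 'ru_RU.UTF-8', 'ru-RU' or
    'Russian_Russia.1251' (Windows style) to its primary language subtag."""
    primary = lang.replace("-", "_").split("_")[0].split(".")[0].strip().lower()
    return {"russian": "ru"}.get(primary, primary)

def would_proceed(lang: str, utc_offset_hours: float) -> tuple[bool, str]:
    """Apply the language gate, then the time-zone gate, in the order the
    article describes. Returns (True, 'ok') if both pass, else (False, reason)."""
    if language_tag(lang) == "ru":
        return False, "system language is Russian"
    if int(utc_offset_hours) not in LATAM_UTC_OFFSETS:
        return False, f"UTC{utc_offset_hours:+.0f} is outside the Latin America range"
    return True, "ok"

def host_profile() -> tuple[str, float]:
    """Read this host's locale and current UTC offset (run inside the analysis VM)."""
    locale.setlocale(locale.LC_CTYPE, "")  # pick up the environment's locale
    lang = locale.getlocale()[0] or ""
    offset = datetime.now(timezone.utc).astimezone().utcoffset()
    return lang, offset.total_seconds() / 3600

if __name__ == "__main__":
    ok, why = would_proceed(*host_profile())
    print(f"this host would {'pass' if ok else 'fail'} the profiling gate: {why}")
```

Run it on the sandbox itself: a "fail" result means the VM's locale or clock would cause the sample to bail out and the analysis would show no malicious behaviour.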
“We commonly see actors implementing anti-analysis techniques; this one is on steroids,” says Guilherme Venere, threat researcher for Cisco Talos. “The authors behind this threat don’t just implement anti-analysis; they implement as many anti-analysis features as possible, which increases the difficulty for the researcher to dismantle it and for the technology to detect it.”
Once firmly established, Timbre Stealer works its way through the victim’s system, beginning by collecting a wide range of data.
It uses the Windows Management Instrumentation (WMI) interface and registry keys to collect information from the operating system. It also scans a number of key directories, such as the Desktop, Documents, and Downloads folders, for unclear purposes.
Some strings in its code suggest that it scans files and directories for information related to apps such as Microsoft Office and OneDrive, Windows Media Player, various browsers (Firefox, Microsoft Edge, Internet Explorer and Chrome), Dropbox, Avast, AMD, Brother, HP, Intel and more.
It is also interested in some URLs related to popular websites – Google.com, Wikipedia.org, Facebook.com and the like – which Talos researchers speculated might be tied to its network sniffing capabilities.
Beware of tax season scams
Like holiday shopping, tax deadlines reliably provide fertile ground for financially motivated hackers.
As Venere explains, “Every year we see actors taking advantage of current events, and tax season is one of the biggest. Unfortunately, it checks a lot of boxes for criminals as it involves large sums of money, valuable personally identifiable information (PII), and it’s something every adult has to deal with. When you put them together, it’s a perfect storm for criminals looking to make money.”
Taxes are also complicated, tedious, and stressful, factors that could make victims less discerning about what they click on.
In this latest campaign, for example, in addition to generic invoices, the attackers designed a decoy around “Comprobante Fiscal Digital por Internet” (CFDI) (in English: online digital fiscal invoice), the mandatory electronic invoice standard of Mexico used for tax reporting. When unsuspecting targets follow the malicious link, they are led to download Timbre Stealer.
In addition to an overall defense-in-depth approach to cybersecurity, Venere recommends that at this time of year, “organizations should train users on the prevalence of tax spam, with particular attention to the areas most likely to be impacted, such as finance.”