Mexican customers have been focused with tax-themed phishing lures at the very least since November 2023 to distribute a beforehand undocumented Home windows malware referred to as TimbreStealer.
Cisco Talos, which found the exercise, described the authors as expert and that the “menace actor has beforehand used comparable ways, strategies and procedures (TTPs) to distribute a banking trojan referred to as Mispadu in September 2023.
Apart from using subtle obfuscation strategies to sidestep detection and guarantee persistence, the phishing marketing campaign makes use of geofencing to single out customers in Mexico, returning an innocuous clean PDF file as an alternative of the malicious one if the payload websites are contacted from different places.
Among the notable evasive maneuvers embody leveraging customized loaders and direct system calls to bypass standard API monitoring, along with using Heaven’s Gate to execute 64-bit code inside a 32-bit course of, an method that was additionally lately adopted by HijackLoader.
The malware comes with a number of embedded modules for orchestration, decryption, and safety of the principle binary, whereas additionally operating a sequence of checks to find out if it is operating a sandbox surroundings, the system language will not be Russian, and the timezone is inside a Latin American area.
The orchestrator module additionally appears to be like for information and registry keys to double-check that the machine hasn’t been beforehand contaminated, earlier than launching a payload installer element that shows a benign decoy file to the person, because it in the end triggers the execution of TimbreStealer’s main payload.
The payload is designed to reap a variety of information, together with credential data from totally different folders, system metadata, and the URLs accessed, search for information matching particular extensions, and confirm the presence of distant desktop software program.
Cisco Talos mentioned it recognized overlaps with a Mispadu spam marketing campaign noticed in September 2023, though the goal industries of TimbreStealer are various and with a concentrate on manufacturing and transportation sectors.
The disclosure comes amid the emergence of a brand new model of one other data stealer referred to as Atomic (aka AMOS), which is able to gathering knowledge from Apple macOS programs reminiscent of native person account passwords, credentials from Mozilla Firefox and Chromium-based browsers, crypto pockets data, and information of curiosity, utilizing an uncommon mixture of Python and Apple Script code.
“The brand new variant drops and makes use of a Python script to remain covert,” Bitdefender researcher Andrei Lapusneanu mentioned, noting the Apple Script block for accumulating delicate information from the sufferer’s laptop displays a “considerably excessive stage of similarity” with the RustDoor backdoor.
It additionally follows the emergence of recent stealer malware households reminiscent of XSSLite, which was launched as a part of a malware growth competitors hosted by the XSS discussion board, whilst present strains like Agent Tesla and Pony (aka Fareit or Siplog) continued for use for data theft and subsequent sale on stealer logs marketplaces like Exodus.
