Mexicos Timbre Stealer Campaign Targets Manufacturing

Published: 23/11/2024   Category: security




A new infostealer spreading to organizations across Mexico heralds 2024's fresh season of tax-themed phishing attacks.



Cybercriminals are spreading a new infostealer across Mexico by catching targets with tax season-related phishing lures — focusing on organizations rather than consumers.
The campaign observed by Cisco Talos goes back to November, when the first samples of Timbre Stealer, a new unfocused but wide-ranging infostealer, began spreading to targets via malicious emails. Since then, it has spread to organizations across varied industries, most of all manufacturing and transportation.
More recently, the threat actors have honed their phishing message using Mexico's tax season — the timing of which broadly overlaps with the US's — to catch their corporate targets off guard and perpetuate the further spread of Timbre Stealer.
Upon execution, Timbre Stealer first determines if its newly infected machine is of interest. Specifically, it checks that the system language is not Russian (perhaps a hint at the threat actor behind this campaign) and that its time zone is aligned with Latin America.
Next, it double-checks that the system hasn't been previously infected and that it's not running in a sandbox environment. Other stealth mechanisms include its use of custom loaders, direct system calls that bypass standard API monitoring, and restricting access to its infrastructure to users in a specific geographic region.
"We commonly see actors implement anti-analysis techniques; this is that on steroids," says Guilherme Venere, threat researcher for Cisco Talos. "The authors behind this threat do not just implement anti-analysis; they implement as many anti-analysis capabilities as they can, which increases the difficulty on the researcher to take it apart as well as for technology to detect it."
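The language and time-zone gates described above matter to anyone trying to detonate a sample: an analysis VM with a Russian locale or a European clock will likely see the malware exit before doing anything observable. The script below is an added example written for this page, not code from Talos or from the malware. It models the two reported gates and reports whether the machine it runs on (or a profile passed in) would pass them. The exact UTC offsets the malware accepts are not stated in the article, so the UTC-8 to UTC-3 range is an assumption, as are the function names.

```python
"""Pre-detonation check for an analysis VM (added example, not from the article).

Timbre Stealer is reported to bail out when the system language is Russian or
when the time zone does not look Latin American. Before detonating a sample,
an analyst wants the VM to present a profile that passes those gates.
"""
import locale
import time

# Assumption: UTC offsets (whole hours) treated as "Latin America" for this check.
# range(-8, -2) yields -8, -7, -6, -5, -4, -3, which covers Mexico and most of the region.
LATAM_UTC_OFFSETS = range(-8, -2)


def gate_report(lang_tag, utc_offset_hours):
    """Return which of the two reported gates a VM profile would pass.

    lang_tag: a locale identifier such as 'es_MX' or 'ru_RU' (may be None).
    utc_offset_hours: local UTC offset as an integer number of hours.
    """
    lang = (lang_tag or "").lower()
    return {
        "language_not_russian": not lang.startswith("ru"),
        "timezone_latam": utc_offset_hours in LATAM_UTC_OFFSETS,
    }


def would_run(report):
    """True when every gate in the report passes."""
    return all(report.values())


def current_vm_profile():
    """Read the locale and (non-DST) UTC offset of the machine running this script."""
    lang_tag = locale.getlocale()[0]
    # time.timezone is seconds WEST of UTC, so negate it to get the usual sign.
    offset = -time.timezone // 3600
    return lang_tag, offset


if __name__ == "__main__":
    tag, offset = current_vm_profile()
    rep = gate_report(tag, offset)
    print(f"locale={tag!r} utc_offset={offset:+d}")
    for gate, ok in rep.items():
        print(f"  {gate}: {'pass' if ok else 'FAIL'}")
    if would_run(rep):
        print("sample would likely proceed on this VM")
    else:
        print("sample would likely bail out; adjust the VM locale and time zone first")
```

Run it inside the sandbox image before submitting a sample; if either gate reports FAIL, change the VM's display language and clock rather than concluding the sample is inert.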
Once firmly established on the host, Timbre Stealer begins collecting a vast spread of diverse data.
It uses the Windows Management Instrumentation (WMI) interface and registry keys to collect information from the operating system. It also scans a number of fundamental directories, like the Desktop, Documents, and Downloads folders, for purposes that aren't entirely clear.
Certain strings in its code suggest that it scans files and directories for information relating to apps such as Microsoft Office and OneDrive, Windows Media Player, various browsers (Firefox, Microsoft Edge, Internet Explorer, and Chrome), Dropbox, Avast, AMD, Brother, HP, Intel, and more. 
It's also interested in certain URLs relating to popular websites — Google.com, Wikipedia.org, Facebook.com, and the like — which Talos researchers speculated may have to do with network sniffing capabilities.
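The collection behaviour described above (WMI queries for OS details, registry reads, and enumeration of the Desktop, Documents and Downloads folders by one process in quick succession) is the kind of pattern an endpoint detection rule can correlate. The following is an added example written for this page, not a Talos rule or any product's detection content. It runs a toy correlation over constructed telemetry records; the event types, field layout, 60-second window and sample paths are all assumptions modelled loosely on Sysmon-style process telemetry.

```python
"""Toy correlation rule over constructed endpoint telemetry (added example).

Flags a process that, inside one short window, queries the OS via WMI, reads
registry keys, and enumerates all three of Desktop, Documents and Downloads.
"""
from collections import defaultdict

WINDOW_SECONDS = 60                      # assumed correlation window
USER_DIRS = ("desktop", "documents", "downloads")

# Constructed sample telemetry: (timestamp, pid, event_type, target).
SAMPLE_EVENTS = [
    (1000, 4242, "wmi_query", "SELECT * FROM Win32_OperatingSystem"),
    (1003, 4242, "reg_query", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    (1005, 4242, "dir_enum",  r"C:\Users\alice\Desktop"),
    (1006, 4242, "dir_enum",  r"C:\Users\alice\Documents"),
    (1008, 4242, "dir_enum",  r"C:\Users\alice\Downloads"),
    (1001, 5151, "wmi_query", "SELECT * FROM Win32_OperatingSystem"),  # benign inventory agent
    (1002, 6161, "dir_enum",  r"C:\Users\bob\Downloads"),               # explorer-like browsing
    (1900, 6161, "dir_enum",  r"C:\Users\bob\Desktop"),                 # spread out over minutes
    (1950, 6161, "dir_enum",  r"C:\Users\bob\Documents"),
]


def _leaf(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_pids(events, window=WINDOW_SECONDS):
    """Return the set of pids whose events show all three behaviours inside one window."""
    by_pid = defaultdict(list)
    for ts, pid, etype, target in events:
        by_pid[pid].append((ts, etype, target))

    hits = set()
    for pid, evs in by_pid.items():
        evs.sort()
        # Sliding window: anchor on each event and look ahead `window` seconds.
        for i, (start_ts, _, _) in enumerate(evs):
            seen_types = set()
            seen_dirs = set()
            for ts, etype, target in evs[i:]:
                if ts - start_ts > window:
                    break
                seen_types.add(etype)
                if etype == "dir_enum" and _leaf(target) in USER_DIRS:
                    seen_dirs.add(_leaf(target))
            if {"wmi_query", "reg_query"} <= seen_types and seen_dirs == set(USER_DIRS):
                hits.add(pid)
                break
    return hits


if __name__ == "__main__":
    print("suspicious pids:", sorted(find_suspicious_pids(SAMPLE_EVENTS)))
```

The rule deliberately requires all three behaviours from the same process within the window: a single WMI query (common to inventory agents) or a user browsing their own folders over several minutes does not fire, which keeps the false-positive rate manageable when the same logic is ported to a real telemetry pipeline.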
Like holiday-season shopping, tax deadlines reliably provide fertile ground for financially motivated cyberattackers.
As Venere explains, "Every year we see actors taking advantage of current affairs, and tax season is one of the biggest. It unfortunately checks a lot of boxes for criminals as it involves large sums of money, valuable personally identifiable information (PII), and is something that every adult has to deal with. When you combine them, it is a perfect storm for criminals looking to make money."
Taxes are also complicated, boring, and stressful — factors that might make victims less discerning about what they click on.
In this latest campaign, for example, besides generic invoices, the attackers designed a lure around Comprobante Fiscal Digital por Internet (CDFI) (in English: online fiscal digital invoice), Mexico's mandatory electronic invoice standard used for tax reporting. When unwitting targets follow the malicious link, they're led to download Timbre Stealer.
Besides a general defense-in-depth approach to cybersecurity, Venere recommends that around this time of year organizations should be giving user training about the prevalence of tax-based spam, with a focus on those areas most likely to be impacted, like finance.
