Cybercriminals Target Windows Systems with Advanced Phishing Scheme

A recent phishing campaign is targeting Windows users in Latin America with malicious payloads. The phishing email carries a ZIP attachment that, when extracted, yields an HTML file; opening that file leads to the download of a malicious file disguised as an invoice.

The email is sent from an address on the domain “temporary[.]link”, and its headers list Roundcube Webmail as the User-Agent. The HTML file contains a link to “facturasmex[.]cloud” which, when visited from a Mexican IP address, first serves a CAPTCHA page built on Cloudflare Turnstile and then redirects to a second domain that delivers a malicious RAR archive. Visitors from other countries do not get the payload, which makes the chain hard to reproduce from a sandbox outside the targeted region.
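The attachment chain described above (ZIP, then an HTML file, then a link to the indicator domain) can be triaged offline without visiting the link. The script below is an added example, not code from the campaign or from the original article: it parses a constructed .eml, checks the sender domain and the User-Agent header against what the article reports, opens any ZIP attachment, extracts every href from the HTML files inside, and flags links whose host is one of the defanged indicators quoted above. The sample message, its local part, filenames and URL path are placeholders constructed for this example.

```python
"""
Attachment-chain triage (added illustration, not the campaign's code and not
from the original article). Indicator domains are the ones the article quotes;
the sample message below is constructed, with placeholder local part, path
and filenames.
"""
from __future__ import annotations

import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators quoted in the article, kept defanged on purpose.
IOC_DOMAINS = {"temporary[.]link", "facturasmex[.]cloud"}
# User-Agent value the article reports on the phishing mail.
SUSPECT_USER_AGENTS = {"roundcube webmail"}
HREF_RE = re.compile(r"""href\s*=\s*["']([^"'>\s]+)""", re.I)


def refang(value: str) -> str:
    """'example[.]com' -> 'example.com', 'hxxps://' -> 'https://'."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches_ioc(host: str) -> bool:
    """True for an indicator domain or any subdomain of it."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc)
               for ioc in map(refang, IOC_DOMAINS))


def html_files_in_zip(data: bytes) -> dict[str, str]:
    """Name -> decoded text for every .htm/.html entry in a ZIP blob."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".htm", ".html")):
                out[info.filename] = zf.read(info).decode("utf-8", "replace")
    return out


def triage(raw_eml: bytes) -> dict:
    """Return sender domain, flagged links and a list of human-readable findings."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    ua = (msg.get("User-Agent") or "").lower()
    findings = []
    if host_matches_ioc(sender_domain):
        findings.append(f"sender domain {sender_domain} is a listed indicator")
    if any(s in ua for s in SUSPECT_USER_AGENTS):
        findings.append(f"User-Agent '{msg.get('User-Agent')}' matches the campaign")
    flagged_links = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True)
        if not name.endswith(".zip") or not payload:
            continue
        for html_name, html in html_files_in_zip(payload).items():
            for url in HREF_RE.findall(html):
                host = urlparse(url).hostname or ""
                if host_matches_ioc(host):
                    flagged_links.append(url)
                    findings.append(f"{name}:{html_name} links to {host}")
    return {"sender_domain": sender_domain, "flagged_links": flagged_links,
            "findings": findings, "suspicious": bool(findings)}


def build_sample_eml() -> bytes:
    """Constructed message mimicking the chain the article describes."""
    html = ('<html><body><p>Su factura adjunta</p>'
            '<a href="https://facturasmex.cloud/factura/ver">Ver factura</a>'  # placeholder path
            '</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("factura.html", html)
    msg = EmailMessage()
    msg["From"] = "facturacion@temporary.link"   # placeholder local part
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Factura pendiente"
    msg["User-Agent"] = "Roundcube Webmail"
    msg.set_content("Adjunto la factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="factura.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample_eml())["findings"]:
        print(line)
```

Matching on the sender domain and a User-Agent string is weak on its own (both are trivially changed by the attacker), so the verdict here rests on the combination with a ZIP-wrapped HTML file that links to a listed domain; in a mail-gateway rule the archive-contains-HTML condition is the durable part.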

The RAR archive contains a PowerShell script that collects system metadata and checks whether antivirus software is present. The script also carries Base64-encoded strings that are used to run PHP scripts, which determine the user's country and fetch a ZIP file from Dropbox containing numerous suspicious files.
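Base64-encoded strings embedded in a script are a common way to keep URLs and commands out of plain-text scanners, and they are also easy to surface. The following is an added example, not the campaign's script and not code from the original article: it scans a script body for Base64 runs, decodes the ones that turn out to be readable text, and reports any whose plaintext mentions the things the article describes (PHP, Dropbox, a country lookup, a ZIP download). The PowerShell snippet it scans is a constructed stand-in; the URLs in it are placeholders.

```python
"""
Base64 string hunting in a script body (added illustration, not the campaign's
code and not from the original article). SAMPLE_SCRIPT is a constructed
stand-in for the kind of PowerShell the article describes; its URLs are
placeholders.
"""
from __future__ import annotations

import base64
import binascii
import re

# Base64 alphabet runs of 20+ chars, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Plaintext markers drawn from the article's description of the script.
KEYWORDS = ("php", "dropbox", "country", ".zip")


def looks_like_text(s: str) -> bool:
    """Printable (plus whitespace) and overwhelmingly ASCII."""
    if not s or not all(c.isprintable() or c in "\r\n\t" for c in s):
        return False
    return sum(ord(c) < 128 for c in s) / len(s) >= 0.9


def decode_candidates(text: str) -> list[tuple[str, str]]:
    """(encoded, decoded) for every run that decodes to readable text."""
    out = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        if len(blob) % 4:            # real Base64 is padded to a multiple of 4
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Inline strings are usually UTF-8; -EncodedCommand payloads are UTF-16LE.
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if looks_like_text(s):
                out.append((blob, s))
                break
    return out


def suspicious_hits(script: str) -> list[dict]:
    """Decoded blobs whose plaintext contains one of the KEYWORDS."""
    hits = []
    for blob, decoded in decode_candidates(script):
        words = [k for k in KEYWORDS if k in decoded.lower()]
        if words:
            hits.append({"encoded": blob, "decoded": decoded, "keywords": words})
    return hits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed stand-in: metadata collection, an AV enumeration via the
# SecurityCenter2 WMI namespace, two encoded URLs and one binary blob
# that should be ignored. None of this is the campaign's actual script.
SAMPLE_SCRIPT = f"""
$info = Get-ComputerInfo | Select-Object CsName, OsName, OsVersion
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
$geo = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_b64(b'https://example.invalid/geo.php?check=country')}'))
$zip = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_b64(b'https://www.dropbox.com/s/example/archive.zip?dl=1')}'))
$bin = [Convert]::FromBase64String('{_b64(bytes(range(24)))}')
"""


if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_SCRIPT):
        print(hit["keywords"], "->", hit["decoded"])
```

The readable-text filter matters: random or binary data frequently decodes "successfully" as UTF-16LE into exotic but printable code points, so the ASCII-ratio check is what keeps the noise out. Extend KEYWORDS with your own indicators rather than relying on the four the article happens to mention.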

There are similarities between this campaign and earlier Horabot malware campaigns that targeted Spanish-speaking users in Latin America. The threat actors keep adjusting their tactics to evade detection, for example by using newly registered domains that are reachable only from specific countries.

In recent months, social engineering attacks have expanded beyond email phishing to direct messages on platforms such as Facebook and LinkedIn, which aim to trick users into downloading malware or redirect them to credential-harvesting pages.

Malvertising campaigns can likewise install malware disguised as downloads of popular software, highlighting the ability of threat actors to bypass content filters.

The discovery of a fake Java Access Bridge installer that deploys the XMRig cryptocurrency miner, and of Golang malware that installs a root certificate for HTTPS communication with its command-and-control server, further underscores the evolving threat landscape.

To avoid falling victim to phishing schemes, treat unexpected emails with caution, especially those carrying attachments or links. Check the sender's actual address rather than the display name, and watch for red flags such as spelling errors or urgent language. Keep antivirus software up to date and enable a phishing filter in your email client. For organisations, the ZIP-to-HTML-to-RAR chain described above is also a reason to quarantine archive attachments that contain HTML files at the mail gateway.