A new Windows information stealer named TimbreStealer has been observed spreading through tax-themed phishing lures aimed at users in Mexico since at least November 2023. The researchers who identified the malware note that the threat actors behind it are experienced: they used the same kind of lure to distribute the Mispadu banking trojan in September 2023.
The campaign layers several obfuscation and evasion techniques to avoid detection and maintain persistence. Delivery is geofenced: only visitors from Mexico receive the malware, while everyone else is served a harmless blank PDF, so a sandbox or analyst connecting from outside the region sees nothing malicious. The malware itself uses custom loaders and direct system calls rather than the documented Windows API, which sidesteps user-mode API hooks placed on ntdll exports, and it uses the Heaven's Gate technique to switch a 32-bit process into executing 64-bit code.
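Direct syscalls and Heaven's Gate leave recognisable opcode sequences in memory or on disk, which is one of the few static handles a defender has when API hooks are being bypassed. The scanner below is an added example written for this page; it is not code from the original article or from the researchers who analysed TimbreStealer, and it is not derived from the TimbreStealer sample. It looks for the classic `push 0x33 / call $+5 / add [esp],5 / retf` gate, the `jmp far 0x33:imm32` form, and the x64 `mov r10,rcx / mov eax,SSN / syscall / ret` stub that direct-syscall loaders copy out of ntdll. The input buffer is a constructed byte string, not real malware.

```python
"""Scan a byte buffer for Heaven's Gate transitions and direct-syscall stubs.

Added example (not from the original page). The opcode patterns are the
well-known textbook idioms; real loaders may encode them differently, and
0xEA or 0x0F 0x05 can occur by chance in data, so treat hits as triage
leads to confirm in a debugger, not as verdicts.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset into the scanned buffer
    kind: str     # "heavens_gate", "direct_syscall" or "bare_syscall"
    detail: str   # human-readable disassembly of what matched


# 32->64 transition: push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
# Selector 0x33 is the 64-bit code segment under WoW64.
HEAVENS_GATE_PUSH_RETF = bytes.fromhex("6a33e80000000083042405cb")

# jmp far 0x33:imm32  ->  EA <addr32> 33 00
HEAVENS_GATE_FAR_JMP = re.compile(rb"\xea(.{4})\x33\x00", re.DOTALL)

# x64 Nt* stub shape: mov r10, rcx ; mov eax, imm32 ; syscall ; ret
# Loaders that copy this out of ntdll embed the system service number inline.
DIRECT_SYSCALL_X64 = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})\x0f\x05\xc3", re.DOTALL)

# A lone syscall (0F 05) or sysenter (0F 34) outside ntdll is suspicious by itself.
BARE_SYSCALL = re.compile(rb"\x0f\x05|\x0f\x34")


def scan(buf: bytes) -> list[Finding]:
    """Return all pattern hits in buf, sorted by offset."""
    findings: list[Finding] = []
    covered: set[int] = set()   # offsets already explained by a full stub match

    start = 0
    while (i := buf.find(HEAVENS_GATE_PUSH_RETF, start)) != -1:
        findings.append(Finding(i, "heavens_gate",
                                "push 0x33 ; call $+5 ; add dword [esp], 5 ; retf"))
        start = i + 1

    for m in HEAVENS_GATE_FAR_JMP.finditer(buf):
        target = struct.unpack("<I", m.group(1))[0]
        findings.append(Finding(m.start(), "heavens_gate", f"jmp far 0x33:{target:#010x}"))

    for m in DIRECT_SYSCALL_X64.finditer(buf):
        ssn = struct.unpack("<I", m.group(1))[0]
        findings.append(Finding(m.start(), "direct_syscall", f"mov eax, {ssn:#x} ; syscall"))
        covered.update(range(m.start(), m.end()))

    for m in BARE_SYSCALL.finditer(buf):
        if m.start() in covered:
            continue   # already reported as part of a complete stub
        mnemonic = "syscall" if m.group(0) == b"\x0f\x05" else "sysenter"
        findings.append(Finding(m.start(), "bare_syscall", mnemonic))

    return sorted(findings, key=lambda f: f.offset)


# Constructed test buffer (not from any real sample): a benign x86 prologue,
# then a Heaven's Gate, an x64 syscall stub with SSN 0x18, and a far jump.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"            # push ebp ; mov ebp, esp ; sub esp, 0x10
    + b"\x90" * 8
    + HEAVENS_GATE_PUSH_RETF               # offset 14
    + b"\x90" * 8
    + b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"   # offset 34
    + b"\x90" * 4
    + b"\xea\x00\x10\x40\x00\x33\x00"      # offset 49: jmp far 0x33:0x00401000
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.kind:<15} {f.detail}")
```

In practice you would feed `scan()` the executable sections of a dumped process or an unpacked payload rather than the packed file, since the stubs are usually decrypted only at runtime; pairing this with a runtime check that a `syscall` instruction retired outside ntdll's image range catches the cases the byte patterns miss.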
TimbreStealer ships with several embedded modules that handle orchestration, decryption, and protection of the main binary. Before launching its payload installer it checks for sandbox indicators and verifies the system language and time zone, so that a detonation environment outside the targeted locale never reaches the payload stage; the installer then opens a decoy document for the user while the primary payload runs in the background.
TimbreStealer's victims span a range of industries, with manufacturing and transportation the most represented, and the campaign overlaps in lures and infrastructure with the Mispadu spam campaign of September 2023. The discovery coincides with a new version of the Atomic information stealer targeting Apple macOS and with new families such as XSSLite, a reminder that information theft remains a steady, actively developed threat.
To reduce the risk of TimbreStealer infections, organisations should deploy email security controls that detect and block phishing messages and their tax-themed attachments and links. Keeping software up to date and training employees to recognise phishing lures further lower the chance of a successful compromise. Strong, unique passwords still matter, but an information stealer harvests saved credentials regardless of their strength, so phishing-resistant multi-factor authentication and prompt credential rotation after a suspected infection are the controls that limit the damage once a machine is compromised.