Tax Evader in Mexico Faces Data Loss Penalty

Mexican Users Targeted by Timbrestealer Malware Campaign

Cisco Talos reports that Mexican users are the target of a new Windows malware campaign known as Timbrestealer. The phishing campaign uses tax-themed documents as lures to distribute the malware.

The operation employs sophisticated evasion techniques to avoid detection and keep the malware running on infected systems. Geofiltering restricts the campaign to users in Mexico: visitors from other regions who reach the malicious sites are redirected to harmless, empty PDF documents.

Notable tactics include the use of customizers, direct system calls that bypass API monitoring, and Heaven's Gate, a technique that evades endpoint security tools by executing 64-bit code inside 32-bit Windows processes, sidestepping user-mode hooks. The same technique was previously used by another malware, HijackLoader.

Timbrestealer contains built-in modules for orchestration, decryption, and protection of its core binary. Before running, the malware checks that it is not inside a virtualized environment and that the system time zone matches a Latin American one.

The primary objective of the malware is to gather a wide range of data, including account information, metadata from visited URLs, files with specific extensions, and the presence of remote access software. Timbrestealer targets various industries, including the manufacturing and transportation sectors.

Recently, Palo Alto Networks Unit 42 researchers identified attacks on Mexican users involving the Mispadu trojan, which is designed to steal banking data. The trojan, first discovered in 2019, spreads through phishing messages and exploits a Windows SmartScreen vulnerability that was patched in November 2023.
