In Mexico and Chile, a cybercrime group known as Fenix has been conducting targeted attacks on tax-paying individuals to breach networks and steal valuable data. The group’s modus operandi involves cloning the official portals of the tax authorities in both countries and directing potential victims to these fake websites.
Users are prompted to download a supposed security tool that, unbeknownst to them, actually installs malware, enabling the theft of sensitive information, including credentials.
Fenix’s primary objective, according to a Latin America-focused cybersecurity firm, is to act as an initial access broker, gaining entry into various companies in the region, and then selling this access to ransomware affiliates for further exploitation. Evidence suggests that the group has been orchestrating phishing campaigns, coinciding with government activities since at least the fourth quarter of 2022.
The mechanics of the attack involve enticing visitors to the impersonated websites to download software claiming to enhance portal navigation safety or directing them to phishing sites disguised as legitimate apps like AnyDesk. However, the downloaded ZIP file serves as a springboard for an infection sequence that activates an obfuscated PowerShell script, running a .NET binary and displaying a message “Ahora se encuentra protegido” (meaning “Now you are protected” in Spanish) to maintain the deception.
Subsequently, the .NET executable establishes persistence on the compromised host, deploying a botnet malware that can execute commands from a remote server. This malware also exfiltrates credentials stored in web browsers and crypto wallets before deleting itself. The researchers warn that new malicious groups like Fenix are emerging in Latin America to provide initial access to ransomware gangs, and they possess technical expertise that makes them challenging to track and eradicate. As such, anticipating their actions becomes essential in combating such cyber threats.
