Gecko Campaign
Type of Malware | Dropper
Targeted Countries | Argentina
Date of Initial Activity | 2024
Additional Names | Gecko Assault
Motivation | Financial Gain
Type of Information Stolen | Financial Data
Attack Vectors | Web Browsing
Targeted Systems | Windows
Overview
In August 2024, SCILabs unveiled a dangerous and sophisticated cyberattack campaign targeting users in Latin America, named Operation Gecko Assault. This operation primarily involves the distribution of malware families, including URSA/Mispadu and Mekotio, which are notorious for their ability to steal banking credentials and sensitive information. The campaign’s primary target appears to be Argentine users, as it leverages phishing emails that impersonate the Administración Federal de Ingresos Públicos (AFIP), Argentina’s national tax agency. By using this trusted institution as a lure, the attackers attempt to deceive individuals into downloading malicious files, placing sensitive data at risk.
Through a detailed investigation, SCILabs identified key tactics, techniques, and procedures (TTPs) used by the attackers in their malware distribution methods. While the exact distribution vector remains unclear, analysis points to phishing as the most likely approach, with malicious links and attachments leading victims to compromised websites. The attackers' use of legitimate domains, such as opticasdavid.com and hotelandino.com, which were likely taken over to distribute the malware, illustrates the growing sophistication of this campaign. As these domains have been identified as legitimate but compromised, the potential for further attacks across Latin America remains a serious concern.
Targets
Individuals
Information
How they operate
The attack begins with phishing emails, which are likely distributed under the guise of official communications from Argentina's Administración Federal de Ingresos Públicos (AFIP). These emails contain links leading to compromised websites, including opticasdavid.com and hotelandino.com, both of which appear to have been legitimate domains hijacked by the attackers. Upon visiting these sites, victims are presented with a CAPTCHA challenge, a notable tactic intended to keep automated crawlers and sandboxes from reaching the payload so that only a human victim does. Once the CAPTCHA is solved, the victim is tricked into downloading a ZIP file named Fact_AFIP_659341, which contains several malicious components.
The ZIP file includes a legitimate executable for GoToMeeting, named Factura_Digital_AFIP.exe, which acts as a trojan horse. This executable is abused through a DLL hijacking (sideloading) technique: the legitimate binary loads a malicious DLL placed alongside it, which initiates the second stage of the malware. The DLL, developed in Delphi, takes advantage of known vulnerabilities in the software environment, enabling the malware to execute additional payloads within the victim's system. Because the malicious code runs in the context of a trusted, signed application, DLL hijacking lets the attackers bypass security checks that key on the parent binary and raises the chances of successful malware execution.
Following the execution of the trojan, the next phase of the infection occurs. The compromised executable downloads additional artifacts to the victim's system, specifically two files located in the %APPDATA% directory. These files include an AutoIt v3 executable (BC12AA58.exe) and a malicious AutoIt script. AutoIt, a legitimate scripting language commonly used for automation, is abused by the attackers to create a backdoor into the victim's machine. The malicious script runs silently in the background, allowing the attackers to maintain persistence, capture sensitive data, and potentially expand their control over the victim's system.
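The three stages above (a renamed GoToMeeting binary sideloading a DLL from its own folder, stage-2 files dropped in %APPDATA%, and an AutoIt interpreter started from there) translate directly into endpoint detections. The following is an added example written for this page, not SCILabs' tooling: it runs simple rules over constructed Sysmon-style events (field names Image, ImageLoaded, TargetFilename and Description as in Sysmon event IDs 7, 11 and 1). The user name, the sideloaded DLL name (marked PLACEHOLDER, since the report does not name it) and the "AutoIt v3 Script" version-info string are assumptions.

```python
"""Detection logic for the Gecko infection chain over constructed Sysmon-style
events (event IDs 7 ImageLoad, 11 FileCreate, 1 ProcessCreate).
Added example; the sample events below are made up, not captured."""
import ntpath
import re
from typing import Optional

# User-writable locations from which a dropper's components typically run.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Temp)\\", re.I)
APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

def same_directory(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def detect(event: dict) -> Optional[str]:
    """Return an alert string for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 7:  # ImageLoad: a binary in a user directory pulling a DLL from its own folder
        img, dll = event["Image"], event["ImageLoaded"]
        if USER_WRITABLE.search(img) and dll.lower().endswith(".dll") and same_directory(img, dll):
            return f"possible DLL sideload: {ntpath.basename(img)} loaded {ntpath.basename(dll)}"
    elif eid == 11:  # FileCreate: stage-2 artifacts (AutoIt runtime + script) written to %APPDATA%
        target = event["TargetFilename"]
        if APPDATA.search(target) and target.lower().endswith((".exe", ".au3")):
            return f"executable or AutoIt script dropped in AppData: {ntpath.basename(target)}"
    elif eid == 1:  # ProcessCreate: AutoIt interpreter started from AppData under an arbitrary name
        img = event["Image"]
        # Description is the PE version-info string; "AutoIt v3 Script" is assumed for the runtime.
        if APPDATA.search(img) and "autoit" in event.get("Description", "").lower():
            return f"AutoIt interpreter running from AppData as {ntpath.basename(img)}"
    return None

# Constructed events: the user name, the sideloaded DLL name (PLACEHOLDER) and the
# Description string are assumptions; the other file names follow the campaign report.
D = r"C:\Users\ana\Downloads\Fact_AFIP_659341"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": D + r"\Factura_Digital_AFIP.exe", "ImageLoaded": D + r"\PLACEHOLDER_sideloaded.dll"},
    {"EventID": 7, "Image": D + r"\Factura_Digital_AFIP.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Users\ana\AppData\Roaming\BC12AA58.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
    {"EventID": 1, "Image": r"C:\Users\ana\AppData\Roaming\BC12AA58.exe", "Description": "AutoIt v3 Script"},
]

def run(events) -> list:
    """Return (EventID, alert) pairs for every event that triggers a rule."""
    return [(e["EventID"], a) for e in events if (a := detect(e)) is not None]

if __name__ == "__main__":
    for eid, alert in run(SAMPLE_EVENTS):
        print(eid, alert)
```

The benign events (a system DLL loaded from System32, a temporary Office file in AppData) are included to show that the rules key on location and relationship rather than on the file names alone.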
Throughout the infection chain, the attackers demonstrate a high level of technical sophistication, exploiting known vulnerabilities, leveraging trusted applications, and utilizing social engineering tactics to bypass detection. The malware’s capabilities, including the theft of banking credentials and sensitive personal information, pose significant risks to both individuals and organizations. If successful, this attack could lead to substantial financial losses, data breaches, and reputational damage. The technical complexity of Operation Gecko Assault highlights the growing challenges faced by cybersecurity professionals in defending against evolving cyber threats, particularly in Latin America, where such targeted campaigns are becoming more common. Organizations in the region must remain vigilant, enhancing their defenses to mitigate the risks posed by such advanced threats.