A recent phishing campaign has honed in on the Latin American region, aiming to infiltrate Windows systems with malicious payloads. Trustwave SpiderLabs researcher Karla Agregado detailed the tactics, revealing that the campaign involves phishing emails containing ZIP file attachments. These ZIP files, when extracted, reveal HTML files leading to fake invoice downloads. Notably, the campaign leverages sophisticated techniques like using specific domain formats and employing geolocation-based redirections to evade detection.
The emails originate from addresses using the domain “temporary[.]link” and employ Roundcube Webmail as the User-Agent string. Despite displaying an error message on initial inspection, the HTML files actually lead to a CAPTCHA verification page upon visitation from Mexican IP addresses. This is followed by redirection to another domain where a malicious RAR file is downloaded, containing a PowerShell script that gathers system metadata and checks for antivirus presence.
Trustwave highlights similarities between this campaign and past Horabot malware endeavors, suggesting a concerted effort to target Spanish-speaking users in Latin America. Karla Agregado underscores the evolving nature of phishing tactics, emphasizing the use of newly created domains accessible only in specific countries as a evasion technique. This development coincides with the unveiling of other cyber threats, including malvertising campaigns and fake software installers, showcasing the ongoing challenges posed by cybercriminal activities.
