A recent phishing campaign has been discovered that targets Latin America. The campaign uses emails with ZIP attachments that contain an HTML file disguised as an invoice. These emails use free, temporary email addresses with the domain “temporary.link” and spoof the User-Agent field in the header to indicate the use of Roundcube Webmail, a platform frequently abused by phishers.
The aim is to trick recipients into downloading malware. A potentially malicious URL is identified within the HTML file, which, when accessed directly, leads to a non-functional page. This indicates that the URL resolves to IP address 89.116.32.138. A TrustWave investigation reveals that the domain is young (approximately one year old) and uses Cloudflare nameservers. Some registrant contact information for this domain traces back to Mexico, raising suspicions about the URL’s legitimacy.
Attackers are targeting users in Mexico with this phishing scheme. When a specific URL is accessed with a Mexican IP, victims are redirected to a page requesting human verification. This verification step leads to the download of a malicious RAR archive, which contains a PowerShell script designed to gather information from the victim’s machine, including the computer’s name, operating system, and antivirus presence.
The script also contains encoded URLs that, when decoded, initiate further malicious actions, potentially including downloading additional malware. A malicious website encoded with a base64 string attempts to identify the user’s country through a URL, which might be part of a larger campaign similar to previous “Horabot” campaigns. Another encoded string leads to a malicious URL that downloads a ZIP archive containing suspicious files, including a newly created executable AutoIt file, suggesting potential malicious activity.
