A new phishing marketing campaign has set its eyes on the Latin American area to provide destructive payloads to Windows devices.
“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that prospects to a malicious file down load posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado claimed.
The email concept, the corporation said, originates from an email address structure that uses the area “short term[.]connection” and has Roundcube Webmail detailed as the Consumer-Agent string.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The HTML file points containing a backlink (“facturasmex[.]cloud”) that displays an error message indicating “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification web site that employs Cloudflare Turnstile.
This step paves the way for a redirect to another area from in which a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers process metadata as well as checks for the presence of antivirus software package in the compromised equipment.
It also incorporates a number of Base64-encoded strings that are designed to operate PHP scripts to determine the user’s nation and retrieve a ZIP file from Dropbox that contains “quite a few really suspicious files.”
Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have qualified Spanish-talking end users in Latin The united states in the past.
“Understandably, from the threat actors’ issue of view, phishing campaigns always check out various [approaches] to disguise any malicious action and avoid instant detection,” Agregado explained.
“Utilizing freshly designed domains and making them available only in specific nations around the world is yet another evasion procedure. specially if the area behaves otherwise depending on their goal state.”
The improvement comes as Malwarebytes disclosed a malvertising marketing campaign targeting Microsoft Bing lookup people with bogus ads for NordVPN that guide to the distribution of a remote access trojan termed SectopRAT (aka ArechClient) hosted on Dropbox by using a phony internet site (“besthord-vpn[.]com”).
“Malvertising carries on to clearly show how easy it is to surreptitiously put in malware less than the guise of common software package downloads,” security researcher Jérôme Segura explained. “Threat actors are in a position to roll out infrastructure swiftly and effortlessly to bypass numerous information filters.”
It also follows the discovery of a pretend Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, for each SonicWall.
The network security firm mentioned it also learned a Golang malware that “uses many geographic checks and publicly available packages to screenshot the system just before putting in a root certification to the Windows registry for HTTPS communications to the [command-and-control server].”
Observed this posting attention-grabbing? Adhere to us on Twitter and LinkedIn to read far more exclusive written content we post.
Some parts of this short article are sourced from:
thehackernews.com