Mexico’s Timbre Stealer Campaign Targets Manufacturing

Cybercriminals have been found spreading a new infostealer throughout Mexico, targeting organizations with tax season-related phishing scams rather than individual consumers. This campaign, as reported by Cisco Talos, began in November with the emergence of “Timbre Stealer,” a versatile infostealer that has since infiltrated various industries, including manufacturing and transportation.

The threat actors behind this campaign have recently refined their phishing tactics, taking advantage of Mexico’s tax season timing to catch corporate targets off guard and further propagate Timbre Stealer. This strategic move coincides with the tax season in the United States, creating a window of opportunity for cybercriminals to exploit unsuspecting victims.

Upon activation, Timbre Stealer conducts a thorough check of the infected system to ensure it meets specific criteria. It verifies the system language is not Russian, suggesting a possible connection to the threat actor’s origin, and confirms the time zone aligns with Latin America. Additionally, the malware confirms that the system has not been previously infected and is not operating within a sandbox environment. To elude detection, Timbre Stealer utilizes custom loaders, bypasses standard API monitoring through direct system calls, and restricts access to its infrastructure based on geographic location.

Guilherme Venere, a threat researcher for Cisco Talos, describes the anti-analysis techniques employed by the authors of Timbre Stealer as exceptionally robust, making it challenging for researchers and security tools to dismantle and detect the malware. Once implanted, the infostealer collects a wide range of data by leveraging the Windows Management Instrumentation (WMI) interface and registry keys and by scanning essential directories for information. It targets various types of files associated with popular applications and websites, indicating a comprehensive data collection strategy.

The prevalence of tax-related cyber scams during tax season poses a significant threat to organizations and individuals alike. According to Venere, cybercriminals capitalize on the financial incentives and access to valuable personal information inherent in tax activities. The complexity and stress associated with tax obligations create a fertile ground for cyber attackers to exploit unsuspecting victims who may be less vigilant in their online activities.

In the current campaign, cybercriminals have tailored their phishing messages around Mexico’s “Comprobante Fiscal Digital por Internet” (CFDI), the country’s electronic invoice standard for tax reporting. By using familiar and official-sounding lures, such as online fiscal digital invoices, attackers trick unsuspecting targets into downloading Timbre Stealer. To combat such threats, Venere emphasizes the importance of user training on tax-related spam and the implementation of a defense-in-depth cybersecurity approach, particularly within the finance sector.

As tax season approaches, organizations must remain vigilant against the escalating threat of cyber scams targeting financial and personal information. By raising awareness, implementing robust security measures, and providing targeted training, businesses can mitigate the risks posed by sophisticated cybercriminals looking to exploit the vulnerabilities of tax-related activities.
