
TimbreStealer Malware Employs Advanced Evasion Techniques to Target Companies in Mexico


New Campaign Targets Mexican Companies with Sophisticated TimbreStealer Malware

A newly identified campaign distributing the TimbreStealer information stealer is targeting companies in Mexico, using layered evasion techniques and runtime tricks to avoid detection and frustrate analysis. The campaign was reported by researchers Euler Neto and Cristóbal Tárraga, whose findings echo a 2024 Cisco Talos report on the same malware. The most notable variant relies on DLL side-loading with unusually large malicious DLLs, 45 to 50 MB each, that masquerade as legitimate updater libraries such as msedgeupdate.dll and goopdate.dll.

Initial access comes through phishing emails that deliver ZIP archives hosted on DigitalOcean IP addresses. The archive names reference Mexican fiscal artifacts such as CONTENIDO, COMPROBANTES, and CFDI (Comprobante Fiscal Digital por Internet), playing on the country's mandatory electronic-invoicing process to raise the odds that an employee opens them.

Each ZIP contains what looks like a legitimate updater executable alongside the oversized malicious DLL it will side-load. The size alone is a useful detection heuristic, since genuine updater DLLs typically stay under 500 KB. The malicious DLLs are built for anti-analysis: static inspection shows 27 sections, many of them zero-filled and repurposed at runtime as scratch memory for dynamically generated content.
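The two static heuristics above (an updater-named DLL far above the size a real updater needs, and a section table padded with all-zero sections) are easy to check without running anything. The following is an added example written for this page, not code from the researchers or from the sample: it walks the PE section table by hand and reports both conditions. The size and section-count thresholds are assumptions chosen from the figures in the text, and the sample image is constructed in memory so the script runs offline.

```python
import os
import struct

SUSPICIOUS_NAMES = {"msedgeupdate.dll", "goopdate.dll"}
SIZE_THRESHOLD = 500 * 1024      # the page: genuine updater DLLs stay under ~500 KB
SECTION_THRESHOLD = 10           # assumption: the reported sample has 27, normal DLLs far fewer


def triage_dll(name: str, data: bytes) -> list:
    """Static triage for one DLL image: oversized updater name, inflated section
    count, and sections whose on-disk bytes are all zero (runtime scratch space)."""
    findings = []
    if name.lower() in SUSPICIOUS_NAMES and len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized updater DLL: {len(data)} bytes")
    if data[:2] != b"MZ":
        return findings + ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings + ["no PE signature"]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table follows the optional header
    zeroed = []
    for i in range(num_sections):
        name_raw, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        if rsize and not any(raw):                     # bytes present on disk, all of them zero
            zeroed.append(name_raw.rstrip(b"\0").decode("ascii", "replace"))
    if num_sections > SECTION_THRESHOLD:
        findings.append(f"unusual section count: {num_sections}")
    if zeroed:
        findings.append(f"all-zero sections: {zeroed}")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed test image (not a real sample): a minimal PE32 with the given
    [(name, raw_bytes)] sections, enough header for triage_dll to parse."""
    file_align = 0x200
    num = len(sections)
    hdr_size = 0x40 + 4 + 20 + 224 + 40 * num
    hdr_aligned = (hdr_size + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 224, 0x2102)  # i386, DLL, executable
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)       # FileAlignment
    table, body = b"", b""
    raw_ptr, va = hdr_aligned, 0x1000
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(hdr_aligned, b"\0") + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_dll(os.path.basename(path), fh.read()))
```

Run it over the extracted archive contents (`python triage.py *.dll`); an updater-named DLL that trips the size check and also carries several all-zero sections is worth pulling for a closer look even before any dynamic analysis.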

One section implements manual parsing of the Process Environment Block (PEB) and of module export tables, giving the malware a custom API resolver that bypasses the import table entirely. The fourth section holds two RC4 decryption routines that yield strings such as "Zw" and "ntdll.dll", pointing to direct syscall use and to resolving syscall stubs internally so that the real dependencies never appear in the imports.

According to a WatchGuard report shared with GBHackers, the campaign shows operational maturity: export names are randomized and the core actions run from DllMain (the DLL entry point). There, byte-manipulation sequences populate internal byte arrays that later feed the decryption and execution stages.

Decryption proceeds in stages. A 256-byte key is generated algorithmically and, together with a specific byte block from section 3, fed into the decryptor routines. The output is laid out like a Portable Executable (PE) file, but its header bytes are deliberately corrupted so that automated PE recognition fails.
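Both the RC4 string-decryption routines mentioned earlier and the staged payload decryption described here come down to the same analyst task: reproduce the cipher, feed it the key material recovered from the sample, and recognise a PE-shaped result even when its signatures have been clobbered. The block below is an added example for this page, not the researchers' or the malware's code. The key-derivation routine is a hypothetical stand-in (the page does not document the real one), the ciphertext is constructed by encrypting a synthetic damaged-PE buffer, and the two strings are the ones the page reports recovering.

```python
import struct


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling over the key, then XOR the keystream into data.
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: int) -> bytes:
    """Hypothetical 256-byte key generator standing in for the sample's own,
    undocumented routine: a linear congruential generator seeded by an integer."""
    key, x = bytearray(), seed & 0xFFFFFFFF
    for _ in range(256):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        key.append((x >> 16) & 0xFF)
    return bytes(key)


def classify_pe(blob: bytes) -> str:
    """'pe' for an intact image, 'damaged-pe' when the COFF/optional headers are
    plausible but 'MZ' or 'PE\\0\\0' were overwritten, else 'not-pe'."""
    if len(blob) < 0x40 + 4 + 20 + 2:
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(blob) - 26:
        return "not-pe"
    machine, nsect = struct.unpack_from("<HH", blob, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    if machine not in (0x14C, 0x8664) or not 1 <= nsect <= 96 or opt_magic not in (0x10B, 0x20B):
        return "not-pe"
    intact = blob[:2] == b"MZ" and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return "pe" if intact else "damaged-pe"


def repair_signatures(blob: bytes) -> bytes:
    """Analyst step: put 'MZ' and 'PE\\0\\0' back so ordinary PE tooling loads the image."""
    buf = bytearray(blob)
    buf[0:2] = b"MZ"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def printable_strings(blob: bytes, min_len: int = 2) -> list:
    """Runs of printable ASCII at least min_len long (2, so that 'Zw' is kept)."""
    out, run = [], bytearray()
    for b in blob + b"\0":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out


def build_damaged_sample() -> bytes:
    """Constructed plaintext: a PE32-shaped buffer with 4 sections whose 'MZ' and
    'PE\\0\\0' bytes are zeroed, plus the two strings the page reports."""
    buf = bytearray(0x40 + 4 + 20 + 224 + 40 * 4 + 64)
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew left intact
    struct.pack_into("<HH", buf, 0x44, 0x14C, 4)     # Machine = i386, 4 sections
    struct.pack_into("<H", buf, 0x44 + 16, 224)      # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x44 + 20, 0x10B)    # PE32 optional-header magic
    tail = len(buf) - 64
    buf[tail:tail + 2] = b"Zw"
    buf[tail + 4:tail + 13] = b"ntdll.dll"
    return bytes(buf)


def decrypt_stage(ciphertext: bytes, seed: int):
    """One stage as the page describes it: build the 256-byte key, RC4 the block,
    then report what came out (plaintext, PE classification, strings)."""
    plain = rc4_crypt(derive_key(seed), ciphertext)
    return plain, classify_pe(plain), printable_strings(plain)


if __name__ == "__main__":
    seed = 0x1234
    ct = rc4_crypt(derive_key(seed), build_damaged_sample())   # constructed ciphertext
    plain, kind, strings = decrypt_stage(ct, seed)
    print(kind, strings, classify_pe(repair_signatures(plain)))
```

In practice `derive_key` is replaced by the key routine lifted from the sample (or by the 256 bytes dumped from memory at the point they are handed to the decryptor), and `classify_pe` is the check that stops a corrupted-header payload from being discarded as junk.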

Once decrypted, the payload is loaded as a 32-bit PE with four sections containing loader logic and several internal calls. Execution is nevertheless cut short through a call to ExitProcess, hiding further code paths from a quick look. Runtime checks add strong geofencing and anti-analysis: the malware inspects the user-interface language, requires the time-zone bias to fall between UTC-5 and UTC-8 (the range that covers Mexico), and restricts execution to specific time windows.
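Geofencing of this kind is why a default sandbox (UTC, en-US, detonated whenever the job runs) produces nothing. The following is an added reconstruction for this page of the gate the paragraph describes, not the sample's code: it shows how the three checks look in terms of the Windows values they would read, and what a detonation VM has to report to pass. The Spanish UI language and the 08:00 to 20:00 window are assumptions, since the page only says that language and time frames are checked; the time-zone range is the one the page gives.

```python
from dataclasses import dataclass

# Windows reports the zone as TIME_ZONE_INFORMATION.Bias = (UTC - local) in minutes,
# so UTC-5 appears as +300 and UTC-8 as +480.
MEXICO_BIAS_MINUTES = (300, 480)
LANG_SPANISH = 0x0A                # primary-language part of a Windows LANGID (assumed target)
ASSUMED_ACTIVE_HOURS = (8, 20)     # assumption: the page names no concrete window


@dataclass
class HostProfile:
    tz_bias_minutes: int   # GetTimeZoneInformation().Bias
    ui_langid: int         # GetUserDefaultUILanguage(), e.g. 0x080A es-MX, 0x0409 en-US
    local_hour: int        # local wall-clock hour, 0..23


def bias_from_utc_offset(offset_hours: float) -> int:
    """Convert a POSIX-style offset (UTC-6 -> -6) into the Windows Bias value."""
    return int(-offset_hours * 60)


def primary_lang(langid: int) -> int:
    """Low 10 bits of a LANGID are the primary language, the high 6 the sublanguage."""
    return langid & 0x3FF


def gate(profile: HostProfile, hours=ASSUMED_ACTIVE_HOURS):
    """Returns (run, reasons); reasons lists every failed check so an analyst can
    see which sandbox default tripped the gate."""
    reasons = []
    lo, hi = MEXICO_BIAS_MINUTES
    if not lo <= profile.tz_bias_minutes <= hi:
        reasons.append(f"bias {profile.tz_bias_minutes} min is outside UTC-5..UTC-8")
    if primary_lang(profile.ui_langid) != LANG_SPANISH:
        reasons.append(f"UI language 0x{profile.ui_langid:04X} is not Spanish")
    start, end = hours
    if not start <= profile.local_hour < end:
        reasons.append(f"hour {profile.local_hour} is outside {start:02d}:00-{end:02d}:00")
    return (not reasons, reasons)


def sandbox_profile_that_passes() -> HostProfile:
    """What a detonation VM has to look like for the sample to proceed."""
    return HostProfile(tz_bias_minutes=bias_from_utc_offset(-6),   # Mexico City, UTC-6
                       ui_langid=0x080A,                           # es-MX
                       local_hour=10)


if __name__ == "__main__":
    print("default sandbox:", gate(HostProfile(0, 0x0409, 10)))
    print("tuned sandbox:  ", gate(sandbox_profile_that_passes()))
```

The practical use is the second line of output: set the VM's time zone to a Mexican one, install a Spanish UI language pack, and schedule the detonation inside working hours, then re-check if the sample still exits early, because that points to a check the reconstruction does not model.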

Data collection focuses on browser and user data stores: the user-data folders of Google Chrome and Microsoft Edge, Firefox profiles, and the mail stores of Thunderbird and Postbox. The malware also tries to reach cloud-sync folders such as OneDrive and Dropbox.

TimbreStealer runs SQL queries against the browsers' SQLite databases to pull history data (the urls and visits tables) and even rebuilds the database file with VACUUM. This points to a thorough approach to extracting the data and preparing it for exfiltration.
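To understand what such a query yields, and why a VACUUM against a browser database is worth alerting on, the following added example (written for this page, not taken from the researchers or the sample) builds a constructed Chrome-style History database, runs the kind of join a stealer uses over urls and visits, and then issues VACUUM while measuring the file. The schema is trimmed to the columns used; the bulk delete before the VACUUM is only there to give it pages to reclaim, the page does not say what the stealer deletes.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta

WEBKIT_EPOCH = datetime(1601, 1, 1)   # Chrome/Edge store times as microseconds since this date


def to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def webkit_to_datetime(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def make_history_db(path: str, filler_rows: int = 5000) -> None:
    """Constructed Chrome-style History database (schema trimmed to the columns a
    stealer reads). filler_rows extra visits make the file span many pages."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    base = datetime(2024, 3, 4, 9, 0)
    con.executemany("INSERT INTO urls VALUES(?,?,?,?,?)", [
        (1, "https://portal.example-bank.mx/login", "Banca en linea", 2, to_webkit(base + timedelta(hours=1))),
        (2, "https://mail.example.com/inbox", "Inbox", 1, to_webkit(base)),
        (3, "https://filler.example/", "filler", filler_rows, to_webkit(base - timedelta(days=30))),
    ])
    visits = [(1, 2, to_webkit(base), 0, 0),
              (2, 1, to_webkit(base + timedelta(minutes=30)), 1, 0),
              (3, 1, to_webkit(base + timedelta(hours=1)), 2, 0)]
    visits += [(10 + i, 3, to_webkit(base - timedelta(days=30, seconds=i)), 0, 0)
               for i in range(filler_rows)]
    con.executemany("INSERT INTO visits VALUES(?,?,?,?,?)", visits)
    con.commit()
    con.close()


def collect_history(path: str, limit: int = 3) -> list:
    """The join a stealer runs over urls/visits: newest visits first, with the
    WebKit timestamp converted so the timeline is readable."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute("""
        SELECT u.url, u.title, v.visit_time
        FROM visits AS v JOIN urls AS u ON u.id = v.url
        ORDER BY v.visit_time DESC LIMIT ?""", (limit,)).fetchall()
    con.close()
    return [(url, title, webkit_to_datetime(ts)) for url, title, ts in rows]


def db_stats(path: str) -> dict:
    con = sqlite3.connect(path)
    stats = {"page_count": con.execute("PRAGMA page_count").fetchone()[0],
             "freelist_count": con.execute("PRAGMA freelist_count").fetchone()[0],
             "size": os.path.getsize(path)}
    con.close()
    return stats


def prune_and_vacuum(path: str):
    """Delete the filler visits, then VACUUM. VACUUM rewrites the whole file,
    empties the freelist and shrinks it; a History file whose mtime changes and
    whose freelist drops to zero while no browser is running is the artefact."""
    con = sqlite3.connect(path)
    con.execute("DELETE FROM visits WHERE url = 3")
    con.commit()
    con.close()
    before = db_stats(path)
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()
    return before, db_stats(path)


def demo() -> dict:
    """Run the whole flow on a throwaway database and return the observations."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    make_history_db(path)
    rows = collect_history(path)
    before, after = prune_and_vacuum(path)
    return {"newest_url": rows[0][0], "newest_hour": rows[0][2].hour,
            "freelist_before": before["freelist_count"], "freelist_after": after["freelist_count"],
            "pages_before": before["page_count"], "pages_after": after["page_count"]}


if __name__ == "__main__":
    print(demo())
```

On a live host the browser holds the database open, so a stealer typically copies the file first; an EDR rule that flags a non-browser process opening `User Data\*\History` (and any process issuing VACUUM against it) covers both the read and the rebuild the page describes.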

The malware also attempts privilege escalation by launching commands through the ShellExecuteExW API, and manipulates window focus by searching for specific window classes. Reusing legitimate infrastructure (DigitalOcean cloud hosting) and side-loading under trusted updater names underline the operational sophistication of the campaign.

The findings by Neto and Tárraga closely mirror those of Cisco Talos, but add the large-DLL side-loading and the more elaborate multi-stage decryption. Security teams in the region should watch for unusually large updater DLLs, ZIP downloads from legitimate cloud IP ranges with fiscal-themed filenames, unexpected access to browser SQLite files (VACUUM commands in particular), and direct syscall resolution or modified PE headers in suspicious binaries.

In summary, the TimbreStealer campaign is a significant threat to Mexican companies: it combines advanced evasion with broad theft of browser, mail and cloud-sync data, and organizations in the region should raise awareness and put the detections above in place.
