Potential victims in Mexico have been targeted by the tax-themed TimbreStealer Windows malware that started in November 2023 if not earlier, according to The Hacker News.
The campaign selectively targets users in Mexico through geofencing in addition to using advanced obfuscation methods for evading detection. If the payload sites are reached from other locations, the malicious PDF is replaced with a blank one. The payload has been developed to gather information, such as system metadata, visited URLs, and multi-directory credentials, confirm if remote desktop software is installed, and search for files that match particular extensions. Some evasive techniques used include utilizing direct system calls and custom loaders to bypass the standard API monitoring and leveraging Heaven’s Gate to run a 64-bit code with a 32-bit process. Cisco Talos, which uncovered the campaign, said the threat actor used the same tactics, techniques, and procedures to deploy the Mispadu banking trojan in September 2023.
