TimbreStealer Malware Spreads through Tax-themed Phishing Scam Targets IT Users.

Mexican users have been targeted by tax-themed phishing scams since November 2023 to distribute a Windows malware called TimbreStealer. The phishing campaign uses sophisticated obfuscation techniques and geofencing to target users in Mexico, returning an innocuous PDF file instead of the malicious one. The malware includes embedded modules for orchestration, decryption, and protection of the main binary, as well as checks to determine if the system is running in a sandbox environment, not Russian, and within a Latin American region. The orchestrator module checks for files and registry keys to ensure the machine hasn't been infected. The payload is designed to harvest a wide range of data, including credential information, system metadata, URLs accessed, files matching specific extensions, and verifying remote desktop software presence. The disclosure comes amid the emergence of a new version of Atomic (aka AMOS), which can gather data from Apple macOS systems using an unusual combination of Python and Apple Script code. The new variant drops and uses a Python script to stay covert, similar to the RustDoor backdoor.

Source: The Hacker News