Adrian Johnson
TLDR
- A new infostealer called Timbre Stealer is spreading across Mexico through tax-themed phishing attacks targeting organizations, particularly in the manufacturing and transportation industries.
- Timbre Stealer is sophisticated and uses anti-analysis techniques, custom loaders, and direct system calls to evade detection.
In a recent campaign observed by Cisco Talos, cybercriminals are infecting organizations in Mexico with a new infostealer known as Timbre Stealer through tax-themed phishing attacks. The campaign, which began in November, has targeted a wide range of industries, with a focus on manufacturing and transportation sectors. The threat actors behind Timbre Stealer have refined their phishing message to coincide with Mexico’s tax season, leveraging the timing to catch corporate targets off-guard.
Upon execution, Timbre Stealer first checks the system language and time zone to ensure it is of interest, and then employs various stealth mechanisms to avoid detection, such as custom loaders and geographic restrictions on its infrastructure access. The infostealer collects diverse data by using the Windows Management Instrumentation (WMI) interface and scanning directories for information related to various applications and popular websites.
As tax season provides a prime opportunity for financially motivated cybercriminals, organizations are advised to be vigilant and provide user training on the prevalence of tax-based spam. In addition to a defense-in-depth approach to cybersecurity, raising awareness about tax-related phishing attacks can help mitigate the risks associated with campaigns like Timbre Stealer.
