Mexico's 'Timbre Stealer' Campaign Targets Manufacturing

A new infostealer spreading to organizations across Mexico heralds 2024's fresh season of tax-themed phishing attacks.


Cybercriminals are spreading a new infostealer across Mexico using tax-season-themed phishing lures, and they are aiming at organizations rather than consumers.

The campaign observed by Cisco Talos goes back to November, when the first samples of "Timbre Stealer," a new infostealer with a broad rather than targeted appetite for data, began reaching victims via malicious emails. In the time since, it has spread to organizations across varied industries, above all manufacturing and transportation.

More recently, the threat actors have honed their phishing message using Mexico's tax season — the timing of which broadly overlaps with the US's — to catch their corporate targets off-guard and perpetuate the further spread of Timbre Stealer.

A Breakdown of Timbre Stealer

Upon execution, Timbre Stealer first determines whether the newly infected machine is of interest. Specifically, it checks that the system language is not Russian (perhaps a hint at the threat actor behind this campaign) and that the time zone falls within Latin America.

Next, it checks that the system hasn't already been infected and that it's not running in a sandbox environment. Other stealth mechanisms include custom loaders, direct system calls that bypass the user-mode API hooks security tools rely on for monitoring, and restricting access to its infrastructure to users in a specific geographic region.
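The gating described above (language, time zone, prior infection, sandbox) is what an analyst has to reproduce before a detonation VM will ever see the sample do anything. The following is an added illustration of that gate as an analyst would model it, not Timbre Stealer's code: the article says only that the sample refuses to run when the UI language is Russian or the time zone is outside Latin America. The Win32 encodings used (a LANGID as returned by GetUserDefaultUILanguage, and TIME_ZONE_INFORMATION.Bias in minutes west of UTC), the UTC-3 to UTC-8 window, the infection marker and the VM-artifact flag are all assumptions about how such a check is typically implemented.

```python
"""Analyst's model of a locale / time-zone execution gate.

Added example, not the malware's code. Assumed: the language check compares the
primary language ID of the UI LANGID, the time-zone check uses the Bias field
of TIME_ZONE_INFORMATION, and "Latin America" means UTC-3 through UTC-8.
"""
from dataclasses import dataclass

LANG_RUSSIAN = 0x19  # primary language ID for Russian (winnt.h LANG_RUSSIAN)

# Assumption: Latin America taken as UTC-3 (Buenos Aires) through UTC-8
# (Tijuana). Mexico itself spans UTC-5 to UTC-8. Bias is minutes WEST of UTC,
# so UTC-6 (Mexico City) is a Bias of +360.
LATAM_BIAS_MINUTES = range(3 * 60, 8 * 60 + 1)


@dataclass(frozen=True)
class HostProfile:
    langid: int           # what GetUserDefaultUILanguage() would return
    tz_bias_minutes: int  # TIME_ZONE_INFORMATION.Bias (positive = west of UTC)
    infection_marker: bool  # assumed artefact a previous run leaves behind
    vm_artifacts: bool      # assumed outcome of the sample's sandbox checks


def primary_language(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a LANGID (0x0419 -> 0x19)."""
    return langid & 0x3FF


def gate(host: HostProfile) -> tuple[bool, str]:
    """Return (should_run, reason), applying the checks in the order the
    article lists them: language, time zone, prior infection, sandbox."""
    if primary_language(host.langid) == LANG_RUSSIAN:
        return False, "ui language is Russian"
    if host.tz_bias_minutes not in LATAM_BIAS_MINUTES:
        return False, "time zone outside Latin America"
    if host.infection_marker:
        return False, "host already infected"
    if host.vm_artifacts:
        return False, "sandbox detected"
    return True, "all gates passed"


def detonation_profile() -> HostProfile:
    """Profile a detonation VM must present to get past every gate:
    Spanish (Mexico) UI (LANGID 0x080A), Mexico City time zone, no leftover
    marker from an earlier run, and VM indicators hidden."""
    return HostProfile(langid=0x080A, tz_bias_minutes=6 * 60,
                       infection_marker=False, vm_artifacts=False)


if __name__ == "__main__":
    # Constructed profiles: a Russian-locale analyst VM and a UTC+1 (CET) host.
    ru_vm = HostProfile(0x0419, 6 * 60, False, False)
    cet_host = HostProfile(0x080A, -60, False, False)
    for profile in (ru_vm, cet_host, detonation_profile()):
        print(gate(profile))
```

Running the model shows why a default English-UK or Central European analyst VM never gets past the second check even with a non-Russian language: the time zone has to be set into the Latin American window as well, and any marker left by an earlier detonation must be cleaned out before re-running the sample.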

"We commonly see actors implement anti-analysis techniques; this is that on steroids," says Guilherme Venere, threat researcher for Cisco Talos. "The authors behind this threat do not just implement anti-analysis; they implement as many anti-analysis capabilities as they can, which increases the difficulty on the researcher to take it apart as well as for technology to detect it."

Once established on the host, Timbre Stealer sets about collecting a wide range of data.

It uses the Windows Management Instrumentation (WMI) interface and registry keys to collect information from the operating system. It also scans a number of fundamental directories, like the Desktop, Documents, and Downloads folders, for purposes that aren't entirely clear.

Certain strings in its code suggest that it scans files and directories for information relating to apps such as Microsoft Office and OneDrive, Windows Media Player, various browsers (Firefox, Microsoft Edge, Internet Explorer, and Chrome), Dropbox, Avast, and software from AMD, Brother, HP, Intel, and more.

It's also interested in certain URLs relating to popular websites — Google.com, Wikipedia.org, Facebook.com, and the like — which Talos researchers speculated may have to do with network sniffing capabilities.

Beware Tax-Season Scams

Like holiday-season shopping, tax deadlines reliably provide fertile ground for financially motivated cyberattackers.

As Venere explains, "Every year we see actors taking advantage of current affairs, and tax season is one of the biggest. It unfortunately checks a lot of boxes for criminals as it involves large sums of money, valuable personally identifiable information (PII), and is something that every adult has to deal with. When you combine them, it is a perfect storm for criminals looking to make money."

Taxes are also complicated, boring, and stressful — factors that might make victims less discerning about what they click on.

In this latest campaign, for example, besides generic invoices, the attackers designed a lure around the "Comprobante Fiscal Digital por Internet" (CFDI) (in English: online digital tax receipt), Mexico's mandatory electronic invoice standard used for tax reporting. When uninterested and unwitting targets follow the malicious link, they're led to download Timbre Stealer.

Besides a general defense-in-depth approach to cybersecurity, Venere recommends that around this time of year "organizations should be giving user training about the prevalence of tax-based spam, with a focus on those areas most likely to be impacted, like finance."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
