
Hackers use suspended domains to spread malware


Article Summary

TLDR:

  • A recent phishing campaign in Latin America used ZIP attachments containing HTML files disguised as invoices, sent from free, temporary email addresses on the domain “temporary.link”.
  • The campaign targeted users in Mexico: victims were redirected to a page requesting human verification and then to the download of a malicious RAR archive containing a PowerShell script that gathers information about the victim’s machine.

Hackers have been weaponizing suspended domains to deliver malware payloads through phishing campaigns. One recent campaign in Latin America targeted users in Mexico using free, temporary email addresses on the domain “temporary.link”. The lure was a ZIP attachment containing an HTML file disguised as an invoice; the HTML embedded a URL intended to get the recipient to download malware. When visited, the URL led to a bare IP address that served a Cloudflare CAPTCHA page when accessed from a Mexican IP, and from there to the download of a malicious RAR archive.

The PowerShell script inside the RAR archive profiled the victim’s machine, collecting the computer name, operating system, and whether antivirus software was present. The script also contained encoded URLs that triggered further stages, potentially downloading additional malware onto the system. The campaign combined compressed attachments, obfuscated code, and geo-targeted content to evade detection.
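The delivery chain described above (ZIP attachment, HTML lure, redirect to an IP-literal host) is something a mail gateway or analyst can check for before a user ever opens the invoice. The following triage script is an added example, not code from the article or from Trustwave: it unpacks a ZIP in memory, pulls every absolute URL out of each HTML member (link and form targets, meta refreshes, and script-driven location changes), and flags URLs whose host is a bare IP address or is on a small indicator list. The only indicator taken from the article is the domain temporary.link; the sample attachment, the file name Factura.html, and the address 203.0.113.10 (an RFC 5737 documentation range) are constructed for the demonstration.

```python
"""Triage a ZIP e-mail attachment for HTML lures that redirect to a download.

Added example (not from the article or Trustwave).  The sample attachment
below is constructed: its only real indicator is the temporary.link domain
named in the article; 203.0.113.10 is an RFC 5737 documentation address.
"""
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlparse

# Indicator list.  temporary.link comes from the article; anything else you
# add here is your own IoC feed.
SUSPICIOUS_DOMAINS = {"temporary.link"}

# The three ways an HTML lure usually moves the reader on: a link or form
# target, a <meta http-equiv="refresh">, or a script assignment to location.
_URL_PATTERNS = (
    re.compile(r"""(?:href|src|action)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I),
    re.compile(r"""url\s*=\s*["']?(https?://[^"'\s>;]+)""", re.I),
    re.compile(r"""(?:location(?:\.href)?\s*=|window\.open\s*\()\s*["'](https?://[^"']+)""", re.I),
)


def extract_urls(html: str) -> list[str]:
    """Return the distinct absolute URLs an HTML lure points at, in order found."""
    seen: set[str] = set()
    urls: list[str] = []
    for pattern in _URL_PATTERNS:
        for url in pattern.findall(html):
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def _is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 host; urlparse strips the brackets for us."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> list[str]:
    """Reasons a URL matches the campaign's traits; an empty list means no match."""
    host = (urlparse(url).hostname or "").lower()
    reasons: list[str] = []
    if _is_ip_literal(host):
        reasons.append("ip-literal host")
    if any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS):
        reasons.append("host on indicator list")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[tuple[str, list[str]]]]:
    """Map each HTML member of the ZIP to its (url, reasons) pairs."""
    findings: dict[str, list[tuple[str, list[str]]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".html", ".htm")):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            findings[info.filename] = [(u, classify_url(u)) for u in extract_urls(html)]
    return findings


def flagged_urls(findings: dict[str, list[tuple[str, list[str]]]]) -> list[str]:
    """Flatten the triage result to just the URLs that raised at least one reason."""
    return [url for pairs in findings.values() for url, reasons in pairs if reasons]


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding an 'invoice' HTML that redirects to an IP host."""
    lure = """<!doctype html><html><head><title>Factura</title>
<meta http-equiv="refresh" content="0;url=http://203.0.113.10/verify">
</head><body>
<p>Su factura esta lista. <a href="http://203.0.113.10/verify">Ver factura</a></p>
<p><a href="https://mail.temporary.link/inbox">Responder</a></p>
<p><a href="https://www.example.com/ayuda">Ayuda</a></p>
</body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura.html", lure)
        zf.writestr("README.txt", "Abra la factura adjunta.")  # non-HTML member, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for member, pairs in triage_zip(build_sample_attachment()).items():
        print(member)
        for url, reasons in pairs:
            print(f"  {url}  {'FLAG: ' + ', '.join(reasons) if reasons else 'ok'}")
```

Run as-is it reports the two URLs of the constructed lure that match (the IP-literal redirect target and the temporary.link host) and leaves the www.example.com link alone. To use it on real mail, feed `triage_zip` the raw attachment bytes and replace `SUSPICIOUS_DOMAINS` with your current indicator feed; an HTML member that redirects to a bare IP address is worth holding regardless of the list.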

Trustwave, which analyzed the campaign, published indicators of compromise (IoCs) including the specific domains and URLs involved. The campaign illustrates how phishing attacks continue to grow more sophisticated, and it is a reminder to treat unexpected attachments and links with caution, particularly compressed archives that contain HTML files. As these threats evolve, users should stay vigilant and rely on layered security measures to protect against phishing and malware delivery.

