New Information Stealer Malware 'TimbreStealer' Is Targeting Mexican Users: Report

An information stealer malware has emerged to be one of the biggest threats recently. This malware has been proven dangerous for organizations and individuals alike. 

Cisco Talos, an Intelligence Group, discovered a new campaign operated by a threat actor distributing a previously unknown malware called "TimbreStealer." The group describes the authors as skilled and that the "threat actor has previously used similar tactics, techniques, and procedures (TTPs)" to pull off a banking fraud known as Mispadu in September 2023, as per the report.

The phishing campaign is pretty advanced and can employ sophisticated techniques that sidestep detection and ensure persistence. This particular phishing campaign makes use of geofencing to target users in Mexico, as mentioned in the report.

They lure the victims to download a new obfuscated information stealer that the company is calling "TimbreStealer". They also use phishing emails with financial schemes directing the people to a shady website where the payload is hosted. Some of the evasive techniques used include leveraging custom loaders and system calls to bypass the main API monitoring. They also use Heaven's Gate to execute 64-bit code within a 32-bit process which is a pretty well-known approach.

Talos also saw other distribution campaigns that have been conducted by this actor since 2023. The current spam run mainly used Mexico's digital tax receipt standard called CDFI. This malware has many embedded modules for decryption and protection of the main binary as well as orchestration. The malware can also run a series of checks to determine if it's running a sandbox environment. It was also seen that the orchestrator module took files and registry keys to double-check that the machine hadn't been previously attacked before it finally launched a payload installer that displayed a file to the user and then triggered the execution of TimbreStealer's primary payload.

This payload is specifically designed to get a range of data starting from credential information to system metadata and more. The payload is also capable of looking for files that match the specific extension and verifying the presence of remote desktop software. 

The orchestrator has four other encrypted sub-modules within it. "Each stripped DLL is loaded by a custom shellcode loader from submodule #0 (IDX = 0). Execution is transferred to this shellcode through a Heaven’s Gate stub using the ZwCreateThreadEx API," the analysis reads.

TimbreStealer is also capable of collecting OS information, and it does that by using the Windows Management Instrumentation interface and registry keys. Here's the report, if you want to know more about the malware, like indicators of compromise and other capabilities. 

The revelation comes after the new version of another information stealer called Atomic emerged a few months back. Atomic, which is also called AMOS, can gather data from Apple macOS systems. Information like credentials from Mozilla Firefox and Chromium-based browsers, crypto wallet information as well as other account passwords can be compromised.

"The new variant drops and uses a Python script to stay covert," Bitdefender researcher Andrei Lapusneanu said about Atomic. According to an IBM X-Force report, info stealer-related malware has increased by 266% in 2023 and the number is set to rise in 2024.

"These challenges are why organizations must enforce multi-factor authentication for all accounts, strengthen their IAM systems, and stress-test their environments," the report reads.