A new phishing campaign has been discovered targeting the Latin American region, using malicious HTML files disguised as invoices. The emails contain a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download. The campaign exhibits similarities with previous malware campaigns that have targeted Spanish-speaking users in Latin America.

Phishing attacks continue to be a significant threat, and this campaign specifically targets Latin America, highlighting the importance of regional cybersecurity awareness and protection.

The Means

Cybercriminals are launching a phishing campaign in Latin America, using emails with malicious attachments disguised as invoices.

The emails are sent from addresses on the domain "temporary.link" and carry Roundcube Webmail as the User-Agent string.

The HTML file in the attachment contains a link ("facturasmex.cloud") that displays an error message when visited from certain IP addresses but loads a CAPTCHA verification page when visited from a Mexican IP address.

The CAPTCHA verification page uses Cloudflare Turnstile, paving the way for a redirect to another domain where a malicious RAR file is downloaded.

The RAR archive contains a PowerShell script that gathers system metadata, checks for antivirus software, and runs PHP scripts to determine the user's country and retrieve a ZIP file from Dropbox containing suspicious files.
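As an added illustration, not code from the original report, the following Python triage check scores an incoming message against the e-mail-side indicators described above: a sender on "temporary.link", a Roundcube Webmail User-Agent, and a ZIP attachment wrapping an HTML file that links to "facturasmex.cloud". The sample message is constructed for the demonstration, and the scoring scheme itself is an assumption.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Indicators from the campaign description; the matching logic is an assumption.
SENDER_DOMAIN = "temporary.link"
WEBMAIL_UA = "roundcube webmail"
LURE_DOMAIN = "facturasmex.cloud"
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def build_sample_message() -> bytes:
    """Construct a synthetic lure e-mail (not a real sample) for testing."""
    html = f'<html><body><a href="https://{LURE_DOMAIN}/factura">Ver factura</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_0001.html", html)          # HTML lure inside the ZIP
    msg = EmailMessage()
    msg["From"] = "facturacion@temporary.link"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Factura pendiente"
    msg["User-Agent"] = "Roundcube Webmail/1.4"
    msg.set_content("Adjunto su factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Factura.zip")
    return msg.as_bytes()


def score_message(raw: bytes) -> list[str]:
    """Return the indicators matched by one raw RFC 5322 message, in check order."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    address = parseaddr(str(msg.get("From", "")))[1].lower()
    if address.endswith("@" + SENDER_DOMAIN):
        hits.append("sender-domain")
    if WEBMAIL_UA in str(msg.get("User-Agent", "")).lower():
        hits.append("roundcube-ua")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for name in zf.namelist():
                if not name.lower().endswith((".html", ".htm")):
                    continue
                hits.append("zip-wrapped-html")           # HTML hidden in a ZIP attachment
                body = zf.read(name).decode("utf-8", "replace")
                if any(LURE_DOMAIN in url.lower() for url in HREF_RE.findall(body)):
                    hits.append("lure-domain-link")       # link to the redirector domain
    return hits
```

A message that matches all four indicators is a strong candidate for quarantine; a single hit such as the User-Agent alone is far weaker and should only raise the review priority.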

The Motive

The phishing campaign aims to deceive users into downloading and executing malicious files disguised as invoices, potentially compromising their Windows systems.

The use of newly created domains and country-specific accessibility helps the threat actors evade detection and adds a layer of obfuscation to their activities.