TimbreStealer Malware Spread by Tax-themed Phishing Scam Targets IT Users

February 28, 2024NewsroomPhishing / Malware Attacks

StampStealer Malware

Users in Mexico have been targeted by tax-themed phishing lures since at least November 2023 to distribute an undocumented Windows malware called. StampStealer.

Cisco Talos, that is discovered The activity, describes the authors as skilled and that the “threat actor previously used similar tactics, techniques and methods (TTPs) to distribute a banking trojan known as Mispadu in September 2023.

In addition to using sophisticated obfuscation techniques to avoid detection and ensure continuity, the phishing campaign uses geofencing to target users in Mexico, returning a harmless blank PDF file instead of the malicious if payload sites are contacted from other locations.

Some of the notable escape maneuvers include using custom loaders and direct system calls to bypass standard API monitoring, in addition to using Heaven’s Gate to execute 64-bit code. inside a 32-bit process, a method recently adopted by HijackLoader.


The malware comes with several embedded modules for orchestration, decryption, and protection of the primary binary, while also running a series of checks to determine if it is running in a sandbox environment. , the system language is not Russian, and the timezone is within a Latin American one. region.

The orchestrator module also looks for files and registry keys to double check that the machine has not been infected before, before launching a payload installer component that presents a benign decoy file to the user, because as this ultimately triggers the execution of TimbreStealer’s primary payload.

The payload is designed to harvest a wide range of data, including credential information from various folders, system metadata, and the URLs accessed, search for files that match specific extension, and verifying the presence of remote desktop software.

StampStealer Malware

Cisco Talos said it was aware of overlaps with a Mispadu spam campaign observed in September 2023, although TimbreStealer’s target industries were diverse and focused on the manufacturing and transportation sectors.

The disclosure comes amid the emergence of a new version of another information thief called Atomic (aka AMOS), which is able to collect data from Apple macOS systems such as local user account passwords, credentials from Mozilla Firefox and Chromium-based browsers, crypto wallet information, and files of interest, using a unique combination of Python and Apple Script code.


“The new variant drops and uses a Python script to stay hidden,” Bitdefender researcher Andrei Lapusneanu SAYSnoted the Apple Script block for collecting sensitive files from the victim’s computer showed a “significantly high level of similarity” to the RustDoor backdoor.

It also follows the emergence of new families of stealth malware such as XSSLitewhich was released as part of a malware development contest hosted on the XSS forum, even as existing strains such as Agent Tesla and Ponies (aka Fareit or Siplog) continues to be used for information theft and subsequent sale on stealer logs marketplaces such as Exodus.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment