REF6045 is an operator-assisted Mexican banking fraud operation that uses fake CAPTCHA pages to trick victims into running a command that installs the SCMBANKER PowerShell toolkit. SCMBANKER enables session monitoring, vishing overlays, browser redirects, clipboard manipulation, Remote Utilities deployment, and other controls across Mexico’s financial ecosystem, while exposed infrastructure, open directories, and script artifacts reveal weak OPSEC and likely AI-assisted development. #REF6045 #SCMBANKER #RemoteUtilities #FakeUpdate #ElasticSecurityLabs
Keypoints
- REF6045 uses ClickFix-style fake CAPTCHA pages to induce victims to run a single command that installs SCMBANKER.
- SCMBANKER is a PowerShell toolkit with components dating back to at least October 2025 and is operated manually rather than fully automated.
- The toolkit monitors banking sessions and can trigger screenshot capture, phishing redirects, vishing overlays, and clipboard replacement.
- Targets include Mexico’s retail banks, business banking portals, fintechs, payment processors, cryptocurrency exchanges, investment platforms, SAT, and telecom services.
- The operation can silently install and configure Remote Utilities Host for persistent hands-on access to victim machines.
- Operator OPSEC mistakes exposed open directories, a leaked web-root archive, and an unauthenticated editor that revealed tooling and targeting logic.
- The scripts show strong signs of AI-assisted writing, with repeated banner comments, clean function naming, and generation artifacts.
MITRE Techniques
- [T1059.001 ] PowerShell – The toolkit is delivered and executed through PowerShell scripts for staging, monitoring, updating, and command execution (‘it installs SCMBANKER, a PowerShell toolkit’).
- [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence is achieved through logon-triggered execution paths and repeated relaunch behavior (‘Registry Run key … runs hidden PowerShell launching run.vbs’).
- [T1547.001 ] Registry Run Keys / Startup Folder – Persistence is established with a Run key and Startup folder copies of run.vbs (‘HKCU…Run, value “run”‘).
- [T1112 ] Modify Registry – The malware imports a registry blob to configure Remote Utilities Host and alters uninstall-related registry entries (‘imports a registry blob into HKLMSOFTWAREUsorisRemote Utilities HostHostParameters’).
- [T1056.001 ] Keylogging – A keylogging path exists via key.ps1 and rotor.ps1, indicating keyboard capture capability (‘the presence of rotor.ps1 and key.ps1 shows an additional keylogging capability’).
- [T1115 ] Clipboard Data – The clipboard is used to insert malicious commands and to replace copied banking account data (‘copying the malicious command to the victim’s clipboard’ and ‘replace the destination account’).
- [T1056.001 ] Input Capture: Keylogging – The keylogger module polls keyboard input and exfiltrates host data (‘Telegram-backed keylogger’).
- [T1564.003 ] Hidden Window – Scripts are launched with hidden windows and hidden implant directories to reduce visibility (‘runs hidden PowerShell’ and ‘attrib +h +s’).
- [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – The toolkit checks elevation and manipulates the environment to delay or frustrate analysis (‘checks if it is running as admin via net session’).
- [T1057 ] Process Discovery – The banking monitor inspects visible window titles and processes to detect target activity (‘checks all visible window titles every second’).
- [T1204.001 ] User Execution: Malicious Link – Victims are socially engineered into running a command from a fake verification page (‘asks the visitor to complete an image challenge’).
- [T1105 ] Ingress Tool Transfer – Multiple components are downloaded from open directories and remote URLs (‘All malicious scripts, files, and binaries are pulled individually via bitsadmin’).
- [T1027 ] Obfuscated Files or Information – Win32 API names and scripts are Base64-encoded or otherwise obscured (‘Base64-encodes its Win32 API names’).
- [T1021.001 ] Remote Services: Remote Desktop Protocol – The operation installs a remote-access product to obtain interactive access (‘deploy a commercial remote-access tool’).
- [T1021.002 ] Remote Services: SMB/Windows Admin Shares – Files are staged into public directories and reused across startup/persistence paths, consistent with local admin-style deployment (‘downloads the installer to C:UsersPublic’).
- [T1055 ] Process Injection – Not explicitly stated as injection, but the toolkit uses process-mutation rotators and launcher wrappers to continually respawn payloads (‘short-lived wrappers’).
Indicators of Compromise
- [IPv4 ] File server / validation host – 68.211.161[.]46, 216.250.112[.]100, and 185.242.246[.]169
- [Domain ] ClickFix / toolkit infrastructure – ratonvaquero2026[.]online, monteviral2026.duckdns[.]org, osogransd[.]online
- [Domain ] C2 / operator panel – negratomasa2026[.]online, gestionmontelavaria2026[.]online
- [Domain ] Tracking / lure endpoint – ssinvestigaciones[.]com, bancaporinternetbbmx[.]online
- [File name ] First-stage and launcher scripts – validation.txt, run.vbs, cliente.ps1, jujuzkt.ps1
- [File name ] Toolkit modules – mensaje1.ps1, rotor1.ps1, clip.ps1, clip2.ps1, avs.ps1, remoto.ps1, edifhjwe.ps1
- [File name ] Remote access and setup artifacts – hosts.msi, zkt.zip, 99.kut, id.txt, comando.txt
- [SHA-256 ] Exposed archive and key scripts – b30cb0aa977aacdab94d2ef503186c8f0b2fc10d7cf0d7c7c0ada70c127dc7e8, ff3555154e91e42490cc722b6c7f3c4c91654b7ef53a35d0719ffb89accf1b27, 526287a40aad1b218228cdd1f459ad3b93f858585048347644d597c6ab19515a, and other 20+ hashes
Read more: https://www.elastic.co/security-labs/mexican-banking-fraud-scmbanker-ref6045