A sophisticated phishing operation is targeting Spanish-speaking users in corporate environments across Latin America and Europe. The campaign delivers the Casbaneiro banking trojan, also known as Metamorfo, by using dynamic PDF files as lures to distribute another malicious program called Horabot. Security researchers attribute this activity to a Brazilian cybercrime group tracked as Augmented Marauder and Water Saci.
Campaign Mechanics and Initial Discovery
The campaign begins with phishing emails containing PDF attachments. These are not static documents; they are dynamic PDFs that change their content based on the victim’s geographic location. This technique, known as geofencing, allows the attackers to display different, region-specific lures to increase the likelihood of a successful infection.
When a user in the targeted region opens the PDF, it displays a message prompting them to click a link. This link leads to a password-protected ZIP archive hosted on a cloud storage service. The password for the archive is conveniently provided within the PDF itself, a tactic designed to bypass basic email security filters, which cannot inspect the contents of an encrypted archive and therefore never see the executable inside it.
Malware Deployment Chain
Once the user extracts the contents of the ZIP file, they execute a malicious downloader. This downloader’s primary function is to retrieve and install the Horabot malware onto the victim’s Windows system. Horabot acts as a loader and a backdoor, creating a persistent presence on the compromised machine.
Horabot's final payload is the Casbaneiro banking trojan. Casbaneiro is a well-known financial threat designed to steal credentials and session cookies from online banking platforms and cryptocurrency wallets. It employs web injection techniques to modify banking websites in real time, tricking users into entering sensitive information that is then captured and sent to the attackers' command-and-control servers.
Attribution and Historical Context
The threat actor behind this campaign was first documented by cybersecurity firm Trend Micro. The group, operating out of Brazil, has a history of targeting financial institutions in Latin America. The use of geofenced PDFs and a multi-stage delivery chain involving Horabot represents an evolution in their tactics, indicating a continued investment in developing more evasive and effective attack methods.
This campaign demonstrates a clear focus on Spanish-speaking employees within organizations, suggesting the attackers are seeking initial access to corporate networks. A compromised business computer can serve as a launching point for further attacks, including data theft or lateral movement towards more valuable financial systems.
Security Implications and Recommendations
The use of cloud storage for hosting malware and geofencing techniques presents significant challenges for traditional email security gateways. The dynamic nature of the PDF lures makes them harder to detect with signature-based antivirus solutions alone.
Security experts recommend that organizations, particularly those with operations in the affected regions, implement user awareness training focused on identifying sophisticated phishing attempts. Technical defenses should be bolstered with behavior-based detection systems that can identify malicious activity from downloaders and payloads like Horabot and Casbaneiro, regardless of the initial delivery method.
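The lure described in the campaign mechanics above has a recognisable shape: a PDF whose visible text points to an archive on a cloud storage service and hands over the archive password, wrapped in a document that carries active content so it can change what it shows. The following triage heuristic, an added example written for this article and not code from Trend Micro or from any of the malware families named here, scores a PDF attachment on those traits so a mail pipeline can quarantine it for analyst review. The host list, keyword list and sample inputs are constructed assumptions for the example. Because a geofenced PDF may render different text in a sandbox than it does for the victim, the check also looks at the raw PDF bytes for action and JavaScript tokens rather than relying on extracted text alone.

```python
import re
from dataclasses import dataclass, field

# Assumed indicator lists for this example; tune them to your own environment.
CLOUD_HOSTS = ("drive.google.com", "dropbox.com", "onedrive.live.com", "1drv.ms", "mega.nz")
PASSWORD_WORDS = re.compile(r"\b(contrase[ñn]a|clave|senha|password)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)\b", re.IGNORECASE)
# PDF dictionary keys that indicate active content; a dynamic lure needs some of these.
ACTIVE_PDF_TOKENS = (b"/JavaScript", b"/OpenAction", b"/Launch")


@dataclass
class LureVerdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Three independent traits together are the quarantine threshold (assumed).
        return self.score >= 3


def score_pdf_lure(raw_pdf: bytes, extracted_text: str) -> LureVerdict:
    """Score one PDF attachment: raw bytes plus text already extracted from it."""
    verdict = LureVerdict(score=0)

    # Trait 1: a link to a cloud storage host, where the campaign parks its archive.
    urls = URL_RE.findall(extracted_text)
    cloud_urls = [u for u in urls if any(h in u.lower() for h in CLOUD_HOSTS)]
    if cloud_urls:
        verdict.score += 1
        verdict.reasons.append(f"link to cloud storage: {cloud_urls[0]}")

    # Trait 2: the document names an archive file for the user to fetch.
    if ARCHIVE_RE.search(extracted_text):
        verdict.score += 1
        verdict.reasons.append("archive file name mentioned in document text")

    # Trait 3: the archive password is handed to the user inside the document.
    if PASSWORD_WORDS.search(extracted_text):
        verdict.score += 1
        verdict.reasons.append("archive password supplied in document text")

    # Trait 4: active content in the PDF itself, checked on raw bytes so that
    # region-dependent rendering cannot hide it from the scanner.
    found = [t.decode() for t in ACTIVE_PDF_TOKENS if t in raw_pdf]
    if found:
        verdict.score += 1
        verdict.reasons.append("active-content tokens in PDF: " + ", ".join(found))

    return verdict


# Constructed sample inputs (not real campaign artifacts).
SAMPLE_LURE_TEXT = (
    "Estimado colaborador, descargue su comprobante aqui: "
    "https://drive.google.com/file/d/EXAMPLE-ID/view "
    "Archivo: comprobante.zip  Contraseña: 2024"
)
SAMPLE_LURE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (this.getField) >>\nendobj\n%%EOF"
)
SAMPLE_BENIGN_TEXT = "Adjunto la factura de marzo. Saludos, Departamento de Finanzas"
SAMPLE_BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF"

if __name__ == "__main__":
    for name, pdf, text in (
        ("lure", SAMPLE_LURE_PDF, SAMPLE_LURE_TEXT),
        ("benign", SAMPLE_BENIGN_PDF, SAMPLE_BENIGN_TEXT),
    ):
        v = score_pdf_lure(pdf, text)
        print(f"{name}: score={v.score} suspicious={v.suspicious} reasons={v.reasons}")
```

In a real pipeline the `extracted_text` argument would come from a PDF text extractor and the verdict would feed a quarantine or sandbox-detonation queue rather than a print statement. The scoring is deliberately additive so that a single trait, such as a Drive link in a legitimate invoice, does not trip the threshold on its own; it is the combination of cloud link, archive, in-document password and active content that matches the delivery pattern described above.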
Looking ahead, cybersecurity analysts expect this threat actor to continue refining its techniques. The success of this geographically targeted campaign may lead to similar operations against other linguistic or regional groups. Continued monitoring of the group’s infrastructure and malware variants will be crucial for developing effective countermeasures and protecting potential targets from future attacks.
Source: Trend Micro