
Operation Escaneo Signals Shift in Latin America Cyber Threat Landscape

Operation Escaneo is a warning sign for Latin America’s cybersecurity ecosystem, showing that financially motivated attackers are adopting more advanced intrusion methods. The campaign, uncovered through an exposed attacker server, targeted government, financial, and critical infrastructure organizations across Mexico, with smaller activity in Ecuador and Portugal. Researchers say the operation reflects a shift in the region, where threat actors are increasingly combining opportunistic motives with sophisticated tooling. 

The attackers relied heavily on internet-facing vulnerabilities to gain entry. Reporting links the campaign to Fortinet FortiOS SSL-VPN and Ivanti Connect Secure flaws, along with other exploits involving Apache Tomcat, Windows, and Log4Shell. Rather than depending on a single vulnerability, the group appears to have built a flexible intrusion chain that could adapt to different environments, increasing its chances of success and making defense more difficult. 

Once inside, the operation used multiple layers of persistence and control. CloudSEK’s findings, as summarized by Infosecurity Magazine, describe Neo-reGeorg webshells, Chisel reverse tunnels, and even a compromised Cisco router configured with a GRE tunnel to maintain access. These methods helped the attackers stay connected while blending into normal traffic, a tactic that can evade host-based security tools and delay detection. 

The damage was not limited to access alone. Analysts reported large-scale theft of sensitive data, including personal records, Active Directory maps, SSL private keys, SAP service-account hashes, and browser-stored passwords. That level of exposure creates serious risks for identity abuse, lateral movement, and further compromise, especially in public-sector and financial environments where trust and encryption keys are critical assets.

Operation Escaneo is a reminder that Latin American defenders should prioritize patching perimeter appliances, monitoring for unusual tunneling activity, and limiting the spread of privileged credentials. The campaign’s scale and tradecraft suggest that regional attackers are moving closer to APT-level capability, with the potential to disrupt operations far beyond the initial breach.
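The post's closing advice to watch for unusual tunneling activity can be turned into a simple flow-log check. The example below is added here and is not CloudSEK's or Infosecurity Magazine's code; it flags GRE (IP protocol 47) flows that cross the perimeter and long-lived, upload-heavy outbound TCP sessions of the kind a reverse tunnel such as Chisel tends to produce. The internal ranges, the duration and byte-ratio thresholds, and the flow records themselves are constructed for illustration.

```python
# Added example: heuristics for the tunneling patterns described in the post
# (GRE tunnel on a perimeter device, long-lived reverse tunnel). Thresholds
# and sample records are constructed, not taken from the campaign.
import ipaddress

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records: ts,src,dst,ip_proto,duration_s,bytes_out,bytes_in
FLOWS = """
1700000000,10.1.2.3,10.1.2.10,6,2,1200,8800
1700000005,10.1.0.1,203.0.113.7,47,3600,5000000,4800000
1700000010,10.1.5.9,198.51.100.4,6,14400,90000000,120000
1700000020,10.1.5.9,10.1.0.5,6,1,300,500
"""

LONG_LIVED_S = 3600      # assumed threshold: session longer than an hour
UPLOAD_RATIO = 10        # assumed threshold: bytes_out at least 10x bytes_in


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyze(text):
    """Return (finding, src, dst) tuples for suspicious flows."""
    findings = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dur, out_b, in_b = line.split(",")
        dur, out_b, in_b = int(dur), int(out_b), int(in_b)
        crosses_edge = is_internal(src) != is_internal(dst)
        # GRE is rarely legitimate across the perimeter; a router speaking
        # GRE to an external peer matches the persistence path in the post.
        if proto == "47" and crosses_edge:
            findings.append(("gre_to_external", src, dst))
        # A reverse tunnel keeps one outbound TCP session open for hours and
        # pushes far more data out than it receives.
        elif (proto == "6" and is_internal(src) and not is_internal(dst)
              and dur >= LONG_LIVED_S and out_b >= UPLOAD_RATIO * in_b):
            findings.append(("long_lived_upload_heavy", src, dst))
    return findings


if __name__ == "__main__":
    for f in analyze(FLOWS):
        print(*f)
```

Real deployments should whitelist known GRE peers and site-to-site tunnels before alerting, or the GRE rule will fire on legitimate infrastructure.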

Hackers Use Fake Legal Emails to Spread Casbaneiro Malware

A coordinated phishing operation is targeting Spanish-speaking users in both Latin America and Europe, using layered infection methods to deploy banking malware on Windows systems.

The campaign delivers the Casbaneiro trojan, also referred to as Metamorfo, and relies on an additional malware strain called Horabot to assist in spreading the infection. Investigators have linked the activity to a Brazil-based cybercrime group tracked as Augmented Marauder and Water Saci, which was first publicly reported by Trend Micro in October 2025.

Technical findings shared by BlueVoyant researchers Thomas Elkins and Joshua Green show that the attackers operate through multiple entry points. Their approach combines phishing emails, automated messaging through WhatsApp, and social engineering techniques such as ClickFix. This setup allows them to simultaneously target everyday users and corporate environments. While WhatsApp-based scripts are mainly used to reach consumers in Latin America, the group also runs an email takeover mechanism aimed at breaching business systems in both Latin America and Europe.

The attack begins with an email crafted to resemble a legal notice, often framed as a court-related message. Recipients are urged to open a password-protected PDF file attached to the email. Inside the document, a link directs the user to a harmful website, which triggers the download of a compressed ZIP file. Opening this file leads to the execution of intermediate components, including HTML Application files and Visual Basic scripts.

The VBS script conducts several checks before continuing, including verifying the presence of antivirus tools such as Avast. These checks are designed to avoid analysis or detection. Once they pass, the script contacts an external server to download further payloads. Among these are AutoIt-based loaders that unpack encrypted files with extensions like “.ia” and “.at,” eventually activating both Casbaneiro and Horabot on the infected system.

Casbaneiro serves as the main malware responsible for financial theft, while Horabot is used to expand the attack’s reach. After installation, Casbaneiro communicates with a command server to retrieve a PowerShell script. This script uses Horabot to extract contact lists from Microsoft Outlook and send phishing emails from the victim’s own account.
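The infection chain above (HTA, then VBS, then an AutoIt loader reading “.ia”/“.at” files, then PowerShell) is visible as a process lineage on the endpoint. The example below is added here and is not BlueVoyant's or the campaign's code; it scores constructed process-creation events and reports any process whose ancestry contains at least three of those stages. Image paths, file names and the placeholder encoded PowerShell argument are constructed, and the stage patterns are assumptions based on the post's description.

```python
# Added example: detect the HTA -> VBS -> AutoIt -> PowerShell lineage
# described in the post over constructed process-creation events.
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample events (pid, parent pid, image path, command line)
EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\mshta.exe",
          r"mshta.exe C:\Users\u\Downloads\notificacion.hta"),
    Event(300, 200, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe //B C:\Users\u\AppData\Local\Temp\aviso.vbs"),
    Event(400, 300, r"C:\Users\u\AppData\Roaming\svc\host.exe",
          r"host.exe C:\Users\u\AppData\Roaming\svc\data.ia"),
    Event(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -enc PLACEHOLDER"),
    Event(600, 100, r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe notes.txt"),
]

# (stage name, image pattern, command-line pattern); assumed from the post
STAGES = [
    ("hta_launch", re.compile(r"mshta\.exe", re.I), re.compile(r"\.hta\b", re.I)),
    ("vbs_launch", re.compile(r"[wc]script\.exe", re.I), re.compile(r"\.vbs\b", re.I)),
    ("autoit_payload", re.compile(r".*"), re.compile(r"\.(ia|at)\b", re.I)),
    ("powershell_stage", re.compile(r"powershell\.exe", re.I), re.compile(r"-enc|hidden", re.I)),
]


def stage_of(ev):
    for name, img_re, cmd_re in STAGES:
        if img_re.search(ev.image) and cmd_re.search(ev.cmdline):
            return name
    return None


def lineage(events, pid):
    """Process and its ancestors, leaf first; stops on unknown or cyclic ppid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events, min_stages=3):
    """Map pid -> ordered stage names for processes whose ancestry hits enough stages."""
    hits = {}
    for ev in events:
        stages = [s for s in (stage_of(e) for e in lineage(events, ev.pid)) if s]
        if len(set(stages)) >= min_stages:
            hits[ev.pid] = list(reversed(stages))
    return hits
```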

A key change in this campaign is the use of dynamically generated phishing documents. Instead of distributing a fixed malicious file, the malware sends a request to a remote server, including a randomly created four-digit code. The server responds by generating a unique, password-protected PDF designed to mimic a Spanish judicial summons. This file is then attached to phishing emails sent to new targets, making each message appear more personalized and credible.

The operation also uses a secondary Horabot-related file that acts as both a spam tool and an account hijacker. It targets email services such as Yahoo, Gmail, and Microsoft Live, enabling attackers to send phishing messages through compromised Outlook accounts. Researchers note that Horabot has been used in attacks across Latin America since at least November 2020.

Earlier campaigns linked to Water Saci relied heavily on WhatsApp Web to spread malware in a self-propagating manner, including banking threats like Maverick and Casbaneiro. More recent activity, as observed by Kaspersky, shows the use of ClickFix tactics, where users are tricked into executing malicious HTA files under the pretense of resolving technical issues.

Researchers conclude that the attackers are continuously refining their methods by combining multiple delivery channels. The use of WhatsApp automation, dynamically generated PDF lures, and ClickFix techniques allows them to bypass security controls more effectively. The group appears to operate parallel attack chains, switching between WhatsApp-driven distribution and email-based infection methods powered by Horabot, depending on the target environment.

This activity points to a wider change in how cybercriminal operations are structured, where threat actors increasingly depend on adaptable tactics, automated tools, and manipulation of user behavior to maintain and expand attacks across different regions.