In May 2023, hackers carried out a widespread phishing campaign, targeting both individuals and organizations in Mexico. Researchers from Perception Point, a leading cybersecurity company based in Israel, found that the operation began as early as 2021. It is estimated that over  the past two years the threat actors have defrauded more than 4,000 victims out of over $55 million.

This attack, dubbed “Manipulated Caiman” by Perception Point researchers due to its Latin American origin and mention of “Loader Manipulado” in the script of the attack, starts off as a seemingly standard phishing scam, in which the target receives an email with a supposed tax receipt attached. 

The target is lured into clicking on the attachment. By using the CFDI electronic invoice format, mandated in Mexico and used in other parts of Latin America, the threat actor effectively localizes and legitimizes the attack for the user. When the target clicks on the attachment, they inadvertently download malware, giving the attacker unauthorized access to their computer and free rein to execute the remainder of the attack flow. 

However, when a user with an IP outside of Mexico attempts to access the file, they are redirected to a legitimate website and the attack is terminated. The attacker employs a form of geofencing in the attack to evade detection and also ensure that only the desired targets are compromised. This method can make it extremely difficult for even the most advanced threat detection solutions to identify and catch. 

After the target has clicked on the attachment, they effectively install a multi-layered script, containing executables, which monitors the websites that the user visits. It compares accessed URLs to its catalog of targeted banking sites. The script injects a command into the user’s browser that will retrieve the user’s cookie value from banking sites and send it to the threat actor’s C2 server. 

To further complicate detection, the attacker hosts the payload on a trusted WordPress-based site. This deters detection, as the compromised site likely has a high reputation, unlike typical phishing sites. 

What comes next is what the attacker hopes is the end to a successful phishing excursion: the user enters their bank credentials, only for the attacker to steal them along with the victim’s money. The script downloaded from the initial phishing email fetches the next-stage payload and establishes persistence using AutoIT Downloader and InfoStealer techniques. This script not only steals sensitive Outlook and Chrome credentials from infected machines but also exfiltrates the stolen data by sending a carefully crafted POST request to specific URLs.

Even a Caiman Can’t Hide Forever

One question remains: How did this threat actor remain largely undetected and operational for so long? 

Perception Point researchers discovered that the C2 server had a Django REST framework hosted on it, revealing an open API URL that contained a range of logs and data tables. They also found a control panel login page present in all the C2 servers identified (four so far).

The attacker uses the panel for efficient email distribution and to control the content and dissemination of their phishing messages. It enables the attacker to manipulate sender names, subjects, email content, and even select SMTPs for widespread campaigns, like the one distributed in May 2023.

However, the actual act of spamming is delegated to a botnet, allowing for mass distribution and amplifying the impact of their malicious campaigns. 

Through further research, a pattern emerged: the majority of the IP addresses involved in these attacks were traced back to private IP addresses predominantly located in Mexico. This crucial finding led to the realization that in the event of a successful infection, the attacker downloads and stores tools like Ascan and other malware on the victim’s computer, ensuring persistence and providing an avenue for continued unauthorized access. In layman’s terms: the attacker uses victims’ computers to distribute the attack.

In addition to the discovery of the distribution method, the open API URL contained tables that held crucial data, including the victims’ account balances, dates of infection, latest transactions, and, in some instances, screenshots of their compromised bank accounts. 

By aggregating and analyzing data from multiple C2 servers, researchers found that the number of victims identified surpassed 4,000. Based on the balance amounts in the compromised accounts, the analysts estimate a potential theft of over $55 million.

The extent of this attack is further underscored by the timeline of the infections. The earliest sign of infection can be traced back to 2021, implying a protracted campaign that has remained under the radar for nearly two years. This longevity speaks to the attacker’s ability to evade detection, yet also begs the question of how they could have been so careless with their OpSec decisions. 

While there is no easy answer why the threat actor slacked on operations security, Perception Point’s researchers believe that it has to do with a lack of repercussions for cybercrime in Mexico and the region.

Thank you to Igal Lytzki, Perception Point Threat Analyst & IR Team Lead, @Merlax, and others for their research on subject.