GBHackers

TimbreStealer Malware Targets Mexico Companies With Advanced Evasion Techniques


A new campaign linked to the TimbreStealer information stealer is targeting Mexican companies, employing layered evasion and sophisticated runtime tricks to frustrate detection and analysis.

Researchers Euler Neto and Cristóbal Tárraga detail behaviors that echo a 2024 Cisco Talos report while highlighting a notable variant: the use of DLL side‑loading with unusually large malicious DLLs (45–50 MB) masquerading as legitimate updater libraries such as msedgeupdate.dll and goopdate.dll.

The campaign’s initial vector is targeted phishing delivering ZIP archives hosted on DigitalOcean IPs (for example, hxxps://68[.]183[.]155[.]111).

Filenames reference Mexican fiscal artifacts (CONTENIDO, COMPROBANTES, CFDI), leveraging the country's mandatory electronic invoicing (CFDI) process to increase click rates.

Inside the ZIPs attackers place what appears to be legitimate updater binaries alongside the oversized malicious DLL; the abnormal DLL size becomes a key detection heuristic because genuine updater DLLs are typically under 500 KB.
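The size heuristic above lends itself to a simple triage script for mail-gateway or sandbox pipelines. The following is an added example, not WatchGuard's or GBHackers' code: it reads a ZIP's central-directory metadata (never extracting anything), flags updater-named DLLs whose declared size exceeds a threshold, and flags fiscal-themed lure names. The 2 MB cut-off and the constructed sample archives are assumptions; the DLL names and lure keywords are the ones reported in the article.

```python
import io
import zipfile

# Updater DLL names the campaign impersonates for side-loading (from the report).
UPDATER_DLL_NAMES = {"msedgeupdate.dll", "goopdate.dll"}
# Genuine updater DLLs are typically under 500 KB; the 2 MB cut-off below is an
# assumption chosen to leave headroom above legitimate builds.
SIZE_THRESHOLD = 2 * 1024 * 1024
# Fiscal-themed keywords seen in the lure filenames.
LURE_KEYWORDS = ("CONTENIDO", "COMPROBANTES", "CFDI")


def scan_zip(data: bytes) -> dict:
    """Triage a ZIP held in memory using central-directory metadata only.

    Nothing is extracted; sizes come from the ZIP headers, so a 45 MB DLL is
    spotted without touching its bytes.
    """
    report = {"oversized_dlls": [], "lure_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            if basename in UPDATER_DLL_NAMES and info.file_size > SIZE_THRESHOLD:
                report["oversized_dlls"].append(info.filename)
            if any(k in info.filename.upper() for k in LURE_KEYWORDS):
                report["lure_names"].append(info.filename)
    return report


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure layout: a real-looking updater EXE
    beside an oversized updater DLL (zero-filled stand-in, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CFDI_COMPROBANTES/MicrosoftEdgeUpdate.exe", b"MZ" + bytes(4096))
        zf.writestr("CFDI_COMPROBANTES/msedgeupdate.dll", b"MZ" + bytes(3 * 1024 * 1024))
        zf.writestr("CFDI_COMPROBANTES/LEEME.txt", b"Adjunto comprobante fiscal")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed archive with a normally sized updater DLL and no lure naming."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tools/msedgeupdate.dll", b"MZ" + bytes(200 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
    print(scan_zip(build_clean_zip()))
```

Because only header metadata is consulted, the check is cheap enough to run on every inbound archive; pair it with a follow-up rule on the extracted file's actual size, since a declared size in the central directory can be forged.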

File downloaded from a link sent in a phishing email (Source: WatchGuard).

Static inspection of the malicious DLLs reveals heavy anti‑analysis measures. Binaries contain 27 sections, many zeroed and used as allocated memory regions to hold dynamically generated content.

Section 1 implements manual parsing of the PEB and of module export tables, enabling a custom API resolver that avoids the standard import table.

Section 4 houses two RC4 decryption routines that produce strings such as “Zw” and “ntdll.dll,” indicating direct syscall usage and attempts to hide dependencies by resolving syscalls internally.

TimbreStealer Malware attack

WatchGuard said in a report shared with GBHackers that the campaign is associated with TimbreStealer, which is known to target companies based in Mexico. Exports are randomized, and core actions occur within DllMain (DLLEntry), where long byte-manipulation sequences fill internal byte arrays used later in decryption and execution flows.

Two RC4 decrypt functions in Section 4: Decrypt 01 (left) and Decrypt 02 (right) (Source: WatchGuard).

Decryption proceeds in stages. A 256‑byte key is algorithmically generated and passed, along with a 0x3A7C00‑byte block in Section 3, into decryptor routines that reveal a PE‑like payload with deliberately corrupted header bytes (PE signature bytes zeroed) to hinder automatic PE recognition.

The decrypted payload, mapped as a 32‑bit PE with four sections, contains loader logic and several internal calls; execution terminates via ExitProcess at an early stage, concealing further code paths.
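To show why the zeroed PE signature defeats naive carving and how an analyst recovers the payload, here is an added example (not WatchGuard's code and not the sample's actual routine). RC4 itself is the standard algorithm the article names; the 256-byte key generator `derive_key` is a stand-in assumption, since the real derivation is not published, and `build_corrupted_pe_stub` constructs a minimal 32-bit, four-section header with the "PE\0\0" bytes zeroed rather than using any real payload.

```python
import struct


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: int) -> bytes:
    """Stand-in for the sample's 256-byte key generator (assumption: a simple LCG).
    The real derivation is not published; this only makes the demo self-contained."""
    key = bytearray()
    x = seed & 0xFFFFFFFF
    for _ in range(256):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        key.append((x >> 16) & 0xFF)
    return bytes(key)


def classify_decrypted_blob(blob: bytes) -> str:
    """Return 'pe', 'pe-zeroed-signature' or 'unknown' for a decrypted buffer.
    The stealer zeroes the 'PE\\0\\0' signature so signature-based carvers miss it."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return "unknown"
    sig = blob[e_lfanew:e_lfanew + 4]
    if sig == b"PE\x00\x00":
        return "pe"
    if sig == b"\x00\x00\x00\x00":
        return "pe-zeroed-signature"
    return "unknown"


def repair_pe_signature(blob: bytes) -> bytes:
    """Restore the zeroed signature so standard PE tooling can parse the payload."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[:e_lfanew] + b"PE\x00\x00" + blob[e_lfanew + 4:]


def build_corrupted_pe_stub() -> bytes:
    """Constructed minimal PE-like header with the signature zeroed (not a real sample)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + bytes(0x3C - 2))   # DOS header up to e_lfanew field
    hdr += struct.pack("<I", e_lfanew)          # e_lfanew -> NT headers at 0x80
    hdr += bytes(e_lfanew - len(hdr))           # pad DOS stub
    hdr += b"\x00\x00\x00\x00"                  # zeroed "PE\0\0" signature
    hdr += struct.pack("<HH", 0x014C, 4)        # IMAGE_FILE_MACHINE_I386, 4 sections
    hdr += bytes(64)                            # rest of file/optional header (zeros)
    return bytes(hdr)


def recover_payload(encrypted: bytes, seed: int) -> tuple:
    """Decrypt with the derived key, classify, and repair if the signature was zeroed."""
    plain = rc4_crypt(derive_key(seed), encrypted)
    verdict = classify_decrypted_blob(plain)
    if verdict == "pe-zeroed-signature":
        plain = repair_pe_signature(plain)
    return verdict, plain


if __name__ == "__main__":
    stub = build_corrupted_pe_stub()
    verdict, fixed = recover_payload(rc4_crypt(derive_key(7), stub), 7)
    print(verdict, fixed[0x80:0x84])
```

The takeaway for detection engineering is that a memory scanner keyed on "PE\0\0" alone will not find this payload; matching on an "MZ" header whose `e_lfanew` points at four zero bytes followed by a plausible machine field is the more robust signature.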

Runtime checks enforce robust geofencing and anti‑analysis: the malware queries UI language (rejecting Russian locales), validates time‑zone bias consistent with UTC‑5 to UTC‑8 (matching Mexico), and restricts execution to specific epoch windows.

Additional runtime gates inspect desktop window ownership and use mutable global keys whose values depend on precise call ordering, complicating emulation and deterministic analysis.

Google Chrome and Microsoft Edge being defined as targets (Source: WatchGuard).

Once active, TimbreStealer performs broad data collection focused on browsers and user data stores. It targets Google Chrome and Microsoft Edge user data folders, Firefox profiles, Thunderbird and Postbox mail stores, and cloud sync folders (OneDrive, Dropbox).

The malware issues SQL queries against browser SQLite databases (the History database and its urls and visits tables) and even rebuilds databases via VACUUM, suggesting data extraction and exfiltration preparation.

Observed privilege escalation attempts include invoking runas via ShellExecuteExW, searching for specific window classes to manipulate UI focus, and instantiating COM objects via CoCreateInstance.

Infrastructure reuse of legitimate cloud hosting (DigitalOcean) and the use of trusted updater names for side‑loading underline the campaign’s operational maturity.

This activity maps closely to Cisco Talos’ 2024 findings while adding the new large‑DLL side‑loading artifact and more elaborate multi‑stage decryption.

Defenders should prioritize monitoring for unusually large updater DLLs, ZIP downloads from cloud IPs carrying fiscal-themed filenames, anomalous access to browser SQLite files and VACUUM calls, and evidence of direct syscall resolution or modified PE headers.
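The monitoring priorities above (and the browser-store access described earlier) can be expressed as a few telemetry rules. The following is an added example, not part of the WatchGuard report: it evaluates constructed key="value" event lines in a made-up format (not a real EDR schema) against three rules: a fiscal-themed ZIP fetched from a bare-IP host, an oversized updater DLL being loaded, and a non-browser process reading browser or mail data stores. The allow-list of expected readers, the 2 MB threshold and the sample events are assumptions; the DLL names, lure keywords, target paths and IP are those named in the article. SQLite VACUUM calls happen inside the process and need API-level or file-rewrite telemetry that this format does not model.

```python
import re

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Data stores the stealer reads, per the report (regexes over Windows paths).
SENSITIVE_PATHS = [
    r"\\Google\\Chrome\\User Data\\.*\\(History|Login Data|Web Data|Cookies)$",
    r"\\Microsoft\\Edge\\User Data\\.*\\(History|Login Data|Web Data|Cookies)$",
    r"\\Mozilla\\Firefox\\Profiles\\.*\\(places|logins|cookies)\.sqlite$",
    r"\\Thunderbird\\Profiles\\",
    r"\\Postbox\\",
]
# Processes that legitimately open those files; tune per estate (assumption).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "postbox.exe"}
UPDATER_DLLS = {"msedgeupdate.dll", "goopdate.dll"}
DLL_SIZE_THRESHOLD = 2 * 1024 * 1024      # genuine updater DLLs sit well below this
LURE_KEYWORDS = ("CONTENIDO", "COMPROBANTES", "CFDI")
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")


def parse_line(line: str) -> dict:
    """Parse one key="value" telemetry line (constructed format)."""
    return dict(FIELD_RE.findall(line))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the three detection rules to one event and return alert strings."""
    alerts = []
    kind = event.get("event")
    image = _basename(event.get("image", ""))
    if kind == "Download":
        url = event.get("url", "")
        if BARE_IP_URL.match(url) and url.lower().endswith(".zip") \
                and any(k in url.upper() for k in LURE_KEYWORDS):
            alerts.append(f"fiscal-themed ZIP fetched from bare-IP host: {url}")
    elif kind == "ImageLoad":
        loaded = _basename(event.get("loaded", ""))
        size = int(event.get("size", "0"))
        if loaded in UPDATER_DLLS and size > DLL_SIZE_THRESHOLD:
            alerts.append(f"{image} loaded oversized {loaded} ({size} bytes)")
    elif kind == "FileAccess":
        target = event.get("target", "")
        if image not in EXPECTED_READERS and any(
                re.search(p, target, re.IGNORECASE) for p in SENSITIVE_PATHS):
            alerts.append(f"{image} read browser/mail store {target}")
    return alerts


def scan_log(lines) -> list:
    alerts = []
    for line in lines:
        alerts.extend(evaluate(parse_line(line)))
    return alerts


# Constructed sample telemetry; paths and user are made up, the IP is from the report.
SAMPLE_LOG = [
    r'ts="2025-01-10T14:02:11Z" event="Download" image="C:\Program Files\Google\Chrome\Application\chrome.exe" url="https://68.183.155.111/CONTENIDO_CFDI.zip"',
    r'ts="2025-01-10T14:03:40Z" event="ImageLoad" image="C:\Users\ana\Downloads\CONTENIDO_CFDI\MicrosoftEdgeUpdate.exe" loaded="C:\Users\ana\Downloads\CONTENIDO_CFDI\msedgeupdate.dll" size="47185920"',
    r'ts="2025-01-10T14:03:42Z" event="FileAccess" image="C:\Users\ana\Downloads\CONTENIDO_CFDI\MicrosoftEdgeUpdate.exe" target="C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\History"',
    r'ts="2025-01-10T14:05:00Z" event="FileAccess" image="C:\Program Files\Google\Chrome\Application\chrome.exe" target="C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\History"',
    r'ts="2025-01-10T14:06:13Z" event="ImageLoad" image="C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" loaded="C:\Program Files (x86)\Microsoft\EdgeUpdate\msedgeupdate.dll" size="204800"',
    r'ts="2025-01-10T14:06:50Z" event="FileAccess" image="C:\Users\ana\Downloads\CONTENIDO_CFDI\MicrosoftEdgeUpdate.exe" target="C:\Users\ana\AppData\Roaming\Thunderbird\Profiles\abc.default\key4.db"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The FileAccess rule is the strongest of the three in practice: an updater process running from a Downloads folder and opening Chrome's History database has no legitimate reason to exist, whereas the size and URL rules mostly serve to pull the initial delivery into the same timeline.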
