A multi-pronged phishing campaign run by a Brazilian threat actor is targeting Spanish-speaking organizations in Latin America and Europe to deploy banking trojans. Its delivery chain combines WhatsApp automation, email hijacking, and deceptive PDF court summons to spread malware including Casbaneiro and Horabot.
The cybercrime group tracked as Augmented Marauders (also known as Water Saci) has expanded its operations with a delivery mechanism that reaches both consumer and enterprise targets. By pairing script-based WhatsApp automation with an email-hijacking engine, the group pushes its lures past perimeter defences on several continents. Its strategy leans on a range of social engineering tactics, including the recently popular ClickFix technique, in which the victim is talked into copying a command and running it themselves, so that the malicious payload reaches as many victims as possible.
The infection begins with a phishing email posing as a formal court summons that carries a password-protected PDF, a file that a mail gateway cannot inspect without the password. Once the recipient opens the document and clicks the links inside it, a chain of automated downloads runs a series of intermediate scripts. These scripts fingerprint the environment, in particular checking for antivirus software such as Avast, before fetching further loaders from a remote server to complete the infection.
At the core of the campaign are two malware families: Casbaneiro and Horabot. Casbaneiro is the banking trojan proper, built to steal financial credentials and data, while Horabot is the propagation component. Once a system is compromised, the malware contacts a command-and-control server for instructions and then uses the victim's own Microsoft Outlook account to send new batches of tailored phishing emails to the victim's contacts. Because those messages leave a legitimate mailbox through the organisation's own mail infrastructure, they typically pass sender-authentication and reputation checks and arrive from a sender the recipient already trusts.
The actor keeps evolving its tooling, most visibly in a move from static lure files to dynamic content generation. Rather than shipping hardcoded links, the malware calls a remote API that produces a unique, password-protected PDF summons for each new target. Every lure therefore has a different file hash and cannot be content-scanned without its password, which, combined with tooling built to hijack accounts at providers such as Gmail and Yahoo, lets the actor keep infection rates high while slipping past traditional security filters.
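The per-target, password-protected PDF summons described here (and in the initial infection stage above) defeats gateway content inspection, but the fact that a PDF is encrypted is itself stored in cleartext and can be acted on. The following Python is an added example of that triage check, not code from the BlueVoyant post or from the campaign: it flags PDFs whose trailer dictionary or cross-reference-stream dictionary carries an /Encrypt entry and routes them to quarantine. The attachment names and PDF bytes are constructed for illustration and are not artefacts from the campaign.

```python
"""Flag encrypted (password-protected) PDF attachments at a mail gateway.
Added example, not code from the BlueVoyant post or the campaign. An encrypted
PDF keeps an /Encrypt entry, in cleartext, in its trailer dictionary or in its
cross-reference-stream dictionary, so the lure is detectable even though its
pages and links cannot be scanned without the password. Samples are made up."""
import re

PDF_MAGIC = b"%PDF-"
TRAILER_RE = re.compile(rb"\btrailer\b")
XREF_TYPE_RE = re.compile(rb"/Type\s*/XRef\b")
ENCRYPT_RE = re.compile(rb"/Encrypt\b")

def is_pdf(data: bytes) -> bool:
    # Readers tolerate leading junk, so require the header in the first 1 KiB,
    # not at offset 0.
    return PDF_MAGIC in data[:1024]

def _dict_after(data: bytes, pos: int) -> bytes:
    # First balanced << ... >> dictionary at or after pos; nesting depth is
    # tracked so a sub-dictionary does not end the match early.
    start = data.find(b"<<", pos)
    if start < 0:
        return b""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth, i = depth + 1, i + 2
        elif pair == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return b""

def _dict_around(data: bytes, pos: int) -> bytes:
    # Walk backwards from pos to the '<<' opening the innermost dictionary that
    # contains it, stepping over closed sub-dictionaries, then read it forward.
    depth, i = 0, pos
    while i >= 0:
        pair = data[i:i + 2]
        if pair == b">>":
            depth, i = depth + 1, i - 2
        elif pair == b"<<":
            if depth == 0:
                return _dict_after(data, i)
            depth, i = depth - 1, i - 2
        else:
            i -= 1
    return b""

def is_encrypted_pdf(data: bytes) -> bool:
    # Only trailer and xref-stream dictionaries count; a literal "/Encrypt"
    # inside page content must not trigger the check.
    if not is_pdf(data):
        return False
    for m in TRAILER_RE.finditer(data):      # classic trailers, every one
        if ENCRYPT_RE.search(_dict_after(data, m.end())):
            return True
    for m in XREF_TYPE_RE.finditer(data):    # PDF 1.5+ cross-reference streams
        if ENCRYPT_RE.search(_dict_around(data, m.start())):
            return True
    return False

def triage(attachments: dict) -> dict:
    # quarantine: encrypted PDF (cannot be content-scanned without the
    # password); scan: plain PDF for the normal pipeline; other: not a PDF.
    verdicts = {}
    for name, blob in attachments.items():
        if not is_pdf(blob):
            verdicts[name] = "other"
        elif is_encrypted_pdf(blob):
            verdicts[name] = "quarantine"
        else:
            verdicts[name] = "scan"
    return verdicts

# Constructed, minimal (non-rendering) samples; file names are invented.
SAMPLE_ATTACHMENTS = {
    "citacion_judicial.pdf": (  # classic trailer carrying /Encrypt
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >> endobj\n"
        b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R /ID [<01> <02>] >>\n"
        b"startxref\n0\n%%EOF\n"
    ),
    "report.pdf": (  # xref stream whose dictionary nests a /DecodeParms dict
        b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\n"
        b"7 0 obj << /DecodeParms << /Columns 4 /Predictor 12 >> /Filter /FlateDecode"
        b" /Type /XRef /Size 8 /Root 1 0 R /Encrypt 6 0 R /W [1 2 1] >>\n"
        b"stream\n\x00\x00\x00\x00\nendstream endobj\nstartxref\n0\n%%EOF\n"
    ),
    "invoice.pdf": (  # ordinary unencrypted PDF
        b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
        b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    ),
    "decoy.pdf": (  # "/Encrypt" appears only in page text, not as a trailer key
        b"%PDF-1.4\n4 0 obj << /Length 21 >> stream\nBT (/Encrypt) Tj ET\n"
        b"endstream endobj\ntrailer\n<< /Size 5 /Root 1 0 R >>\n%%EOF\n"
    ),
    "notes.txt": b"not a PDF at all, even though it mentions /Encrypt\n",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:24} {verdict}")
```

Two caveats for deployment. A PDF encrypted with an empty user password opens without any prompt yet still carries /Encrypt, so the result is a triage signal (route to sandbox or analyst, ask the recipient for the password) rather than a malware verdict. And a production gateway should lean on a real parser, for example pypdf's PdfReader.is_encrypted, rather than the byte-level scan above, which exists to make the mechanism visible; the xref-stream and incremental-update handling here is deliberately conservative and fails closed.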
The integration of WhatsApp-centric delivery chains with email-based attack paths shows how adaptable this actor is. By running two parallel infrastructures, it can target retail users through mobile messaging and corporate entities through hijacked professional mailboxes at the same time. If one distribution channel is blocked, the group can keep spreading its banking trojans through the other, equally automated one.
Source: https://www.bluevoyant.com/blog/augmented-marauders-multi-pronged-casbaneiro-campaigns