Ongoing Phishing Attack in LATAM Region

Summary: A sophisticated phishing campaign is targeting users in the Latin America (LATAM) region, utilizing a multi-layered approach to deceive victims into compromising sensitive information. The attack leverages trusted services like Google to create a seemingly legitimate environment for delivering malicious payloads.

Threat Actor: Cybercriminals
Victim: Users in LATAM

Key Points:

  • The phishing attack begins with an email containing a password and a link to a fake “security check” page hosted on a trusted Google domain.
  • The page offers a download link for a password-protected file, which is harder for automated security systems to scan, allowing the attackers to bypass many security filters.
  • Once the file is opened, it can execute harmful programs that steal data or install additional malware on the victim’s computer.
  • ANY.RUN’s TI Lookup tool can help track and analyze similar phishing campaigns, providing insights into attack behaviors and techniques.
  • Phishing attacks are evolving, emphasizing the need for advanced tools to uncover and understand threats as they develop.

A sophisticated phishing campaign is currently targeting users in the Latin America (LATAM) region. Cybercriminals are employing a multi-layered approach to bypass security measures and deceive victims into compromising sensitive information.

The attack starts with an email that contains a password and a link to a supposed “security check.”

Clicking the link takes the victim to a page hosted on a trusted Google domain. This makes the site look legitimate.

The page offers a download link for a password-protected file. These files are harder for automated security systems to scan.

Because the file is hosted on a trusted domain and password-protected, it bypasses many security filters, making it easier for the attackers to deliver their malicious payload.

For a detailed look at this phishing attack, visit this ANY.RUN sandbox session and see the entire process unfold.

This phishing attack is tricky because it uses trusted services like Google to make the victim believe everything is safe. The password-protected file also helps it slip past security tools, making it more likely that users will fall for it.

Once the file is opened, it can run harmful programs on the victim’s computer, stealing data or installing more malware.
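The reason the password-protected archive slips past filters is that a gateway can see the archive but not its contents. It can, however, still see that the contents are encrypted, and that alone is a usable triage signal. The following is an added example, not code from the original article or from ANY.RUN: a small gateway-style check that reads the general-purpose flag bits of a ZIP archive (bit 0 set means the entry is encrypted) and returns a verdict. Since Python's zipfile cannot write encrypted archives, the encrypted sample is constructed by patching the flag bits of a plain ZIP; the archive name, payload bytes and verdict labels are all made up for the example. The check covers ZIP only; RAR archives, which the page's query also points at, carry an equivalent "encrypted" flag in their own header format.

```python
import io
import zipfile

# General-purpose flag bit 0 of a ZIP entry means "this entry is encrypted".
ZIP_ENCRYPTED_FLAG = 0x0001


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry in the archive is password-protected.

    Only the central directory is read; no extraction and no password needed.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())


def triage_attachment(name: str, data: bytes) -> str:
    """Classify an attachment the way a mail/web gateway might before handing it to AV.

    Verdict labels are constructed for this example.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"       # hand off to other format handlers
    if is_encrypted_zip(data):
        return "quarantine"    # contents cannot be scanned: hold for review
    return "scan"              # plain archive: extract and scan normally


def build_plain_zip() -> bytes:
    """Constructed sample: a one-entry, uncompressed, unencrypted ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.pdf", b"constructed placeholder content")
    return buf.getvalue()


def build_encrypted_zip() -> bytes:
    """Constructed sample: the plain ZIP with the 'encrypted' flag set in both headers.

    zipfile cannot write encrypted archives, so the flag is patched in by hand.
    The payload itself is not encrypted, but every ZIP reader will now treat the
    entry as password-protected, which is exactly what a scanner sees.
    """
    data = bytearray(build_plain_zip())
    local = data.find(b"PK\x03\x04")    # local file header: flags at offset +6
    central = data.find(b"PK\x01\x02")  # central directory header: flags at offset +8
    data[local + 6] |= ZIP_ENCRYPTED_FLAG
    data[central + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def demo() -> dict:
    """Run the triage check over the constructed samples."""
    return {
        "plain": triage_attachment("report.zip", build_plain_zip()),
        "encrypted": triage_attachment("report.zip", build_encrypted_zip()),
        "text": triage_attachment("note.txt", b"hello"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

In a real gateway the "quarantine" branch would hold the message for analyst review or detonate it in a sandbox with the password supplied from the e-mail body, since the password travelling alongside the link is itself part of the lure described above.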

ANY.RUN’s TI Lookup is a powerful tool for tracking and analyzing phishing campaigns like the one currently targeting LATAM. By using the right search query, you can find sandbox sessions that reveal detailed attack behaviors, making it easier to understand and stop these threats.

For phishing attacks similar to the one outlined above, the following query is useful:

submissionCountry:"Co" AND commandLine:"OUTLOOK.EXE" AND commandLine:"WinRAR" AND threatLevel:"malicious"

By running this search, you can quickly identify more examples of attacks and see how threat actors operate — whether they use the same techniques, file types, or delivery methods.
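The query above encodes the observable chain of this campaign: a submission from Colombia, Outlook and WinRAR both appearing in the process command lines, and a malicious verdict. The following is an added example, not part of the original article and not ANY.RUN's own query engine: a minimal evaluator that parses the same `field:"value" AND ...` syntax and runs it over constructed sandbox-session records, so a defender can see which combination of fields actually isolates the relevant sessions. The matching semantics (case-insensitive substring match, AND only) and the session records are assumptions made for this example.

```python
import re

# Terms look like  field:"value"  and are joined with AND (the only operator handled here).
_TERM = re.compile(r'(\w+):"([^"]*)"')


def parse_query(query: str):
    """Return a list of (field, value) pairs from a TI-Lookup-style query string."""
    terms = _TERM.findall(query)
    if not terms:
        raise ValueError('no field:"value" terms found')
    return terms


def _field_matches(record_value, wanted: str) -> bool:
    # Assumed semantics: case-insensitive substring match; list fields match if any element does.
    wanted = wanted.lower()
    if isinstance(record_value, str):
        return wanted in record_value.lower()
    return any(wanted in str(v).lower() for v in record_value)


def record_matches(record: dict, terms) -> bool:
    """AND over all terms; a missing field never matches."""
    return all(field in record and _field_matches(record[field], value)
               for field, value in terms)


def hunt(records, query: str):
    """Return the ids of all records that satisfy every term of the query."""
    terms = parse_query(query)
    return [r["id"] for r in records if record_matches(r, terms)]


# Constructed sandbox-session records for the example (paths and ids are made up).
SESSIONS = [
    {"id": "s-001", "submissionCountry": "CO", "threatLevel": "malicious",
     "commandLine": [r'"C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
                     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\doc.zip"']},
    # Outlook present but no archive tool: not this chain.
    {"id": "s-002", "submissionCountry": "CO", "threatLevel": "malicious",
     "commandLine": [r'"C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
                     r'"C:\Windows\System32\notepad.exe"']},
    # Same chain, different country: excluded by the submissionCountry term.
    {"id": "s-003", "submissionCountry": "BR", "threatLevel": "malicious",
     "commandLine": [r'"C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
                     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\doc.rar"']},
    # Same chain and country, but the sandbox did not rate it malicious.
    {"id": "s-004", "submissionCountry": "CO", "threatLevel": "suspicious",
     "commandLine": [r'"C:\Program Files\Microsoft Office\OUTLOOK.EXE"',
                     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\doc.zip"']},
]

QUERY = ('submissionCountry:"Co" AND commandLine:"OUTLOOK.EXE" '
         'AND commandLine:"WinRAR" AND threatLevel:"malicious"')


if __name__ == "__main__":
    print(hunt(SESSIONS, QUERY))
```

Dropping the threatLevel term pulls in s-004 and dropping submissionCountry pulls in s-003, which is a quick way to judge how much each field narrows the result set before pivoting to a broader hunt.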

Thanks to TI Lookup’s integration with ANY.RUN’s sandbox, you can easily explore each sample in detail, see how it interacts with the system, and even rerun its analysis.

Try ANY.RUN TI Lookup for free with a 14-day trial — don’t miss the opportunity to explore the tool’s capabilities and improve your defenses against phishing attacks.

Phishing attacks are evolving, with threat actors continually finding new ways to exploit trusted domains and bypass security measures. This phishing campaign targeting LATAM users underscores the importance of using advanced tools like ANY.RUN’s interactive sandbox to uncover and understand threats as they unfold. By analyzing live attacks, you gain insights into malicious techniques and can better protect yourself and your organization from falling prey to similar schemes.

Source: https://securityonline.info/ongoing-phishing-attack-in-latam-region