TimbreStealer Malware Campaign Uncovered with Over 19,000 Artifacts

A comprehensive investigation into a sophisticated malware distribution campaign targeting Mexico has led to the discovery of an extensive network of over 19,000 artifacts connected to the TimbreStealer malware. The initial indicators of compromise (IoCs), which included four domains, 24 IP addresses, and 124 subdomains, were significantly expanded upon by researchers who delved into WHOIS records, IP geolocation data, and string usage patterns.

The TimbreStealer malware, identified by Cisco Talos, has been distributed through a phishing campaign that uses finance-themed emails. These deceptive messages include generic fake invoices and others mimicking the Comprobante Fiscal Digital por Internet (CFDI), Mexico’s standard electronic invoice format. The malware is noted for its use of obfuscation techniques, which help it evade detection and maintain persistence on infected devices.

The research team’s efforts to trace the malware’s infrastructure began with the analysis of WHOIS details for the four domains initially tagged as IoCs. This led to the identification of 52 email addresses in historical WHOIS records, 12 of which were public (that is, real registrant mailboxes rather than addresses masked by a privacy or proxy service). Further investigation using Reverse WHOIS API linked these public email addresses to the current WHOIS records of 806 domains.

Additionally, domain searches using text strings from the domain IoCs and the root domains of the subdomain IoCs uncovered 452 string-connected domains that were added between January 1, 2023, and March 4, 2024. These domains were found to start with specific text strings that were associated with malware and phishing activities.

The Threat Intelligence API also indicated that some, though not all, of the string-connected web resources were involved in malicious activities. The research team has made a sample of the additional artifacts obtained from their analysis available for download on their website, providing a starting point for further investigation and defense against the TimbreStealer malware.
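The three pivots described above (historical WHOIS records to registrant emails and back out through reverse WHOIS, "starts with" string searches over domains first seen in a date window, and a final threat-intelligence check on what the pivots return) can be reproduced offline on a small constructed data set. The script below is an added example, not code from the researchers or from any WhoisXML API product: the domain names, WHOIS records, dates and the `MALICIOUS_FEED` lookup are all constructed (the `.example` TLD is reserved and never resolves), the privacy-redaction heuristic in `PRIVACY_MARKERS` and the two-label `root_domain` helper are simplifying assumptions, and the date window defaults to the one quoted in the article.

```python
# Added example: WHOIS/string pivots over constructed records (not real IoCs).
from datetime import date

# --- Constructed sample data. .example is reserved, so nothing resolves. ---
IOC_DOMAINS = ["factura-cfdi.example", "timbrado-sat.example"]
IOC_SUBDOMAINS = [
    "portal.factura-cfdi.example",
    "mail.timbrado-sat.example",
    "descarga.comprobante-fiscal.example",
]

# Historical WHOIS: domain -> [(record_date, registrant_email), ...]
WHOIS_HISTORY = {
    "factura-cfdi.example": [
        (date(2022, 11, 3), "ops.registrar@webmail.example"),
        (date(2023, 6, 1), "REDACTED FOR PRIVACY"),
    ],
    "timbrado-sat.example": [
        (date(2023, 1, 20), "ops.registrar@webmail.example"),
        (date(2023, 9, 2), "abuse@privacy-proxy.example"),
    ],
}

# Current WHOIS plus first-seen date: domain -> (registrant_email, first_seen)
CURRENT_WHOIS = {
    "factura-cfdi.example": ("REDACTED FOR PRIVACY", date(2022, 11, 3)),
    "timbrado-sat.example": ("abuse@privacy-proxy.example", date(2023, 1, 20)),
    "factura-envio.example": ("ops.registrar@webmail.example", date(2023, 5, 9)),
    "timbrado-cfdi-sat.example": ("ops.registrar@webmail.example", date(2024, 2, 14)),
    "comprobante-digital.example": ("someone.else@webmail.example", date(2023, 8, 2)),
    "facturacion-online.example": ("other@webmail.example", date(2022, 12, 30)),
    "timbrado-rapido.example": ("third@webmail.example", date(2024, 3, 10)),
}

# Constructed stand-in for a threat-intelligence lookup result.
MALICIOUS_FEED = {"timbrado-cfdi-sat.example"}

# Assumed heuristic: an address is "public" when it is a real mailbox and not
# a privacy/proxy placeholder.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")


def is_public_email(value: str) -> bool:
    v = value.lower()
    return "@" in v and not any(m in v for m in PRIVACY_MARKERS)


def historical_emails(history: dict, domains: list) -> set:
    """Every registrant e-mail ever recorded for the IoC domains."""
    return {email for d in domains for _, email in history.get(d, [])}


def reverse_whois(current: dict, emails: set, exclude: set) -> list:
    """Domains whose current record lists one of the e-mails, minus known IoCs."""
    return sorted(d for d, (email, _) in current.items()
                  if email in emails and d not in exclude)


def root_domain(name: str) -> str:
    # Assumption: two-label registrable domains; real data needs a public-suffix list.
    return ".".join(name.split(".")[-2:])


def pivot_strings(domains: list, subdomains: list, min_len: int = 6) -> set:
    """Leading text of each IoC root domain (before the first hyphen).
    Short strings are dropped because 'starts with' searches on them are noisy."""
    roots = set(domains) | {root_domain(s) for s in subdomains}
    leads = {r.split(".")[0].split("-")[0] for r in roots}
    return {s for s in leads if len(s) >= min_len}


def string_connected(current: dict, strings: set, start: date, end: date,
                     exclude: set) -> list:
    """Domains first seen in [start, end] whose name starts with a pivot string."""
    prefixes = tuple(sorted(strings))
    return sorted(d for d, (_, seen) in current.items()
                  if d not in exclude and start <= seen <= end
                  and d.split(".")[0].startswith(prefixes))


def expand(start: date = date(2023, 1, 1), end: date = date(2024, 3, 4)) -> dict:
    known = set(IOC_DOMAINS)
    emails = historical_emails(WHOIS_HISTORY, IOC_DOMAINS)
    public = {e for e in emails if is_public_email(e)}
    email_connected = reverse_whois(CURRENT_WHOIS, public, known)
    strings = pivot_strings(IOC_DOMAINS, IOC_SUBDOMAINS)
    by_string = string_connected(CURRENT_WHOIS, strings, start, end, known)
    # Pivots overlap; deduplicate before counting, and triage before blocking.
    candidates = set(email_connected) | set(by_string)
    return {
        "emails_found": len(emails),
        "public_emails": sorted(public),
        "email_connected": email_connected,
        "pivot_strings": sorted(strings),
        "string_connected": by_string,
        "confirmed_malicious": sorted(candidates & MALICIOUS_FEED),
        "unconfirmed": sorted(candidates - MALICIOUS_FEED),
    }
```

Two details matter in practice. The date window does real work: `facturacion-online.example` matches the `factura` string but falls outside the window and is dropped, which is why a pivot on a generic Spanish word like "factura" is only usable when paired with a tight first-seen range. And the final split into `confirmed_malicious` and `unconfirmed` reflects what the article reports: a threat-intelligence check flagged only some of the string-connected resources, so the rest are leads to monitor or investigate, not a ready-made blocklist.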

This extensive network of connected artifacts, including 12 public email addresses, 111 email-connected domains, 11 additional IP addresses, 38 IP-connected domains, and 18,798 string-connected subdomains, maps a much larger footprint than the original IoC list. Because only some of these artifacts were confirmed malicious by threat-intelligence checks, the full set is best treated as material for monitoring and further investigation rather than as a ready-made blocklist. The findings underscore the importance of vigilance and the need for robust security measures to protect against sophisticated phishing campaigns and malware attacks.