Latin American Users Beware, Fenix Cybercrime Group Impersonates Tax Authorities

In a concerning development in cybersecurity, a Mexico-based cybercrime group known as Fenix has recently emerged as a significant threat to tax-paying individuals in Mexico and Chile. Their main objective is to infiltrate targeted networks and pilfer valuable data.

One prominent aspect of their operation involves replicating the official portals of Mexico’s Servicio de Administración Tributaria (SAT) and Chile’s Servicio de Impuestos Internos (SII). They then redirect potential victims to these fraudulent sites.

A recent analysis conducted by security researchers Gerardo Corona and Julio Vidal from Metabase Q revealed that these fraudulent websites prompt users to download a purported security tool, falsely claiming that it will improve the safety of their portal navigation.

Unknown to the victims, the downloaded software installs the first stage of malware, allowing the cybercriminals to steal sensitive information, including login credentials.

As per the findings of the Latin America-focused cybersecurity firm, Fenix’s objective is to serve as an initial access broker, establishing entry points into various companies within the region. Subsequently, they sell this access to ransomware affiliates, who can further exploit it for monetary gain.

And based on the evidence collected so far, it appears that the threat actor has been coordinating phishing campaigns to coincide with government activities for at least a year, starting from the fourth quarter of 2022.

What Cyber criminals do is, when visitors arrive on the impersonated websites, they are encouraged to download software that allegedly protects their data while using the portal. Alternatively, users are enticed through phishing sites that are designed to make them download genuine apps like AnyDesk.

However, the truth is that the ZIP file, which supposedly contains the protective software, serves as a trigger to initiate an infection sequence. This sequence leads to the execution of a concealed PowerShell script that, in turn, loads and executes a .NET binary. After this process, a message in Spanish saying “Ahora se encuentra protegido” (translated as “Now you are protected”) is displayed to maintain the deception.

Afterwards, the .NET executable creates an opportunity for establishing persistence on the compromised host. It also initiates the deployment of botnet malware with the capability to execute commands received from a remote server. Additionally, the .NET executable loads a stealer module designed to extract credentials stored in web browsers and crypto wallets. Ultimately, it removes itself from the system to avoid detection.

Enjoyed reading this article? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.