A sophisticated cybercriminal campaign is actively targeting customers of Mexican financial institutions, including banks, fintech companies, payment processors, and cryptocurrency exchanges. The attackers employ deceptive ClickFix lures to trick users into executing malicious commands that install a PowerShell-based toolkit known as SCMBANKER.
ClickFix is a social engineering technique where users are misled into copying and executing malicious scripts under the guise of resolving non-existent issues. In this campaign, victims encounter fake CAPTCHA verification pages that prompt them to run a command, initiating the malware installation process.
Once installed, SCMBANKER provides attackers with extensive control over the compromised system. Its capabilities include monitoring banking sessions, capturing screenshots, displaying fake banking alerts to facilitate vishing attacks, redirecting browsers to phishing sites, manipulating clipboard data to alter account numbers, and deploying remote access tools for full system control.
Notably, a significant portion of SCMBANKER’s code appears to have been generated using large language models (LLMs), indicating a trend where cybercriminals leverage advanced AI tools to develop malware. This approach allows for rapid development and adaptation of malicious software.
The infection process begins with a counterfeit CAPTCHA page that mimics Google’s reCAPTCHA, instructing users to identify specific images. After completing this step, victims are directed to copy and paste a command into the Windows Run dialog box. Executing this command initiates a batch script that simulates a Windows update screen to distract the user while the malware installs in the background.
The batch script checks for administrative privileges and, if not granted, repeatedly prompts the user with User Account Control (UAC) dialogs until consent is obtained. Once administrative access is secured, the script locks mouse movement and downloads the full SCMBANKER toolkit using the bitsadmin utility. Persistence is established through the Windows Startup folder and registry keys, ensuring the malware remains active after system reboots.
SCMBANKER’s design and deployment underscore the evolving sophistication of cyber threats targeting the financial sector. The use of AI-generated code and advanced social engineering tactics like ClickFix highlight the need for enhanced cybersecurity measures and user awareness to mitigate such risks.
As cybercriminals continue to refine their methods, it is imperative for financial institutions and their customers to remain vigilant. Implementing robust security protocols, educating users about emerging threats, and adopting advanced detection systems are crucial steps in defending against these increasingly sophisticated attacks.