How the Attack Unfolds
A new fraud campaign targeting customers of Mexican financial institutions uses fake Google verification pages to deliver the SCMBANKER malware toolkit. Researchers at Elastic Security Labs, tracking the operation as REF6045, found that victims are tricked into copying and running a malicious command from a fake CAPTCHA or verification page. The page displays Spanish language prompts with fabricated Google security branding. Once executed, the command launches a script that downloads the malware toolkit into the victim’s public user directory while displaying a fake Windows Update screen to keep the user occupied.
The infection chain requires user interaction, as victims must manually approve the command and grant administrator privileges. After installation, the toolkit monitors open windows for banking and financial service names, alerting the human operator when a useful session is detected. The operator then decides how to escalate the attack based on the victim’s activity.
Impact and Operator Capabilities
The SCMBANKER toolkit gives attackers extensive control over infected machines. Operators can capture screenshots, redirect browsers to phishing pages, replace copied payment details in the clipboard, lock the screen with fake warnings, and deploy a remote access tool for full hands on control. The campaign targets a wide range of Mexican financial services including retail banks, business banking portals, fintech platforms, payment processors, cryptocurrency exchanges, investment services, tax systems, and telecom providers.
Elastic found that parts of the malware code appear to have been generated by large language models, lowering the technical barrier for attackers. The campaign’s infrastructure showed poor security practices such as open directories and exposed configuration files. Defenders should monitor for suspicious PowerShell activity, bitsadmin downloads, and scripts launched from unusual directories. User education remains critical since the attack only succeeds when victims trust and execute the fake prompt.
Source: Cyber Security News
