Malicious campaign impersonating Mexican government site
# Incident Report: Impersonation of Mexican Government Site Leading to Credential Theft
## Executive Summary
Threat actors set up a look-alike website impersonating a legitimate Mexican government site for social security (employer contribution) payments and used it to deliver a malicious JavaScript file as a drive-by download. When a user ran the file, it silently installed malware that modified the registry for persistence, drove the browser in headless mode so the activity produced no visible window, stole session cookies and related data from Chrome and Edge, and then reported to the command-and-control (C2) server.
## Incident Details
- Discovery Date: Not stated; inferred to be shortly before the October 16, 2025 publication date.
- Incident Date: The malicious site was created approximately seven months before October 16, 2025.
- Affected Organization: Users of the Mexican social security employer-contribution (SUA) service.
- Sector: Government Services / Finance (Social Security).
- Geography: Mexico (implied by the impersonated site).
## Timeline of Events
### Initial Access
- Date/Time: Unknown, active for ~7 months prior to reporting.
- Vector: Drive-by download via a look-alike website impersonating a Mexican government service (SUA system for employer-employee contributions).
- Details: Users were tricked into downloading and running a malicious JavaScript file presented as the SUA installer.
### Lateral Movement
- None reported. The registry manipulation observed is a persistence mechanism, not lateral movement.
### Data Exfiltration/Impact
- Stole session cookies and other information from web browsers (Chrome & Edge).
- Communicated with the C2 server to report infection and receive a unique ID.
### Detection & Response
- Detection: The report is based on analysis of the spoofed site, the malware, and its C2 communication; how the campaign first came to the analysts' attention is not stated.
- Response actions taken: Not explicitly detailed beyond analysis of the C2 domain and the malware.
## Attack Methodology
- Initial Access: Drive-by download from the spoofed domain `instalasua[.]com`, whose page elements linked back to the legitimate sites so the lure looked authentic.
- Persistence: Registry key manipulation (the specific keys are not stated in the report).
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: The browser was run in headless mode so the cookie theft happened without a visible window.
- Credential Access: Theft of session cookies and other identifying information from Chrome and Edge.
- Discovery: Not explicitly detailed beyond locating Chrome and Edge browser data on the host.
- Lateral Movement: Not explicitly detailed.
- Collection: Session cookies and browser information gathered from the infected host.
- Exfiltration / C2: Communication with `extensioninstaller.onrender[.]com`, a hostname on Render's shared `onrender.com` application-hosting domain; the malware reported the infection and received a unique ID.
- Impact: Loss of browser session data and potential account takeover through replay of the stolen cookies.
## Impact Assessment
- Financial: Not estimated.
- Data Breach: Session cookies and sensitive browser information from compromised user machines.
- Operational: Potential disruption to users attempting to access legitimate government services, leading to fraudulent actions.
- Reputational: Harm to the reputation of the targeted Mexican government service authority.
## Indicators of Compromise
- Network indicators: `extensioninstaller.onrender[.]com` (C2) and `instalasua[.]com` (spoofed site). Block the specific C2 hostname rather than all of `onrender.com`, which also hosts legitimate applications.
- File indicators: A malicious JavaScript file served as the SUA installer; no filename or hash is given in the report.
- Behavioral indicators: Registry persistence writes by a script host, a Chrome or Edge process started with headless flags by a non-interactive parent, and DNS or HTTP traffic to the C2 hostname.
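The following triage logic is an added example, not code from the original analysis. It applies the three behavioral indicators above to constructed Sysmon-style JSON events; the event field names, hostnames, paths and the `SUAUpdater` value name are assumptions made for illustration, and treating `wscript.exe`/`cscript.exe` as the parent of the headless browser assumes the dropped `.js` file ran under the default Windows script host.

```python
"""Added triage example for the behavioral indicators in this report.
Runs over constructed Sysmon-style JSON event lines (not real telemetry)."""
import json
import re

# Network indicator from the report, written undefanged so it matches DNS telemetry.
C2_DOMAINS = {"extensioninstaller.onrender.com"}
BROWSERS = {"chrome.exe", "msedge.exe"}
# Default handlers for a .js file on Windows; assumed (not stated in the report) to be
# the parent of the headless browser launched by the dropped script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Run/RunOnce keys are the most common registry persistence; the report does not name the keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> list:
    """Return the names of the indicators a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "").lower()
        if image in BROWSERS and "--headless" in cmd:  # covers --headless and --headless=new
            hits.append("headless_browser")
            if parent in SCRIPT_HOSTS:
                hits.append("browser_spawned_by_script_host")
    elif kind == "registry" and RUN_KEY_RE.search(event.get("target", "")):
        hits.append("run_key_persistence")
    elif kind == "dns" and event.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append("c2_domain")
    return hits


def triage(lines) -> dict:
    """Group matched indicators per host from an iterable of JSON event lines."""
    per_host = {}
    for line in lines:
        event = json.loads(line)
        for hit in classify(event):
            per_host.setdefault(event["host"], set()).add(hit)
    return per_host


def is_infected(indicators: set) -> bool:
    """C2 contact alone, or a headless browser plus Run-key persistence, escalates the host."""
    return "c2_domain" in indicators or {"headless_browser", "run_key_persistence"} <= indicators


# Constructed sample telemetry: WS01 reproduces the reported chain, WS02 is benign activity.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "WS01", "type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": '"chrome.exe" --headless=new --disable-gpu'},
    {"host": "WS01", "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SUAUpdater"},
    {"host": "WS01", "type": "dns", "query": "extensioninstaller.onrender.com"},
    {"host": "WS02", "type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"chrome.exe" --profile-directory=Default'},
    {"host": "WS02", "type": "dns", "query": "www.microsoft.com"},
])

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(host, sorted(hits), "ESCALATE" if is_infected(hits) else "monitor")
```

The verdict in `is_infected` deliberately requires either the C2 hostname or the combination of a headless browser and a Run-key write: a headless browser on its own is common in developer tooling and CI agents, so alerting on it alone would be noisy.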
## Response Actions
- Containment measures: Not explicitly detailed; expected steps are blocking the C2 hostname and the spoofed domain and requesting takedown of the look-alike site.
- Eradication steps: Not explicitly detailed; affected endpoints would need review for the registry persistence entries and removal of the dropped script and associated files.
- Recovery actions: Not explicitly detailed; because session cookies were stolen, affected users should have their sessions invalidated and passwords reset, not merely their browser data cleared.
## Lessons Learned
- Impersonating critical government infrastructure was an effective social-engineering lure, and pairing it with technical evasion (a headless browser) kept the infection quiet on the endpoint.
- The malicious site operated for approximately seven months without being flagged, indicating a gap in proactive monitoring for look-alike domains that target government services.
## Recommendations
- Implement domain monitoring and a takedown procedure for look-alike domains that target critical government services, covering new registrations and certificate-transparency logs.
- Enhance user security training to address drive-by downloads and verification of official government sources, especially for sensitive tasks such as social security contributions.
- Deploy endpoint detection and response (EDR) capable of detecting suspicious registry changes and browsers launched in headless mode by script hosts.
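As an added example of the look-alike domain monitoring recommended above (not code from the original report), the scorer below checks a feed of newly observed domains for the service name combined with typical download or payment lure words. The keyword list, lure words, threshold and the domain feed are constructed for illustration; only `instalasua[.]com` comes from the report, and `ejemplo.gob.mx` is a placeholder for the legitimate site, whose real hostname the report does not give.

```python
"""Added example: score newly observed domains against a protected service keyword.
Everything except instalasua.com is constructed for illustration."""
import re

KEYWORDS = ["sua"]  # service name abused in this campaign; extend per protected service
LURE_WORDS = ["instala", "descarga", "actualiza", "pago"]  # verbs typical of installer/payment lures
GOV_SUFFIX = ".gob.mx"  # reserved for Mexican government entities, so never treated as a look-alike
THRESHOLD = 5  # assumed cut-off: keyword as a distinct token (3) plus a lure word (2)


def registrable_label(domain: str) -> str:
    """Return the label directly below the public suffix, e.g. 'instalasua.com' -> 'instalasua'.
    The suffix table is minimal for the example; a real monitor should use the Public Suffix List."""
    d = domain.lower().strip(".")
    for suffix in (".com.mx", ".org.mx", ".net.mx", ".gob.mx"):
        if d.endswith(suffix):
            return d[: -len(suffix)].split(".")[-1]
    return d.split(".")[-2] if "." in d else d


def score_domain(domain: str):
    """Return (score, reasons) for one domain; higher means more likely a look-alike."""
    d = domain.lower().strip(".")
    if d.endswith(GOV_SUFFIX):
        return 0, ["official government suffix"]
    label = registrable_label(d)
    score, reasons = 0, []
    # Remove lure words first so 'instalasua' becomes '-sua' and the keyword is seen as a token.
    stripped = label
    for lw in LURE_WORDS:
        stripped = stripped.replace(lw, "-")
    for kw in KEYWORDS:
        if re.search(rf"(?<![a-z]){re.escape(kw)}(?![a-z])", stripped):
            score += 3
            reasons.append(f"keyword '{kw}' as a distinct token")
        elif kw in label:
            score += 1  # e.g. 'persuasive': the keyword is just a substring of a longer word
            reasons.append(f"keyword '{kw}' embedded in a longer word")
    for lw in LURE_WORDS:
        if lw in label:
            score += 2
            reasons.append(f"lure word '{lw}'")
            break
    return score, reasons


def scan(feed):
    """Return [(domain, score, reasons)] for feed entries at or above THRESHOLD, highest first."""
    flagged = [(dom, *score_domain(dom)) for dom in feed]
    flagged = [t for t in flagged if t[1] >= THRESHOLD]
    flagged.sort(key=lambda t: -t[1])
    return flagged


# Constructed feed of newly observed domains; only instalasua.com is from the report.
SAMPLE_FEED = [
    "instalasua.com",
    "sua-actualizacion.com",
    "persuasive-marketing.com",
    "descargar-office.com",
    "ejemplo.gob.mx",
]

if __name__ == "__main__":
    for dom, score, reasons in scan(SAMPLE_FEED):
        print(f"{dom}: {score} ({'; '.join(reasons)})")
```

In practice the feed would come from a newly-registered-domain list or certificate-transparency log stream, and flagged entries would go to a takedown queue rather than straight to a blocklist, since the scorer is a prioritisation aid and not a verdict.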