Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

AI-Generated Phishing Pages Fuel Brazilian Scam as Efimer Trojan Steals $16 from 5,000 Victims




A recent phishing campaign exploiting AI-powered website building tools has targeted users in Brazil and around the world, with 5,015 victims reported. The malicious websites, designed to mimic Brazilian government agencies, aim to steal cryptocurrency wallets by getting users to submit sensitive information and pay a fee through the PIX payment system.

  • Sophisticated phishing campaigns using generative AI tools have been on the rise, with scammers creating replica websites mimicking Brazilian government agencies.
  • The AI-powered website building tools DeepSite AI and BlackBox AI were exploited to build lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education.
  • The phishing pages employ artificial intelligence to make their designs appear authentic, and utilize SEO poisoning techniques to increase their visibility.
  • The attackers used a mix of legitimate and custom-made components to build their phishing sites, including signatures of generative AI tools in the source code.
  • The end goal is to collect sensitive personal information from victims, including Cadastro de Pessoas Físicas (CPF) numbers, which are Brazilian taxpayer identification numbers, and cryptocurrency wallet addresses.
  • Another malware component, "controller.js," replaces cryptocurrency wallet addresses with the attacker's wallet address and captures screenshots.
  • A new version of Efimer incorporates anti-VM features and scans web browsers for cryptocurrency wallet extensions.
  • The campaign impacted 5,015 users across multiple countries, with the primary goal of stealing cryptocurrency wallets.
  • A mass mailing campaign impersonating lawyers has been reported, delivering the Efimer Trojan to compromise WordPress sites and distribute spam.



    The cybersecurity landscape has recently witnessed a surge in sophisticated phishing campaigns, largely attributed to the use of generative artificial intelligence (AI) tools. A recent report by Zscaler has revealed that these AI-powered website building tools have been exploited by scammers to create replica phishing pages mimicking Brazilian government agencies.

    In this scheme, DeepSite AI and BlackBox AI were employed to build lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education. These malicious websites are designed to trick unsuspecting users into making unwarranted payments through the country's PIX payment system. The phishing pages employ artificial intelligence to make their designs appear authentic, thereby increasing their chances of success.

    Furthermore, these websites artificially boost their visibility by utilizing search engine optimization (SEO) poisoning techniques. This increases the likelihood of users falling prey to the scam and makes it more difficult for cybersecurity researchers to identify such scams.

    The source code analysis performed on these phishing pages reveals signatures of generative AI tools, including overly explanatory comments meant to guide developers, non-functional elements that typically work on authentic websites, and trends like TailwindCSS styling. This suggests that the attackers used a mix of legitimate and custom-made components to build their phishing sites.

    The end goal of the attacks is to collect sensitive personal information from victims, including Cadastro de Pessoas Físicas (CPF) numbers, which are Brazilian taxpayer identification numbers, and residential addresses, and to convince them to make a one-time payment of 87.40 reals ($16). The attackers validate this information on the backend by means of an API created by the threat actor.

    The phishing pages also employ staged data collection behavior, mirroring the behavior of authentic websites. This makes it more difficult for users to distinguish between legitimate and malicious sites. In addition, the collected CPF numbers are validated using an API that retrieves data associated with the number and automatically populates the phishing page with information linked to the CPF.

    Another malware component identified in the attack chain is a clipper malware called "controller.js." This malware replaces cryptocurrency wallet addresses copied by users to their clipboard with the attacker's wallet address. It can also capture screenshots, execute additional payloads received from the C2 server, and connect over the Tor network after installing a Tor proxy client on the infected computer.
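    The clipper behaviour described above has a simple detection signature on an endpoint that logs clipboard writes: the address a user copied is overwritten, within a fraction of a second, by a different address of the same kind, written by a process that is not the user's wallet or browser. The following script is an added example written for this article, not code from the article, from Kaspersky or from the malware itself; the wallet address patterns, the process names and the clipboard event trace are all constructed for illustration, and the regular expressions check address shape only, not checksums.

```python
"""Detect clipper-style wallet address substitution in a clipboard event trace.

Added example (not from the article or any vendor analysis). A clipper such as
the "controller.js" component watches the clipboard for text that looks like a
cryptocurrency address and swaps in the attacker's address. If an endpoint agent
records clipboard writes with a timestamp and the writing process, a defender
can flag the swap at the moment it happens. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Address shapes for wallet families named in the article (Bitcoin, Ethereum-style).
# Shape checks only: no checksum validation is performed.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started (hypothetical agent field)
    process: str     # image name of the process that wrote the clipboard
    text: str        # clipboard contents after the write


def wallet_family(text: str):
    """Return the wallet family a string resembles, or None."""
    t = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(t):
            return name
    return None


def detect_swaps(events, window_s=2.0):
    """Flag a copied wallet address that is overwritten by a *different* address
    of the *same* family within window_s seconds.

    Same-family replacement is the clipper signature: the victim pastes something
    that still looks like the right kind of address, so the swap goes unnoticed.
    Re-copying the identical address (a common user action) is not flagged.
    """
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        fam = wallet_family(ev.text)
        if fam is None:
            continue
        for nxt in ordered[i + 1:]:
            if nxt.ts - ev.ts > window_s:
                break
            if wallet_family(nxt.text) == fam and nxt.text.strip() != ev.text.strip():
                alerts.append({
                    "ts": nxt.ts,
                    "family": fam,
                    "original": ev.text.strip(),
                    "replacement": nxt.text.strip(),
                    "writer": nxt.process,
                })
                break
    return alerts


# Constructed trace: the user copies an address in the browser; 0.3 s later a
# script host (wscript.exe running a .js payload) writes a different address of
# the same family. Later entries are benign and must not be flagged.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "explorer.exe", "meeting notes"),
    ClipboardEvent(12.0, "chrome.exe", "0x" + "ab" * 20),
    ClipboardEvent(12.3, "wscript.exe", "0x" + "cd" * 20),
    ClipboardEvent(30.0, "chrome.exe", "bc1" + "q" * 38),    # never rewritten
    ClipboardEvent(45.0, "notepad.exe", "0x" + "ab" * 20),   # same address re-copied
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] {a['family']} address rewritten by {a['writer']}: "
              f"{a['original']} -> {a['replacement']}")
```

    The two-second window and the same-family rule are the design choices that keep the false-positive rate low: a user who copies two different addresses minutes apart is not flagged, and a user who re-copies the same address is not flagged either. In a real deployment the writing process name would be the first pivot for triage, since a script host writing wallet-shaped text to the clipboard is rarely legitimate.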

    Moreover, Kaspersky recently discovered another version of Efimer that incorporates anti-VM features and scans web browsers like Google Chrome and Brave for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus. The malware exfiltrates the results of these searches back to its C2 server.

    The campaign is estimated to have impacted 5,015 users across Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. The primary goal of this scam was to steal cryptocurrency wallets, but it can also compromise WordPress sites and distribute spam, thereby establishing a complete malicious infrastructure.

    In an additional development, Brazilian cybersecurity firm Kaspersky has reported another mass mailing campaign impersonating lawyers from a major company to deliver the Efimer Trojan. This malware is used to steal cryptocurrency, while also spreading via infected WordPress websites.

    According to researchers Vladimir Gursky and Artem Ushkov at Kaspersky, these emails falsely claimed that the recipient's domain name infringed on the sender's rights. The script included additional functionality that helped attackers spread it further by compromising WordPress sites and hosting malicious files there.

    The malware can extend its capabilities with additional scripts that can brute-force passwords for WordPress sites and harvest email addresses from specified websites for future email campaigns. The script receives domains from its C2 server, iterates through each one to find hyperlinks and email addresses on the website pages, and serves as a spam module engineered to fill out contact forms on target websites.

    Furthermore, the malware is delivered in ZIP archives that contain another, password-protected archive together with an empty file whose name specifies the password needed to open it. Inside the second ZIP file is a malicious Windows Script File (WSF) that, when launched, infects the machine with Efimer.

    At the same time, the victim is shown an error message stating that the document cannot be opened on their device, which serves as a distraction. In reality, the WSF script saves two other files ("controller.js" and "controller.xml") and creates a scheduled task on the host using configuration extracted from "controller.xml."
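    Persistence through a scheduled task that launches a script host leaves a durable artefact that defenders can sweep for: the task definition itself. The following script is an added example written for this article, not code from the article, from Kaspersky or from the malware. It assumes task definitions exported in the Windows Task Scheduler XML schema (as produced by `schtasks /query /xml` or stored under `C:\Windows\System32\Tasks`) and flags tasks whose action is a script host running a script from a user-writable location or that are hidden from the Task Scheduler UI. The two task definitions embedded below are constructed samples; the suspicious one only mirrors the pattern the article describes and is not the real "controller.xml".

```python
"""Triage Windows Task Scheduler XML definitions for script-host persistence.

Added example (not from the article or any vendor analysis). The dropper in the
article registers a scheduled task so that a JScript payload ("controller.js")
runs under a script host. Exported task XML can be parsed offline to find tasks
whose action launches wscript/cscript/mshta/powershell on a script stored in a
user-writable directory. The task XML below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and script extensions worth a second look when paired together.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs|vbe|hta|ps1)\b", re.IGNORECASE)

# Locations a standard user can write to; persistence that runs from here is
# more suspicious than a binary under %SystemRoot% or Program Files.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PUBLIC%|\\Users\\|\\ProgramData\\)",
    re.IGNORECASE,
)


def triage_task_xml(xml_text: str):
    """Return a list of human-readable findings for one task definition.

    Exported tasks declare encoding="UTF-16"; once the file has been decoded to a
    str (open(path, encoding="utf-16")) the declaration is dropped so the parser
    does not re-interpret it.
    """
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    findings = []

    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        # Reduce "C:\Windows\System32\wscript.exe" to "wscript.exe".
        cmd_base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if cmd_base in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
            findings.append(f"script host {cmd_base} runs a script: {args}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("action references a user-writable path")

    # A task hidden from the Task Scheduler UI is rarely legitimate.
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS) or ""
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the UI")
    return findings


# Constructed sample mirroring the persistence pattern described in the article.
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //E:JScript "%APPDATA%\\Example\\controller.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a system binary, not hidden, no script argument.
BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\\System32\\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", triage_task_xml(xml_doc) or ["no findings"])
```

    Run over a directory of exported task definitions, the findings give an analyst a short list to review rather than a verdict: legitimate software does occasionally schedule scripts from %APPDATA%, so each hit should be confirmed against the script's contents and the task's author and creation time.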



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ai-Generated-Phishing-Pages-Fuel-Brazilian-Scam-as-Efimer-Trojan-Steals-16-from-5000-Victims-ehn.shtml

  • https://thehackernews.com/2025/08/ai-tools-fuel-brazilian-phishing-scam.html


  • Published: Fri Aug 8 12:33:52 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.