A sophisticated malware operation named SCMBANKER, identified by Elastic Security Labs as REF6045, has emerged as a significant threat to Mexican financial institutions. This operation employs ClickFix tactics, affecting banks, fintech companies, payment processors, and cryptocurrency exchanges across Mexico.
Understanding the SCMBANKER Tactics
The SCMBANKER malware infiltrates systems through deceptive CAPTCHA verification pages that trick users into running malicious commands. These commands install a PowerShell toolkit known as SCMBANKER, which has components dating back to October 2025. Security experts Jia Yu Chan and Salim Bitam report that this malware can manipulate banking sessions, lock screens, and even redirect browsers to exploit victims further.
Capabilities and Technical Insights
SCMBANKER is tailored to exploit Mexico’s financial landscape, with evidence suggesting the use of a large language model in its development. Its capabilities include monitoring banking sessions, capturing screenshots, and executing phishing redirects. Additionally, the toolkit can hijack clipboards and install Remote Utilities for deeper system access.
The operation’s exposure was due to a security lapse, allowing researchers to access a ZIP archive containing the full web root directory of the attackers. The initial phase involves a fake CAPTCHA page that misleads users into executing a malicious command, triggering a multi-stage malware installation process.
Installation and Persistence Mechanisms
The malware installation begins with a batch script that simulates a Windows update screen to distract the user. It checks for administrative privileges and prompts the user every 20 seconds until consent is given, locking mouse movement in the process. This distraction facilitates the complete installation of the toolset using the bitsadmin tool.
Once installed, SCMBANKER achieves persistence through the Windows Startup folder and a Registry Run key. It then executes a series of scripts for various functions, including banking activity monitoring and phishing redirects. The malware’s infrastructure supports real-time victim tracking and interaction through a live dashboard.
Impact and Future Outlook
Elastic Security Labs’ findings underscore the threat posed by SCMBANKER, particularly its use of AI for tool development and operational security mishaps. Despite its crude nature, the malware has real victims, actively targeting individuals through sophisticated tactics.
As the threat landscape evolves, financial institutions must remain vigilant and enhance their cybersecurity measures to mitigate risks associated with such malware operations. The ongoing battle against cyber threats like SCMBANKER highlights the critical need for robust security protocols and continuous monitoring.
