Elastic Security Labs identified a new banking malware operation targeting Mexican financial institutions. The threat actors, tracked as REF6045, distribute SCMBANKER malware through ClickFix lures that impersonate legitimate CAPTCHA verification prompts.
The attack chain begins with fake CAPTCHA pages designed to appear authentic. Victims who interact with these pages receive instructions to execute malicious commands. The commands deploy a PowerShell toolkit that establishes persistence and enables credential theft on compromised systems.
SCMBANKER targets customers of Mexican banks, fintech platforms, payment processors, and cryptocurrency exchanges. The malware focuses on stealing banking credentials and session tokens. Once deployed, the toolkit collects sensitive financial data and enables threat actors to conduct unauthorized transactions or access accounts directly.
ClickFix represents an evolution in social engineering tactics. Rather than relying solely on phishing emails or malicious links, ClickFix lures present fake error messages or verification prompts that trick users into copying and pasting commands into PowerShell or terminal windows. This bypasses some email filtering and endpoint protections designed to block executable files.
The operation demonstrates a shift toward targeting regional financial ecosystems. Mexico's growing fintech sector and high cryptocurrency adoption rates make the region attractive for banking trojans. The use of localized lures increases effectiveness against Spanish-speaking users who may not recognize spoofed interfaces.
Organizations in Mexico's financial sector should implement browser isolation for high-risk activities and deploy endpoint detection focused on PowerShell execution patterns. Users should verify CAPTCHA prompts through official banking applications rather than browser pop-ups, and avoid copying commands from untrusted sources into terminals or PowerShell.
Elastic Security Labs recommends monitoring for suspicious PowerShell script execution, particularly scripts launched from browser processes or temporary directories. Financial institutions should update fraud detection systems to identify unusual login patterns from compromised credentials.
