Casbaneiro Phishing Campaign

Tags: Phishing, Banking Trojan, Casbaneiro, Horabot, Augmented Marauder, Water Saci
BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and Europe. The campaign, attributed to the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci), employs a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing. The campaign deploys Horabot to deliver the Casbaneiro (a.k.a. Metamorfo) banking trojan through a comprehensive phishing operation.

Indicators of Compromise

grupobedfs.com
factu.it.com
facturastbs.shop

APT Groups (1)

Water Saci (BR)
  a.k.a. Augmented Marauder


DETECTION

DET0146 - Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns


Analytics

AN0411

Adversary spawns command-line tools (e.g., del, cipher /w, SDelete) or scripts to recursively delete or overwrite user/system files. This may be correlated with abnormal file IO activity, registry writes, or tampering in critical system directories.

Log Sources

Data Component               Name                 Channel
Process Creation (DC0032)    WinEventLog:Sysmon   EventCode=1
File Creation (DC0039)       WinEventLog:Sysmon   EventCode=11
File Deletion (DC0040)       WinEventLog:Sysmon   EventCode=23

Mutable Elements

Field                Description
TargetFilename       Filter file deletion activity to sensitive locations (e.g., %System32%, Documents, DB paths).
ProcessCommandLine   Tune for aggressive overwrite flags (e.g., /w, /q, /s) or temp file overwrites.
VolumeThreshold      Threshold of unique file deletions or modifications within the time window.
TimeWindow           Correlate rapid file delete/overwrite behavior from the same process/user.
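As an added example (not part of the original page and not the analytic's own implementation), the following Python applies the AN0411 logic to a handful of constructed Sysmon events: EventCode 1 process creates are joined to EventCode 11/23 file events by ProcessId, the command line is tested for the overwrite and recursive-delete flags named above, and the number of unique sensitive files touched inside any TimeWindow span is compared against VolumeThreshold. The sensitive-path list, tool/flag lists, thresholds and sample events are all constructed assumptions for this demonstration; the field names follow Sysmon's event schema.

```python
"""DET0146 / AN0411 style correlation over Sysmon events (added example, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements of the analytic, with constructed default values.
SENSITIVE_PATHS = ("\\windows\\system32\\", "\\documents\\", "\\mssql\\data\\")
# Secure-overwrite tools: image -> flags that must be present (empty tuple = any use counts).
OVERWRITE_TOOLS = {"cipher.exe": ("/w",), "sdelete.exe": (), "sdelete64.exe": ()}
DELETE_VERBS = re.compile(r"\b(del|erase|rd|rmdir|remove-item)\b")
DELETE_FLAGS = ("/q", "/s", "-recurse", "-force")
VOLUME_THRESHOLD = 5                  # unique sensitive files per process per window
TIME_WINDOW = timedelta(minutes=2)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def is_sensitive(path):
    p = path.lower()
    return any(s in p for s in SENSITIVE_PATHS)


def risky_command(image, cmdline):
    """True when the process create looks like a recursive delete or a secure overwrite."""
    img = image.lower().rsplit("\\", 1)[-1]
    c = cmdline.lower()
    if img in OVERWRITE_TOOLS:
        flags = OVERWRITE_TOOLS[img]
        return not flags or any(f in c for f in flags)
    return bool(DELETE_VERBS.search(c)) and any(f in c for f in DELETE_FLAGS)


def detect_mass_deletion(events):
    """Correlate EventCode 1 (process create) with EventCode 11/23 (file create/delete)
    by ProcessId and flag processes that either run a risky command line or touch at
    least VOLUME_THRESHOLD unique sensitive files inside any TIME_WINDOW span."""
    procs, touched = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        if ev["EventCode"] == 1:
            procs[ev["ProcessId"]] = ev
        elif ev["EventCode"] in (11, 23):
            touched[ev["ProcessId"]].append((parse_time(ev["UtcTime"]), ev["TargetFilename"]))
    alerts = []
    for pid in sorted(set(procs) | set(touched)):
        proc = procs.get(pid, {})
        reasons = []
        if proc and risky_command(proc["Image"], proc["CommandLine"]):
            reasons.append("command_line")
        files = touched.get(pid, [])
        burst = 0
        for i, (t0, _) in enumerate(files):  # sliding window over this process's file events
            in_window = {p for t, p in files[i:] if t - t0 <= TIME_WINDOW and is_sensitive(p)}
            burst = max(burst, len(in_window))
        if burst >= VOLUME_THRESHOLD:
            reasons.append("volume")
        if reasons:
            alerts.append({"ProcessId": pid, "Image": proc.get("Image", "<unknown>"),
                           "unique_sensitive_files": burst, "reasons": reasons})
    return alerts


def _ev(code, ts, pid, **fields):
    return {"EventCode": code, "UtcTime": ts, "ProcessId": pid, **fields}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    _ev(1, "2024-05-01 10:00:00", 4711, Image="C:\\Windows\\System32\\cmd.exe",
        CommandLine='cmd.exe /c del /s /q "C:\\Users\\alice\\Documents\\*"'),
] + [
    _ev(23, f"2024-05-01 10:00:{5 + i:02d}", 4711,
        TargetFilename=f"C:\\Users\\alice\\Documents\\report{i}.docx") for i in range(6)
] + [
    _ev(1, "2024-05-01 10:05:00", 5200, Image="C:\\Windows\\System32\\cipher.exe",
        CommandLine="cipher /w:C:\\"),
    _ev(11, "2024-05-01 10:05:02", 5200, TargetFilename="C:\\EFSTMPWP\\filler.0"),
    _ev(1, "2024-05-01 10:10:00", 6100, Image="C:\\Windows\\explorer.exe", CommandLine="explorer.exe"),
    _ev(23, "2024-05-01 10:10:30", 6100, TargetFilename="C:\\Users\\alice\\Documents\\old.txt"),
    _ev(23, "2024-05-01 10:11:00", 6100, TargetFilename="C:\\Users\\alice\\Documents\\old2.txt"),
    _ev(1, "2024-05-01 10:20:00", 7000, Image="C:\\Tools\\logrotate.exe", CommandLine="logrotate.exe --purge"),
] + [
    _ev(23, f"2024-05-01 10:20:{i:02d}", 7000, TargetFilename=f"C:\\Logs\\app.{i}.log") for i in range(8)
]

if __name__ == "__main__":
    for alert in detect_mass_deletion(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the cmd.exe process trips both the command-line and volume conditions, cipher.exe trips only the command-line condition (its temp-file writes land outside the sensitive paths), while the two explorer.exe deletions and the log-rotation purge outside the sensitive paths stay below the threshold. Tuning in practice is mostly a matter of the TargetFilename filter and VolumeThreshold, since backup and cleanup jobs legitimately delete many files.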


DET0249 - Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes


Analytics

AN0693

Remote/API driven creation and start of a container whose image is not on an allow-list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create ➜ start ➜ first network/process actions from that container within a short time window.

Log Sources

Data Component                     Name                 Channel
Application Log Content (DC0038)   docker:daemon        container_create, container_start
Container Start (DC0077)           containerd:runtime   CRI CreateContainer/StartContainer with privileged=true OR added capabilities OR host* namespaces
Process Creation (DC0032)          ebpf:syscalls        process execution or network connect from just-created container PID namespace
Network Traffic Content (DC0085)   docker:events        remote API calls to /containers/create or /containers/{id}/start

Mutable Elements

Field             Description
known_images      Environment-specific allow-list of approved images (with digests).
known_admins      Service accounts or CI/CD users permitted to deploy containers.
TimeWindow        Max time between create, start, and first activity to consider events causally linked (default 5m).
RiskThreshold     Minimum number of risky attributes (e.g., unknown image + privileged) to alert.
PrivilegedFlags   Set of runtime flags considered high risk (e.g., --privileged, --cap-add=SYS_ADMIN, hostPID, hostNetwork, /var/run/docker.sock mount).
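As an added example (not from the page and not the analytic's own code), the following Python scores the AN0693 behaviour chain over a constructed stream of container events: create and start are linked by container id within TimeWindow, the first exec/connect after start is picked up as the "first activity", and each risky attribute (image not on the digest-pinned allow-list or tagged latest, non-admin principal, each flag in PrivilegedFlags) adds one to a risk count that is compared against RiskThreshold. The event shape is a simplified rendering of Docker daemon events, and the allow-lists, thresholds and sample events are assumptions made for the demonstration.

```python
"""DET0249 / AN0693 style container-deployment risk scoring (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements of the analytic, with constructed values.
KNOWN_IMAGES = {  # digest-pinned allow-list; the digests are constructed placeholders
    "registry.example.internal/app/web@sha256:" + "a" * 64,
    "registry.example.internal/app/api@sha256:" + "b" * 64,
}
KNOWN_ADMINS = {"ci-deployer", "svc-argocd"}
TIME_WINDOW = timedelta(minutes=5)
RISK_THRESHOLD = 2
PRIVILEGED_FLAGS = {"privileged", "cap_add:SYS_ADMIN", "pid_mode:host", "network_mode:host",
                    "mount:/var/run/docker.sock"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def image_risk(image):
    """None for an allow-listed digest; 'image:latest' for an explicit or implicit latest
    tag; 'image:unknown' for any other tag or digest not on the allow-list."""
    if image in KNOWN_IMAGES:
        return None
    last = image.rsplit("/", 1)[-1]
    if image.endswith(":latest") or ("@sha256:" not in image and ":" not in last):
        return "image:latest"
    return "image:unknown"


def runtime_flags(attrs):
    """Normalise the create request's runtime attributes and keep those in PrivilegedFlags."""
    found = set()
    if attrs.get("privileged"):
        found.add("privileged")
    for cap in attrs.get("cap_add", []):
        found.add(f"cap_add:{cap}")
    if attrs.get("pid_mode") == "host":
        found.add("pid_mode:host")
    if attrs.get("network_mode") == "host":
        found.add("network_mode:host")
    for mount in attrs.get("mounts", []):
        found.add(f"mount:{mount}")
    return found & PRIVILEGED_FLAGS


def assess_deployments(events):
    """Link create -> start -> first activity per container inside TIME_WINDOW and alert
    when the number of risky attributes reaches RISK_THRESHOLD."""
    by_cid = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_cid[ev["container_id"]].append(ev)
    alerts = []
    for cid, evs in by_cid.items():
        create = next((e for e in evs if e["action"] == "create"), None)
        start = next((e for e in evs if e["action"] == "start"), None)
        if not create or not start:
            continue
        t_create, t_start = parse_time(create["time"]), parse_time(start["time"])
        if t_start - t_create > TIME_WINDOW:
            continue  # not considered causally linked by the analytic
        activity = next((e for e in evs if e["action"] in ("exec", "connect")
                         and parse_time(e["time"]) - t_start <= TIME_WINDOW), None)
        risks = set()
        if image_risk(create["image"]):
            risks.add(image_risk(create["image"]))
        if create["user"] not in KNOWN_ADMINS:
            risks.add("principal:non-admin")
        risks |= runtime_flags(create.get("attrs", {}))
        if len(risks) >= RISK_THRESHOLD:
            alerts.append({"container_id": cid, "user": create["user"], "image": create["image"],
                           "risks": sorted(risks),
                           "first_activity": activity["action"] if activity else None})
    return alerts


# Constructed sample events (not real daemon output).
SAMPLE_EVENTS = [
    {"time": "2024-05-01 09:00:00", "action": "create", "container_id": "c1", "user": "ci-deployer",
     "image": "registry.example.internal/app/web@sha256:" + "a" * 64, "attrs": {}},
    {"time": "2024-05-01 09:00:01", "action": "start", "container_id": "c1", "user": "ci-deployer"},
    {"time": "2024-05-01 09:00:03", "action": "connect", "container_id": "c1", "dst": "10.0.0.5:443"},
    {"time": "2024-05-01 11:30:00", "action": "create", "container_id": "c2", "user": "jdoe",
     "image": "docker.io/library/alpine:latest",
     "attrs": {"privileged": True, "mounts": ["/var/run/docker.sock"], "pid_mode": "host"}},
    {"time": "2024-05-01 11:30:02", "action": "start", "container_id": "c2", "user": "jdoe"},
    {"time": "2024-05-01 11:30:40", "action": "exec", "container_id": "c2", "cmd": "sh"},
    {"time": "2024-05-01 12:00:00", "action": "create", "container_id": "c3", "user": "svc-argocd",
     "image": "registry.example.internal/app/api:1.4.2", "attrs": {}},
    {"time": "2024-05-01 12:00:01", "action": "start", "container_id": "c3", "user": "svc-argocd"},
    {"time": "2024-05-01 13:00:00", "action": "create", "container_id": "c4", "user": "jdoe",
     "image": "nginx", "attrs": {}},
    {"time": "2024-05-01 13:20:00", "action": "start", "container_id": "c4", "user": "jdoe"},
]

if __name__ == "__main__":
    for alert in assess_deployments(SAMPLE_EVENTS):
        print(alert)
```

Only c2 alerts: an unpinned latest image, a non-admin user, --privileged, host PID namespace and a docker.sock mount give five risky attributes, with an exec as the first activity. c3 shows why the threshold matters (an unpinned but versioned tag deployed by CI is one attribute, not two), and c4 shows the time-window gate: its start arrives 20 minutes after the create, so the analytic does not treat the two as one deployment even though the attribute count would reach the threshold.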


DET0309 - Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)

Analytics

AN0862

Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.

Log Sources

Data Component                               Name                                                    Channel
Process Creation (DC0032)                    WinEventLog:Sysmon                                      EventCode=1
Driver Load (DC0079)                         WinEventLog:Sysmon                                      EventCode=6
Module Load (DC0016)                         WinEventLog:Sysmon                                      EventCode=7
File Creation (DC0039)                       WinEventLog:Sysmon                                      EventCode=11
Windows Registry Key Modification (DC0063)   WinEventLog:Sysmon                                      EventCode=13, 14
Network Connection Creation (DC0082)         WinEventLog:Sysmon                                      EventCode=3, 22
File Metadata (DC0059)                       WinEventLog:Microsoft-Windows-CodeIntegrity/Operational  Unsigned or invalid image for newly installed/updated binaries
Network Traffic Flow (DC0078)                NSM:Flow                                                First-time egress to non-approved update hosts right after install/update

Mutable Elements

Field                 Description
TimeWindow            Correlate write→first-run→egress (default 90 minutes).
ApprovedUpdateHosts   Allow-list of vendor update endpoints, enterprise proxy/cache.
ApprovedSigners       Code-signing publishers allowed for programs/services.
ProgramPaths          Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%).
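As an added example (not from the page and not the analytic's own code), the following Python walks the four AN0862 stages over constructed Sysmon-style events: (1) a process create for an installer/updater image, (2) a file write by that process under ProgramPaths, (3) the first run of the written binary, checked for a publisher outside ApprovedSigners and for script/shell children, and (4) network connections from that process tree to hosts outside ApprovedUpdateHosts, all within TimeWindow of the write. The signature lookup is modelled as a simple path-to-publisher map standing in for the CodeIntegrity/file-metadata source; installer names, shell names, paths, allow-lists, signers and sample events are constructed assumptions.

```python
"""DET0309 / AN0862 style tampered-update chain detection (added example, not from the page)."""
from datetime import datetime, timedelta

# Mutable elements of the analytic plus two constructed helper lists.
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe", "update.exe"}
SCRIPT_SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROGRAM_PATHS = ("c:\\program files\\", "c:\\programdata\\", "\\appdata\\local\\")
APPROVED_UPDATE_HOSTS = {"updates.vendor.example", "proxy-cache.corp.example"}
APPROVED_SIGNERS = {"Vendor Corp"}
TIME_WINDOW = timedelta(minutes=90)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def in_program_path(path):
    p = path.lower()
    return any(x in p for x in PROGRAM_PATHS)


def detect_tampered_update(events, signers):
    """`signers` maps a lower-cased binary path to its publisher (None when unsigned)
    and stands in for the CodeIntegrity / file-metadata log source."""
    evs = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    # Stage 1: installer/updater process creates.
    installers = {e["ProcessId"] for e in evs
                  if e["EventCode"] == 1 and basename(e["Image"]) in INSTALLER_IMAGES}
    # Stage 2: binaries those processes wrote into monitored program paths (first write wins).
    writes = {}
    for e in evs:
        if e["EventCode"] == 11 and e["ProcessId"] in installers and in_program_path(e["TargetFilename"]):
            writes.setdefault(e["TargetFilename"].lower(), parse_time(e["UtcTime"]))
    alerts, seen = [], set()
    for run in evs:
        # Stage 3: first run of a freshly written binary inside the window.
        if run["EventCode"] != 1 or run["Image"].lower() not in writes:
            continue
        path = run["Image"].lower()
        t_write, t_run = writes[path], parse_time(run["UtcTime"])
        if path in seen or not timedelta(0) <= t_run - t_write <= TIME_WINDOW:
            continue
        seen.add(path)
        anomalies = []
        if signers.get(path) not in APPROVED_SIGNERS:
            anomalies.append("unsigned_or_unapproved_signer")
        tree = {run["ProcessId"]}  # the first-run process and its descendants
        for e in evs:
            if e["EventCode"] == 1 and e.get("ParentProcessId") in tree:
                tree.add(e["ProcessId"])
                if basename(e["Image"]) in SCRIPT_SHELLS:
                    anomalies.append("spawns_shell")
        # Stage 4: egress from that tree to hosts outside the approved update endpoints.
        egress = [e["DestinationHostname"] for e in evs
                  if e["EventCode"] == 3 and e["ProcessId"] in tree
                  and e["DestinationHostname"] not in APPROVED_UPDATE_HOSTS
                  and parse_time(e["UtcTime"]) - t_write <= TIME_WINDOW]
        if anomalies and egress:
            severity = "high"
        elif anomalies or egress:
            severity = "medium"
        else:
            continue
        alerts.append({"ProcessId": run["ProcessId"], "Image": run["Image"], "severity": severity,
                       "anomalies": anomalies, "egress": egress})
    return alerts


def _ev(code, ts, pid, **fields):
    return {"EventCode": code, "UtcTime": ts, "ProcessId": pid, **fields}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Legitimate vendor update: signed binary, approved update host.
    _ev(1, "2024-05-01 09:00:00", 100, Image="C:\\Windows\\System32\\msiexec.exe"),
    _ev(11, "2024-05-01 09:00:10", 100, TargetFilename="C:\\Program Files\\Vendor\\app.exe"),
    _ev(1, "2024-05-01 09:05:00", 101, Image="C:\\Program Files\\Vendor\\app.exe", ParentProcessId=1),
    _ev(3, "2024-05-01 09:05:05", 101, DestinationHostname="updates.vendor.example"),
    # Tampered update: unsigned helper, spawns PowerShell, egress to a host not on the allow-list.
    _ev(1, "2024-05-01 10:00:00", 200, Image="C:\\Program Files\\Vendor\\update.exe"),
    _ev(11, "2024-05-01 10:00:30", 200, TargetFilename="C:\\Program Files\\Vendor\\helper.exe"),
    _ev(1, "2024-05-01 10:02:00", 201, Image="C:\\Program Files\\Vendor\\helper.exe", ParentProcessId=1),
    _ev(1, "2024-05-01 10:02:10", 202, ParentProcessId=201,
        Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    _ev(3, "2024-05-01 10:03:00", 202, DestinationHostname="cdn-mirror.example.net"),
    # Install whose first run falls outside the 90-minute window: stages are not linked.
    _ev(1, "2024-05-01 11:00:00", 300, Image="C:\\Downloads\\setup.exe"),
    _ev(11, "2024-05-01 11:00:05", 300, TargetFilename="C:\\Program Files\\Other\\tool.exe"),
    _ev(1, "2024-05-01 14:00:00", 301, Image="C:\\Program Files\\Other\\tool.exe", ParentProcessId=1),
    _ev(3, "2024-05-01 14:00:01", 301, DestinationHostname="telemetry.other.example"),
]
SAMPLE_SIGNERS = {  # constructed stand-in for CodeIntegrity / file-metadata lookups
    "c:\\program files\\vendor\\app.exe": "Vendor Corp",
    "c:\\program files\\vendor\\helper.exe": None,
    "c:\\program files\\other\\tool.exe": "Other Ltd",
}

if __name__ == "__main__":
    for alert in detect_tampered_update(SAMPLE_EVENTS, SAMPLE_SIGNERS):
        print(alert)
```

Only the helper.exe chain alerts, at high severity: it is unsigned, its first run spawns powershell.exe, and the child reaches a host outside ApprovedUpdateHosts within the window. The signed app.exe talking to the approved update host produces nothing, and tool.exe is dropped because its first run is three hours after the write. The severity split is a design choice: a signature anomaly or an unexpected egress on its own is worth a lower-priority alert, while the two together inside the window are the shape the analytic describes.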


Observed Countries (21)

AR (583)
BO (482)
BR (652)
CL (124)
CO (735)
CR (316)
CU (442)
DM (564)
EC (695)
ES (888)
GT (346)
HN (357)
HT (12)
MX (391)
NI (805)
PA (838)
PE (501)
PY (465)
SV (435)
UY (441)
VE (955)