A wave of attacks against companies in Colombia uses a trio of Remote Access Trojans (RATs) to steal confidential and sensitive data.
The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday.
In a blog post, the cybersecurity firm said that government and private entities in Colombia are the exclusive targets of the threat actors, who appear to have a particular interest in the energy and metal industries.
ESET began tracking the ongoing campaign in the second half of 2020, when at least 24 IP addresses, likely compromised devices acting as proxies for the attackers' command and control (C2) servers, were linked to a series of attacks.
To start the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The topics of these fraudulent messages range from lawsuits and court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test.
In some samples, agencies such as the Attorney General's Office and the National Tax and Customs Directorate (DIAN) were impersonated.
Every email has a .PDF file attached that links to a .RAR file. If the victim downloads the package, hosted on OneDrive, MediaFire, or other file-hosting services, an executable inside the archive triggers the malware.
Threat actors use a selection of droppers and packers to deploy Trojan payloads, all of which are intended to run a RAT by injecting it into a legitimate process.
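The delivery chain described above (PDF attachment, link to an archive on a file-hosting service, executable inside) lends itself to a simple mail-gateway triage check. The following is an added defender-side example, not code from ESET or from the article: it pulls the link annotations out of a PDF and flags any that point at an archive on a file-hosting domain. The sample PDF bytes, the hosting-domain list and the archive extensions are constructed assumptions for illustration; the regex only sees uncompressed `/URI` entries, so a production check should run over a real PDF parser's output.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF fragment with two link
# annotations. The file names and paths are made up for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.mediafire.com/file/abc123/Citacion_Juzgado.rar) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.org/terms.html) >> >> endobj
%%EOF
"""

# Assumed watch-list of file-hosting domains; extend with whatever your
# organisation considers untrusted for inbound document links.
FILE_HOSTS = {"onedrive.live.com", "1drv.ms", "mediafire.com"}
# Archive extensions that commonly wrap a dropper executable.
ARCHIVE_EXT = (".rar", ".zip", ".7z")

# Matches the literal-string form of a URI action: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")


def extract_uris(pdf_bytes):
    """Return every URI string found in uncompressed link annotations."""
    return [m.decode("latin-1", "replace") for m in URI_RE.findall(pdf_bytes)]


def classify(url):
    """Return the list of reasons a link is suspicious (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host in FILE_HOSTS or any(host.endswith("." + h) for h in FILE_HOSTS):
        reasons.append("file-hosting domain")
    if path.endswith(ARCHIVE_EXT):
        reasons.append("archive download")
    return reasons


def triage_pdf(pdf_bytes):
    """List (url, reasons) for each link in the PDF worth an analyst's look."""
    findings = []
    for url in extract_uris(pdf_bytes):
        reasons = classify(url)
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in triage_pdf(SAMPLE_PDF):
        print(f"{url}: {', '.join(reasons)}")
```

A link that hits both heuristics (hosting domain plus archive extension) is a much stronger signal than either alone, which is why the function reports the reasons rather than a single boolean; the second sample link, a plain HTML page on an unrelated domain, produces no finding.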
All three payloads are commercially available and have not been developed in-house by cyber attackers.
The first is Remcos, malware available on underground forums for as little as $58. The second RAT is njRAT, a Trojan recently seen in campaigns using Pastebin as an alternative to C2 frameworks, and the third is AsyncRAT, an open-source remote administration tool.
"There is no one-to-one relationship between droppers and payloads, as we have seen different types of droppers running the same payload and also a single type of dropper connected to different payloads," notes ESET. "However, we can say that the NSIS droppers mostly drop Remcos, while the Agent Tesla and AutoIt packers normally drop njRAT."
RATs can provide remote access control to threat actors and also contain modules for keylogging, screen capture, clipboard content collection, data exfiltration, and additional malware download and execution, among other functions.
According to ESET, there are no concrete clues for attribution; however, there are some overlaps with APT-C-36, also known as Blind Eagle. This APT was connected to attacks in 2019 against Colombian entities in order to steal sensitive information.
The attacker's use of dynamic DNS services means that the campaign infrastructure is also constantly changing, with new domain names being registered for use against Colombian companies on a regular basis.
ESET also pointed to links with research published by Trend Micro in 2019. The phishing tactics are similar, but while the Trend Micro report describes espionage and possibly the targeting of financial accounts, ESET has not detected any payloads used for anything beyond cyber espionage. However, the company acknowledges that some of the current campaign's targets, including a lottery agency, do not seem to make sense for espionage activities alone.
The cybersecurity firm added that, given the large and changing infrastructure of this campaign, these attacks should be expected to continue in the region for the foreseeable future.