Researchers at the cybersecurity company ESET have uncovered a cybercriminal campaign in which attackers target the energy and metallurgical industries in Colombia. These are not the only targets: the same attackers also carry out cyberattacks on government and private organizations across Colombia.
ESET researchers began tracking the malicious campaign, named Operation Spalax and still ongoing, in the second half of 2020, when they linked at least 24 IP addresses to a wave of attacks against Colombian businesses. These IP addresses most likely belong to compromised devices that the attackers use as proxies for their C&C servers.

“The attack on the target organization begins in the traditional way – by sending it a phishing email. The subject lines of the letters range from subpoenas to blocking bank accounts and requests to pass a mandatory coronavirus test. In some cases, letters were sent on behalf of the Attorney General’s Office or the National Directorate of Taxes and Customs,” ESET experts say.
The emails contain a PDF file with a link to a RAR archive. If the victim downloads the archive, hosted on OneDrive, MediaFire, or another cloud storage service, the file it contains launches the malware. To deploy it, the attackers use a large arsenal of downloaders and packers that execute a Remote Access Trojan (RAT) by injecting it into a legitimate process.
“In total, the malicious campaign uses three RAT Trojans. They are all sold on the black market and were not created by the organizers of Operation Spalax,” ESET said.
The first Trojan, Remcos, can be purchased from a cybercrime forum for as little as $58.
The second, njRAT, is known for using Pastebin instead of its own C&C infrastructure. The third is the open-source remote administration tool AsyncRAT. The researchers did not identify a strict pairing between downloaders and RATs, but noted that the NSIS downloaders most often deliver Remcos, while the Agent Tesla and AutoIt packers deliver njRAT.
The researchers also did not find enough evidence to attribute the campaign. However, they found some overlaps with the APT-C-36 group, also known as Blind Eagle, which in 2019 carried out cyberattacks against Colombian organizations in order to steal confidential information.
Recall that cybercriminals have used the popular Orcus and Revenge RATs to attack government organizations, and that attackers have combined the Zerologon flaw with VPN vulnerabilities to break into government networks.