Experts Uncover Malware Attacks Against Colombian Government and Companies

Cybersecurity researchers have disclosed an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries.

In a report published by ESET on Tuesday, the Slovak internet security company said the attacks, dubbed “Operation Spalax”, began in 2020, with a modus operandi that shares some similarities with an APT group that has been targeting the country since at least April 2018, but also differs in other ways.

The overlaps appear in the type of phishing emails, which have similar subjects and pretend to come from some of the same entities that were used in a February 2019 operation disclosed by QiAnXin researchers, and in the subdomain names used for command-and-control (C2) servers.

However, the two campaigns diverge in the attachments used for the phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure used to fetch the dropped malware.

The attack chain begins with the targets receiving phishing emails that lead to the download of malicious files, which are RAR archives hosted on OneDrive or MediaFire containing various droppers responsible for decrypting and running RATs such as Remcos, njRAT, and AsyncRAT on the victim's computer.

The phishing emails cover a wide range of subjects, including ones about driving infractions, attending court hearings, and taking mandatory COVID-19 tests, thereby increasing the likelihood that unsuspecting recipients will open the messages.

In an alternative scenario observed by ESET, the attackers were also seen using heavily obfuscated AutoIt droppers that used shellcode to decrypt the payload and a further piece of shellcode to inject it into an already running process.

The RATs not only come with capabilities for remote control but also spy on targets by capturing keystrokes, recording screenshots, stealing clipboard data, exfiltrating sensitive files, and even downloading and executing other malware.

ESET’s analysis also uncovered a scalable C2 architecture operated using a Dynamic DNS service that allowed the attackers to dynamically assign a domain name to an IP address from a pool of 70 different domain names and 24 IP addresses in the second half of 2020 alone.
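The pool pattern described above (many domains rotating through a small, shared set of IP addresses) is something a defender can hunt for in passive-DNS or resolver logs. The following added example is not ESET's code and does not use any indicator from the report; the domains, IP addresses (RFC 5737 documentation ranges) and log lines are constructed. It clusters resolutions into connected components of the domain-to-IP graph and reports components where several domains share several IPs, which is the shape a dynamic-DNS C2 pool leaves behind, while ordinary one-domain, one-IP hosting is filtered out.

```python
"""Cluster passive-DNS resolutions to surface shared, fast-changing
C2 infrastructure. Constructed example, not ESET's code; all
domains and IPs below are made up (.invalid TLD, RFC 5737 ranges)."""
from collections import defaultdict

# Constructed sample log, one resolution per line: "<timestamp> <domain> <ip>".
SAMPLE_DNS_LOG = """\
2020-07-01T08:00:00Z upd-srv1.example-ddns.invalid 192.0.2.10
2020-07-01T09:30:00Z upd-srv2.example-ddns.invalid 192.0.2.10
2020-07-02T10:15:00Z upd-srv1.example-ddns.invalid 192.0.2.11
2020-07-02T11:00:00Z upd-srv3.example-ddns.invalid 192.0.2.11
2020-07-03T12:00:00Z upd-srv2.example-ddns.invalid 192.0.2.12
2020-07-03T13:45:00Z upd-srv3.example-ddns.invalid 192.0.2.10
2020-07-03T14:00:00Z www.legit-site.invalid 198.51.100.5
2020-07-04T09:00:00Z www.legit-site.invalid 198.51.100.5
"""


def parse_dns_log(text):
    """Parse the three-column log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, domain, ip = parts
        records.append({"ts": ts, "domain": domain.lower().rstrip("."), "ip": ip})
    return records


def ip_churn(records):
    """Number of distinct IPs each domain has resolved to (rotation indicator)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["domain"]].add(r["ip"])
    return {d: len(ips) for d, ips in seen.items()}


def find_infrastructure_clusters(records, min_domains=2, min_ips=2):
    """Connected components of the bipartite domain<->IP graph.

    A component in which several domains rotate through several shared
    IPs matches the dynamic-DNS pool pattern; components that are a
    single domain on a single IP (ordinary hosting) are dropped.
    """
    adj = defaultdict(set)  # node -> neighbours; nodes are ("d", name) / ("i", addr)
    for r in records:
        d, i = ("d", r["domain"]), ("i", r["ip"])
        adj[d].add(i)
        adj[i].add(d)

    seen, clusters = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:  # iterative DFS over the component
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        domains = sorted(x for kind, x in comp if kind == "d")
        ips = sorted(x for kind, x in comp if kind == "i")
        if len(domains) >= min_domains and len(ips) >= min_ips:
            clusters.append({"domains": domains, "ips": ips})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"][0]))
    return clusters


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    churn = ip_churn(recs)
    for c in find_infrastructure_clusters(recs):
        print(f"{len(c['domains'])} domains share {len(c['ips'])} IPs:")
        for d in c["domains"]:
            print(f"  {d} (resolved to {churn[d]} distinct IPs)")
```

On real data the thresholds should be raised well above 2 and the output joined with hosting context (shared CDN or cloud front-ends legitimately produce many-to-many mappings), but the structural signal is the same one the report describes: a pool of domains and addresses reassigned to each other over time.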

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” the researchers concluded. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”
