Researchers at ESET have revealed a new campaign which has been dubbed Operation Spalax, which is targeting government and private entities in Columbia. The campaign’s main focus is to steal confidential and sensitive data through the use of three different Remote Access Trojans (RATs). The threat actors behind the attack appear to have a specific interest in the energy and metallurgical industries. The attacks have been ongoing since the second half of 2020 and were discovered when at least 24 IP addresses were linked to a spate of attacks. The infections begin with phishing emails that use lures ranging from mandated court appearances, credit freezes, and mandatory COVID-19 testing. Each email has a .PDF file attachment that contains an internal link to a .RAR file. If downloaded, an executable file located on OneDrive, MediaFire, and other hosting services triggers the malware download. Trojan payloads evade detection by anti-virus using droppers and packers and are injected into legitimate processes. All of the RATs were not developed by the threat actors and could be purchased on underground forums. The RATs provide the attackers with remote access, keylogging, screen capture, clipboard content harvesting, data exfiltration, and the ability to download and execute additional malware.
The attackers use dynamic DNS, which means that the infrastructure is constantly changing with domains quickly resolving to new IP addresses and new domains being registered for use against Columbian companies. No specific attribution has been made to the attack but researchers at ESET stated they saw overlaps to APTC36, which was connected to attacks in 2019 targeting Columbian entities. Employee training is crucial in instances such as these attacks where the initial attack begins with a phishing campaign. Companies should also utilize a service such as Binary Defense’s Managed Detection and Response service to monitor endpoints for any abnormal activity and identify attacks early before they can cause damage.
More can be read here: https://www.zdnet.com/article/colombian-energy-metal-firms-under-fire-from-new-trojan-attack-wave/