Researchers at ESET have revealed a new campaign, dubbed Operation Spalax, that is targeting government and private entities in Colombia. The campaign's main focus is to steal confidential and sensitive data through the use of three different Remote Access Trojans (RATs). The threat actors behind the attacks appear to have a specific interest in the energy and metallurgical industries. The attacks have been ongoing since the second half of 2020 and were discovered when at least 24 IP addresses were linked to a spate of attacks. The infections begin with phishing emails that use lures ranging from mandated court appearances and credit freezes to mandatory COVID-19 testing. Each email carries a .PDF attachment containing a link to a .RAR file. If the archive is downloaded, an executable hosted on OneDrive, MediaFire, or another file-hosting service triggers the malware download. The Trojan payloads evade anti-virus detection through the use of droppers and packers and are injected into legitimate processes. None of the RATs were developed by the threat actors themselves; all of them can be purchased on underground forums. The RATs provide the attackers with remote access, keylogging, screen capture, clipboard content harvesting, data exfiltration, and the ability to download and execute additional malware.
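The infection chain above (PDF attachment whose link fetches a .RAR from a consumer file-hosting service) lends itself to a simple mail-gateway triage check. The script below is an added defender-side example, not code from ESET's or Binary Defense's write-up; the file-hosting domain list and the minimal sample PDF are constructed for the demonstration, and it assumes uncompressed link annotations (real PDFs should be decompressed with a PDF library first).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed list of file-hosting domains named in the campaign summary (extend for production use).
FILE_HOSTS = {"onedrive.live.com", "1drv.ms", "mediafire.com", "www.mediafire.com"}
ARCHIVE_EXTS = (".rar", ".zip", ".7z")

# Matches "/URI (http://...)" entries of PDF link annotations in uncompressed objects.
# Escaped parentheses inside PDF strings are not handled; this is a triage heuristic.
URI_RE = re.compile(rb"/URI\s*\(\s*([^)]+?)\s*\)")


def extract_pdf_uris(pdf_bytes: bytes) -> List[str]:
    """Return every external URI found in /URI action dictionaries of a raw PDF."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def classify_link(url: str) -> Optional[str]:
    """Return a reason string when the link matches the campaign's delivery pattern, else None.

    Shortened or ID-based hosting links carry no file name, so a bare file-hosting
    link is still reported (at lower confidence) rather than silently passed."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in FILE_HOSTS:
        return None
    if parsed.path.lower().endswith(ARCHIVE_EXTS):
        return "archive download from file-hosting service"
    return "link to file-hosting service"


def triage_pdf(pdf_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (url, reason) pairs for links in the PDF worth an analyst's review."""
    results = []
    for url in extract_pdf_uris(pdf_bytes):
        reason = classify_link(url)
        if reason is not None:
            results.append((url, reason))
    return results


# Constructed sample: a minimal PDF with one archive link and one benign link (not a real lure).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://www.mediafire.com/file/EXAMPLE/citacion.rar) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (https://www.example.gov/info.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for url, reason in triage_pdf(SAMPLE_PDF):
        print(f"{reason}: {url}")
```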
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense