Proyecto RAT Found Targeting Colombian Entities

Colombian healthcare and financial institutions, as well as government entities, were the primary targets of a recently discovered spam campaign. The campaign deploys malware named Proyecto RAT, written in Visual Basic 6. Potential victims received emails with malicious RTF files attached. Some of the emails stated “Hemos iniciado un proceso en su contra por violencia laboral.” (loosely translates to “We have filed a lawsuit against you for workplace violence.”), “Se hara efectivo un embargo a su(s) cuenta(s) Bancarias.” (loosely translates to “Your banking accounts are going to be blocked.”), or “Almacenes exito te obsequia una tarjeta regalo virtual por valor de $500.000.” (loosely translates to “Exito shops offer you a virtual gift worth $500.000.”).

Once enabled, macros contained in the attached files downloaded the malware. Imminent Monitor was used as the main payload, which in turn downloaded and executed the Proyecto RAT payload. The attackers used a C2 URL from YOPmail as their command-and-control server.

Proyecto RAT shares similarities with the known Xpert RAT. The researchers commented: “Seeing the many features of the malware, we tried to match it to a known RAT. The communication between client and server is via TCP, is unencrypted, and uses pipe ‘|’ characters and ‘¡@#@!’ as a separator. This description fits quite well with Xpert RAT. Searching for the x86 hex string from cTimer class also leads to links with Xpert RAT.”

While the campaign predominantly targeted Colombian operations, other countries in South America, the United States, a small number of European countries, and Australia could have been affected as well.
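As an added example (not code from the original report or the researchers), the following Python check can be run over captured TCP payloads to flag unencrypted traffic that uses the ‘¡@#@!’ record separator and ‘|’ field separator quoted above. The report does not state how ‘¡’ is encoded on the wire, so both its UTF-8 and Latin-1 encodings are matched; the field layout inside each record and the sample payload are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# The separator the researchers describe, in both plausible byte encodings.
# UTF-8 is tried first because its encoding (C2 A1 40 23 40 21) contains the
# Latin-1 encoding (A1 40 23 40 21) as a suffix and would otherwise be
# mis-classified as Latin-1.
RECORD_SEPARATORS = [
    ("utf-8", "¡@#@!".encode("utf-8")),
    ("latin-1", "¡@#@!".encode("latin-1")),
]
FIELD_SEPARATOR = "|"


@dataclass
class C2Hit:
    encoding: str                 # which encoding of '¡' matched
    records: List[List[str]]      # each record split on '|'


def inspect_payload(payload: bytes) -> Optional[C2Hit]:
    """Return a C2Hit when the payload looks like Xpert/Proyecto RAT style
    traffic: records delimited by '¡@#@!', fields delimited by '|'.
    Returns None for payloads that do not fit that shape."""
    for enc_name, sep in RECORD_SEPARATORS:
        if sep not in payload:
            continue
        chunks = [c for c in payload.split(sep) if c]
        records = [c.decode(enc_name, errors="replace").split(FIELD_SEPARATOR)
                   for c in chunks]
        # Require at least one pipe-delimited record so a lone '¡@#@!' inside
        # unrelated text (an email body, a web page) is not flagged.
        if any(len(fields) > 1 for fields in records):
            return C2Hit(encoding=enc_name, records=records)
    return None


# Constructed sample payload (Latin-1 separator); the field contents are
# invented and are not the malware's real message format.
SAMPLE_PAYLOAD = b"\xa1@#@!".join([b"ping|HOST-EXAMPLE|user1", b"pong|ok"])

if __name__ == "__main__":
    hit = inspect_payload(SAMPLE_PAYLOAD)
    print(hit)  # C2Hit(encoding='latin-1', records=[['ping', 'HOST-EXAMPLE', 'user1'], ['pong', 'ok']])
```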

Analyst Notes

Since the main method of delivery is through spam emails, users should be cautious when receiving any email from an unverified sender that entices them to open the attachment. If emails of this nature are received, users should not open the attachment before validating the source.