Experts Uncover Malware Attacks Against Colombian Government and Companies
Cybersecurity researchers took the wrapper from an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries.
In a report published by ESET on Tuesday, the Slovak internet security firm said the attack — dubbed “Operation Spalax” — began in 2020, with the modus operandi sharing some similarities with the APT group targeting the country since at least April 2018, but also different from another way.
The overlap comes in the form of a phishing email, which is of a similar topic and pretends to be from some of the same entities used in the February 2019 operation that QiAnXin researchers disclosed, and the name of the subdomain used for the command and control (C2) server.
However, two campaigns straying in the attachments used for phishing emails, the remote access trojan (RAT) being used, and the C2 infrastructure used to retrieve the malware have been removed.
The chain of attacks begins with the target receiving phishing emails leading to malicious file downloads, i.e. RAR archives hosted on OneDrive or MediaFire containing various droppers that are responsible for decrypting and running RATs such as Remcos, njRAT, and AsyncRAT on the victim’s computer.
Phishing emails cover a wide range of topics, including about driving offenses, attending court hearings and taking the mandatory COVID-19 test, increasing the likelihood that unsuspecting users will open the message.
In the alternative scenario ESET observes, attackers are also found to be using a highly obfuscated AutoIt dropper that uses a shellcode to decrypt the payload and another to inject it into an already running process.
RAT is not only equipped with the ability for remote control but also to spy on targets by capturing keystrokes, recording screenshots, stealing clipboard data, extracting sensitive documents, and even downloading and running other malware.
ESET’s analysis also revealed a scalable C2 architecture that operates using a Dynamic DNS service which allows them to dynamically assign domain names to IP addresses from a pool of 70 different domain names and 24 IP addresses in the second half of 2020 alone.
“Targeted malware attacks against Colombian entities have intensified since the campaign described last year,” the researchers concluded. “The landscape has changed from a campaign having multiple C2 servers and domain names to a campaign with a huge, fast-changing infrastructure with hundreds of domain names in use since 2019.”
read more :