Security researchers have discovered an ongoing surveillance campaign targeting Colombian government institutions and private companies in the energy and metallurgical industries.
ESET, the Slovak internet security company, has published a report on the attacks, which it dubbed "Operation Spalax". The campaign started in 2020, and its modus operandi has similarities to that of an APT group that has targeted the country since at least April 2018, but it also differs in other ways.
The overlaps come in the form of phishing emails that use similar topics and pretend to come from some of the same entities impersonated in a February 2019 operation disclosed by QiAnXin researchers, as well as subdomain names used for command-and-control (C2) servers.
However, the two campaigns differ in the attachments used in the phishing emails, the remote access trojans (RATs) deployed, and the infrastructure employed to fetch the dropped malware.
The targets receive phishing emails that lead to the download of malicious files: RAR archives hosted on OneDrive or MediaFire that contain various droppers responsible for decrypting and running RATs such as Remcos, njRAT and AsyncRAT on the victim's computer.
The phishing emails use a variety of lures, such as notices of driving infractions, summonses to court hearings, and requests to take mandatory COVID-19 tests, so an unsuspecting user is likely to open the messages.
ESET also found an alternative scenario in which the threat actors used heavily obfuscated AutoIt droppers: one piece of shellcode decrypts the payload and another injects it into an already running process.
The RATs provide remote control and also spy on targets by capturing keystrokes, recording screenshots, stealing clipboard data, exfiltrating sensitive documents, and even downloading and executing other malware.
A scalable C2 architecture was also discovered. It is operated through a Dynamic DNS service that lets the attackers re-point a domain name to a different IP address at will; in the second half of 2020 alone, the researchers observed a pool of 70 different domain names and 24 IP addresses.
The researchers concluded that the targeted malware attacks against Colombian entities have been scaled up since the campaigns described last year. The landscape has changed from a campaign with a handful of C2 servers and domain names to one with a very large and fast-changing infrastructure, with hundreds of domain names used since 2019.
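The many-domains-over-few-addresses pattern described above is something a defender can look for in their own DNS resolver logs. The script below is an added example written for this page, not ESET's tooling and not derived from the report's indicators: the log format, the list of dynamic DNS providers, and every host name and IP address in the sample (RFC 5737 documentation ranges) are assumptions constructed for illustration. It flags queries for hosts under dynamic DNS providers, groups resolutions by answer address to find several distinct names pointing at the same server, and records names whose answer changes over the window, which is what Dynamic DNS rotation looks like from the victim's side.

```python
"""Spot dynamic-DNS C2 rotation in DNS resolver logs (illustrative example).

Two heuristics, both assumptions of this example rather than rules taken
from the ESET report:
  * a query for a host under a dynamic DNS provider is worth a look by
    itself, because such names cost nothing and can be re-pointed at will;
  * several distinct host names resolving to the same address (one name
    per RAT build, all pointing at the same server), or one name whose
    answer changes over time, is the "pool of domains over a small set
    of addresses" pattern.
"""
import re
from collections import defaultdict

# Assumed list of dynamic DNS parent domains; adjust for your environment.
DYNDNS_PROVIDERS = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org"}

# Assumed resolver log format: "<timestamp> client <ip> query <name> answer <ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+) query (?P<qname>\S+) answer (?P<ip>[\d.]+)$"
)

# Constructed sample log. Host names and addresses are invented; the
# lure-themed labels only echo the topics mentioned in the article.
SAMPLE_LOG = """\
2020-09-14T08:01:02Z client 10.20.1.15 query aviso-comparendo.duckdns.org answer 203.0.113.10
2020-09-14T08:01:05Z client 10.20.1.15 query www.example.com answer 198.51.100.7
2020-09-14T09:12:44Z client 10.20.1.31 query citacion-judicial.duckdns.org answer 203.0.113.10
2020-09-14T09:40:10Z client 10.20.1.31 query sw-update.ddns.net answer 203.0.113.10
2020-09-14T10:02:19Z client 10.20.2.8 query mail.example.com answer 198.51.100.8
2020-09-14T11:17:55Z client 10.20.2.8 query prueba-covid.hopto.org answer 203.0.113.22
2020-09-15T08:03:30Z client 10.20.1.15 query aviso-comparendo.duckdns.org answer 203.0.113.22
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parent_domain(qname):
    """Registrable parent (last two labels) of a host name, lower-cased."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_dyndns(qname):
    return parent_domain(qname) in DYNDNS_PROVIDERS


def analyze(log_text, min_names_per_ip=2):
    """Build a report of dynamic-DNS names, shared answer IPs, rotating names
    and the internal clients that touched any flagged name."""
    names_by_ip = defaultdict(set)
    ips_by_name = defaultdict(set)
    clients_by_name = defaultdict(set)
    dyndns_names = set()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines in an unexpected format
            continue
        qname = rec["qname"].lower().rstrip(".")
        names_by_ip[rec["ip"]].add(qname)
        ips_by_name[qname].add(rec["ip"])
        clients_by_name[qname].add(rec["client"])
        if is_dyndns(qname):
            dyndns_names.add(qname)

    # Several names resolving to one address: one server behind many names.
    shared_ips = {ip: sorted(names) for ip, names in names_by_ip.items()
                  if len(names) >= min_names_per_ip}
    # One name resolving to several addresses over the window: re-pointed record.
    rotating = {name: sorted(ips) for name, ips in ips_by_name.items()
                if len(ips) >= 2}

    flagged = set(dyndns_names) | set(rotating)
    for names in shared_ips.values():
        flagged.update(names)
    clients = set()
    for name in flagged:
        clients.update(clients_by_name[name])

    return {
        "dyndns_names": sorted(dyndns_names),
        "shared_ips": shared_ips,
        "rotating_names": rotating,
        "flagged_clients": sorted(clients),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("dynamic DNS names:", report["dyndns_names"])
    for ip, names in report["shared_ips"].items():
        print(f"{ip} answers {len(names)} names: {', '.join(names)}")
    for name, ips in report["rotating_names"].items():
        print(f"{name} re-pointed across: {', '.join(ips)}")
    print("clients to triage:", report["flagged_clients"])
```

The thresholds are deliberately low for the tiny sample; on production logs raise `min_names_per_ip` and restrict the window to a day or two, otherwise shared hosting and CDN front ends will dominate the shared-IP list. Dynamic DNS alone is not proof of compromise, so the output is a triage queue for the clients listed, not a verdict.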
Image credits: ESET