Operation Spalax: Targeted malware attacks in Colombia
ESET researchers uncover attacks targeting Colombian government institutions and private companies, especially from the energy and metallurgical industries
In 2020 ESET saw several attacks targeting Colombian entities exclusively. These attacks are still ongoing at the time of writing and are focused on both government institutions and private companies. For the latter, the most targeted sectors are energy and metallurgical. The attackers rely on the use of remote access trojans, most likely to spy on their victims. They have a large network infrastructure for command and control: ESET observed at least 24 different IP addresses in use in the second half of 2020. These are probably compromised devices that act as proxies for their C&C servers. This, combined with the use of dynamic DNS services, means that their infrastructure never stays still. We have seen at least 70 domain names active in this timeframe and they register new ones on a regular basis.
The attackers
The attacks we saw in 2020
share some TTPs with previous reports about groups targeting Colombia, but also
differ in many ways, thus making attribution difficult.
One of those reports was published in February 2019 by QiAnXin researchers. The operations described in that blogpost are connected to an APT group active since at least April 2018. We have found some similarities between those attacks and the ones that we describe in this article:
· We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
· Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
· The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
· Some of the C&C servers in Operation Spalax use linkpc.net and publicvm.com subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.
However, there are
differences in the attachments used for phishing emails, the remote access
trojans (RATs) used and in most of the operator’s C&C infrastructure.
There is also this
report from Trend Micro, from July
2019. There are similarities between the phishing emails and parts of the
network infrastructure in that campaign and the one we describe here. The
attacks described in that article were connected to cybercrime, not espionage. While
we have not seen any payload delivered by the attackers other than RATs, some
of the targets in the current campaign (such as a lottery agency) don’t make
much sense for spying activities.
These threat actors show
perfect usage of the Spanish language in the emails they send, they only target
Colombian entities, and they use premade malware and don’t develop any
themselves.
Attack overview
Targets are approached with
emails that lead to the download of malicious files. In most cases, these
emails have a PDF document attached, which contains a link that the user must
click to download the malware. The downloaded files are regular RAR archives
that have an executable file inside. These archives are hosted in legitimate
file hosting services such as OneDrive or MediaFire. The target has to manually
extract the file and execute it for the malware to run.
We’ve found a variety of
packers used for these executables, but their purpose is always to have a
remote access trojan running on the victimized computer, usually by decrypting
the payload and injecting it into legitimate processes. An overview of a
typical attack is shown in Figure 1. We have seen the attackers use three
different RATs: Remcos, njRAT and AsyncRAT.
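The delivery chain and C&C pattern described above (a RAR archive fetched from OneDrive or MediaFire, followed by the RAT resolving linkpc.net or publicvm.com subdomains) can be turned into a simple hunting query over network logs. The script below is an added example written for this article, not ESET's code or tooling. It assumes DNS logs of the form `timestamp client qname` and web-proxy logs of the form `timestamp client method url status`; every log line, hostname, IP address and path in it is constructed and is not a real indicator. The `correlate` function flags a client only when an archive download from one of the named file hosts is followed by resolution of a dynamic DNS subdomain, which matches the order of events in a typical attack.

```python
"""Detection sketch for the Operation Spalax delivery chain and C&C pattern.

Added example, not ESET's code. Assumed log formats:
  DNS:   'timestamp client qname'
  proxy: 'timestamp client method url status'
All sample lines below are constructed; none are real indicators.
"""
import re

# Dynamic DNS parents the report names for the C&C subdomains.
DYNDNS_PARENTS = {"linkpc.net", "publicvm.com"}
# File-hosting services the report names for the RAR archives
# (assumption: matched as substrings of the URL host).
FILE_HOST_KEYWORDS = ("onedrive", "mediafire")
# The report describes the downloaded files as regular RAR archives.
ARCHIVE_RE = re.compile(r"\.rar(?:[?#]|$)", re.IGNORECASE)

# Constructed sample logs (hosts, IPs and paths are made up).
DNS_LOG = """\
2020-11-03T09:08:00 10.0.5.90 linkpc.net
2020-11-03T09:12:41 10.0.5.23 example-a.linkpc.net
2020-11-03T09:12:55 10.0.5.23 example-b.publicvm.com
2020-11-03T09:13:02 10.0.5.40 www.example.org
2020-11-03T09:13:30 10.0.5.77 example-c.linkpc.net
"""
PROXY_LOG = """\
2020-11-03T09:10:02 10.0.5.23 GET https://www.mediafire.com/file/k1x9q2/Notificacion.rar 200
2020-11-03T09:11:30 10.0.5.40 GET https://www.example.org/index.html 200
2020-11-03T09:11:45 10.0.5.77 GET https://onedrive.live.com/download?resid=ABC123/Informe.pdf 200
"""


def registered_domain(hostname):
    """Last two labels of a hostname ('x.linkpc.net' -> 'linkpc.net').
    Enough for the two-label parents above; a real deployment would use a
    public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_host(url):
    """Lower-cased host part of an http(s) URL, or '' if it does not parse."""
    m = re.match(r"^https?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse_dns_log(text):
    """Yield (timestamp, client, qname) from the assumed DNS log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower()


def parse_proxy_log(text):
    """Yield (timestamp, client, method, url, status) from the assumed proxy format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield tuple(parts)


def find_dyndns_c2(dns_log):
    """Clients resolving subdomains under the dynamic DNS parents.
    Returns {client: sorted qnames}. The bare parent itself is ignored,
    since only the subdomains are attacker-registered."""
    hits = {}
    for _ts, client, qname in parse_dns_log(dns_log):
        if registered_domain(qname) in DYNDNS_PARENTS and qname not in DYNDNS_PARENTS:
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(names) for client, names in hits.items()}


def find_archive_downloads(proxy_log):
    """(timestamp, client, url) for RAR downloads from the named file hosts."""
    found = []
    for ts, client, method, url, _status in parse_proxy_log(proxy_log):
        host = url_host(url)
        if method == "GET" and any(k in host for k in FILE_HOST_KEYWORDS) and ARCHIVE_RE.search(url):
            found.append((ts, client, url))
    return found


def correlate(dns_log, proxy_log):
    """Clients whose archive download precedes their first dynamic DNS C&C
    lookup, i.e. the chain in the report: archive from a file host, then the
    RAT beaconing. Returns {client: {"download": url, "c2": [qnames]}}."""
    first_c2 = {}
    for ts, client, qname in parse_dns_log(dns_log):
        if registered_domain(qname) in DYNDNS_PARENTS and qname not in DYNDNS_PARENTS:
            first_c2[client] = min(first_c2.get(client, ts), ts)  # ISO timestamps sort as strings
    c2_names = find_dyndns_c2(dns_log)
    result = {}
    for ts, client, url in find_archive_downloads(proxy_log):
        if client in first_c2 and ts < first_c2[client] and client not in result:
            result[client] = {"download": url, "c2": c2_names[client]}
    return result


if __name__ == "__main__":
    for client, info in correlate(DNS_LOG, PROXY_LOG).items():
        print(client, info["download"], "->", ", ".join(info["c2"]))
```

On the constructed logs only 10.0.5.23 is reported: 10.0.5.77 resolves a linkpc.net subdomain but its OneDrive request is a PDF, not an archive, and 10.0.5.90 only resolves the parent domain. The extension check is deliberately narrow because the report describes plain RAR archives; since file-hosting download URLs often omit the filename, a production version should also key on the response Content-Type or the file written to disk, and the dynamic DNS lookups are worth alerting on by themselves given how frequently the operators rotate domains.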
Read the full article on https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/