Cyber security researchers have put an end to an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgy sectors.
In a report released by ESET on Tuesday, the Slovakian internet security company said the attacks – dubbed “Operation Spalax” – began in 2020, with the modus operandi sharing some similarities with an APT group targeting the country since at least April 2018, but also different in other respects.
The overlaps come in the form of phishing emails, which have similar subjects and claim to be from some of the same entities that were used in a February 2019 operation disclosed by QiAnXin researchers, and sub names. -domain used for command and control (C2) servers.
However, the two campaigns differ when it comes to the attachments used for phishing emails, the Remote Access Trojans (RATs) deployed, and the C2 infrastructure used to retrieve the removed malware.
The attack chain begins with the targets receiving phishing emails that lead to the download of malicious files, which are RAR archives hosted on OneDrive or MediaFire containing various droppers responsible for decrypting and executing RATs such as Remcos , njRAT and AsyncRAT on a victim computer.
Phishing emails cover a wide range of topics, including those about driving offenses, attend court hearings, and pass mandatory COVID-19 tests, increasing the likelihood of unsuspecting users opening the messages.
In another scenario observed by ESET, attackers also used heavily obfuscated AutoIt droppers which used one shellcode to decrypt the payload and another to inject it into an already running process.
RATs not only come with remote control capabilities, but also spy on targets by capturing keystrokes, recording screenshots, stealing data from the clipboard, exfiltrating sensitive documents and even while downloading and running other malware.
ESET’s analysis also revealed a scalable C2 architecture operated using a dynamic DNS service that allowed them to dynamically assign a domain name to an IP address from a pool of 70 domain names. different domain and 24 IP addresses in the second half of 2020 alone.
“Targeted malware attacks against Colombian entities have intensified since the campaigns described last year,” the researchers concluded. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with a very large and rapidly evolving infrastructure with hundreds of domain names in use since 2019.”