A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a variety of commodity remote access trojans (RATs) and geolocation filtering to evade detection, according to new research.
Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected South American espionage group that has been active since at least 2018 and was previously known for targeting Colombian government institutions and corporations in the financial, petroleum, and manufacturing sectors.
Spread primarily through fraudulent emails that masquerade as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain begins when recipients open a decoy PDF or Word document claiming to be a seizure order tied to their bank accounts and click a link generated with a URL shortener service such as cort.as, acortaurl.com, or gtly.to.
"These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website," Trend Micro researchers detailed in a report published last week. "The URL shorteners also have the ability to detect the major VPN services, in which case the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link."
If the victim meets the location criteria, the user is redirected to a file hosting server and a password-protected archive is downloaded automatically; the password is given in the email or the attachment. Opening it ultimately leads to the execution of a C++-based remote access trojan called BitRAT, which first came to light in August 2020.
A number of verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been affected, with the majority of targets in the latest campaign located in Colombia and a smaller fraction in Ecuador, Spain, and Panama.
"APT-C-36 selects their targets based on location and most likely the financial status of the email recipient," the researchers said. "These, and the prevalence of the emails, lead us to conclude that the threat actor's final goal is financial gain rather than espionage."
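The lure pattern described above (a seizure-order pretext, a link through one of the named shortener services, and the archive password handed over in the message body) can be turned into a mail-gateway triage rule. The following is an added example written for this article, not code from Trend Micro or the report; the keyword lists, the scoring weights, and the two sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Shortener services named in the report (not a complete blocklist).
SHORTENERS = {"cort.as", "acortaurl.com", "gtly.to"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Archive password disclosed in the body, Spanish or English (assumed wording).
PASSWORD_RE = re.compile(r"\b(contrase[nñ]a|clave|password)\b\s*[:=]?\s*\S+", re.IGNORECASE)
# Seizure-order / DIAN pretext wording (assumed keywords).
LURE_RE = re.compile(r"\b(embargo|seizure|DIAN)\b", re.IGNORECASE)

def host_of(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_shortener(host):
    """True for a listed shortener domain or any subdomain of one."""
    return host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS)

def score_message(body):
    """Return (score, reasons). Weights are assumptions; >= 3 means hold for review."""
    reasons, score = [], 0
    short = [u for u in URL_RE.findall(body) if is_shortener(host_of(u))]
    if short:
        score += 2; reasons.append("shortener link: " + ", ".join(short))
    if PASSWORD_RE.search(body):
        score += 2; reasons.append("archive password disclosed in body")
    if LURE_RE.search(body):
        score += 1; reasons.append("seizure/DIAN pretext wording")
    return score, reasons

# Constructed sample messages; the link path is a placeholder, not a real indicator.
SAMPLE_LURE = """Estimado contribuyente,
La DIAN le informa de una orden de embargo sobre sus cuentas bancarias.
Descargue el documento: https://cort.as/PLACEHOLDER-PATH
Contraseña: 2021
"""
SAMPLE_BENIGN = "Meeting notes are at https://docs.example.com/notes - thanks."

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(body))
```

In production the same three signals would be combined with the geofencing behaviour the report describes: a sandbox that detonates the link from outside the targeted country, or through a known VPN exit, will see only the benign redirect, so the body-level indicators are what the gateway can act on.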