ESET researchers uncover attacks targeting Colombian government institutions and private companies, especially from the energy and metallurgical industries

In 2020 ESET observed several attacks targeting Colombian entities exclusively. These attacks are still ongoing at the time of writing and are focused on both government institutions and private companies. For the latter, the most targeted sectors are energy and metallurgical. The attackers rely on the use of remote access trojans, most likely to spy on their victims. They have a large network infrastructure for command and control: ESET observed at least 24 different IP addresses in use in the second half of 2020. These are probably compromised devices that act as proxies for their C&C servers. This, combined with the use of dynamic DNS services, means that their infrastructure never stays still. We have seen at least 70 domain names active in this timeframe and they register new ones on a regular basis.

The attackers

The attacks we observed in 2020 share some TTPs with previous reports about groups targeting Colombia, but also differ in many ways, thus making attribution difficult.

One of those reports was published in February 2019, by QiAnXin researchers. The operations described in that blogpost are attributed to an APT group active since at least April 2018. We have found some similarities between those attacks and the ones that we describe in this article:

  • We observed a malicious sample included in the IoCs of QiAnXin's report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the previous campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use linkpc.net and subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the previous campaign.

However, there are differences in the attachments used for phishing emails, the remote access trojans (RATs) used and in most of the operator's C&C infrastructure.

There is also this report from Trend Micro, from July 2019. There are similarities between the phishing emails and parts of the network infrastructure in that campaign and the one we describe here. The attacks described in that article were attributed to cybercrime, not espionage. While we have not seen any payload delivered by the attackers other than RATs, some of the targets in the current campaign (such as a lottery agency) do not make much sense for spying activities.

These threat actors show good usage of the Spanish language in the emails they send, they only target Colombian entities, and they use premade malware and do not develop any themselves.

Attack overview

Targets are approached with emails that lead to the download of malicious files. Usually, these emails have a PDF document attached, which contains a link that the user must click to download the malware. The downloaded files are regular RAR archives that have an executable file inside. These archives are hosted on legitimate file hosting services such as OneDrive or MediaFire. The target has to manually extract the file and execute it for the malware to run.

We have found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes. An overview of a typical attack is shown in Figure 1. We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.

Figure 1. Overview of the attack

Phishing emails

The attackers use various topics for their emails, but usually they are not specifically crafted for their victims. On the contrary, most of these emails have generic topics that could be reused for different targets.

We found phishing emails with these topics:

  • A notification about a driving infraction
  • A notification to take a mandatory COVID-19 test
  • A notification to attend a court hearing
  • An open investigation against the recipient for misuse of public funds
  • A notification of an embargo of bank accounts

The email shown in Figure 2 pretends to be a notification about a driving infraction for a value of around US$250. There is a PDF file attached that promises a photo of the infraction, as well as information about the time and place of the incident. The sender has been spoofed to make the email look like it is coming from SIMIT (a system for paying transit violations in Colombia).

Figure 2. Example of a phishing email

The PDF file only contains an external link that has been shortened with the acortaurl service, as shown in Figure 3. The shortened URL is: https://acortaurl[.]com/httpsbogotagovcohttpsbogotagovcohttpsbogotagovco.

After the shortened link is expanded, a RAR archive is downloaded from: http://www.mediafire[.]com/file/wbqg7dt604uwgza/SIMITcomparendoenlineasimitnumeroreferenciaComparendo2475569.uue/file.

Figure 3. PDF attached to phishing email

Figure 4 shows part of the email's header. The spoofed sender is [email protected][.]co but we can see that the real sender is IP address 128.90.108[.]177, which is associated with the domain name julian.linkpc[.]net, as found in historical DNS data. It is not a coincidence that the same domain name is used for contacting the C&C server in the malicious sample contained in the RAR archive. This IP address belongs to Powerhouse Management, a VPN service provider.

Figure 4. Header of a phishing email

In newer emails, the shortened link in the PDF file resolves to[.]co (a legitimate site) when visited from outside of Colombia.

Also, in some cases the GetResponse service has been used to send the email. This is probably done to track whether the victim has clicked on the link. In these cases there is no attachment: a link to the GetResponse platform leads to the download of malware.

You can see the other emails in the following gallery:

Figures 5 to 13. Various phishing emails and their attached files

Malicious artifacts

The executable files contained in the compressed archives that are downloaded via the phishing emails are responsible for decrypting and running remote access trojans on a victimized computer. In the following sections, we describe the various droppers we have seen.

NSIS installers

The dropper that is most commonly used by these attackers comes as a file that was compiled with NSIS (Nullsoft Scriptable Install System). To try to evade detection, this installer contains several benign files that are written to disk (they are not part of NSIS binaries and they are not used at all by the installer) and two files that are malicious: an encrypted RAT executable and a DLL file that decrypts and runs the trojan. An NSIS script for one of these installers is shown in Figure 14. The benign files are usually different in different droppers used by the attackers.

Figure 14. NSIS script for one of the droppers; the malicious files are highlighted

The files Bonehead (encrypted RAT) and ShoonCataclysm.dll (dropper DLL) are written to the same folder and the DLL is run with rundll32.exe using Uboats as its argument. The names of these files change between executables. Some more examples are:

  • rundll32.exe Blackface,Respiration
  • rundll32.exe OximeLied,Hostage
  • rundll32.exe Conservatory,Piggins
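
The rundll32 launch pattern above (a module without a .dll extension, or a DLL written next to the dropper, invoked by an arbitrary export name) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the report or from any product; it assumes command lines as input, and the sample events are constructed, reusing only the file and export names quoted in the text:

```python
"""Triage helper for rundll32 command lines (added example, not ESET's code).
Flags modules that lack a .dll extension or are loaded from outside the
Windows system directories, the two traits visible in the NSIS dropper."""
import re
from pathlib import PureWindowsPath

# Optionally quoted, optionally path-prefixed rundll32[.exe] followed by its arguments.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation command lines. Events 1, 2 and 5 reuse names
# quoted in the text (the Temp path is invented); 3 and 4 are benign lookalikes.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\rundll32.exe C:\Users\ana\AppData\Local\Temp\ShoonCataclysm.dll,Uboats',
    r'rundll32.exe Blackface,Respiration',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation',
    r'"C:\Windows\System32\rundll32.exe" OximeLied,Hostage',
]


def parse_rundll32(cmdline):
    """Return (module, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    args = m.group("args").strip()
    if args.startswith('"'):                      # quoted module path
        close = args.find('"', 1)
        if close < 0:
            return None
        module, rest = args[1:close], args[close + 1:]
    else:                                         # module ends at comma or space
        head = re.match(r'([^,\s]+)(.*)$', args)
        module, rest = head.group(1), head.group(2)
    entry = ""
    if rest.startswith(",") and rest[1:].split():
        entry = rest[1:].split()[0]
    return module, entry


def assess_rundll32(cmdline):
    """Assessment dict for a rundll32 launch, or None if it is not rundll32."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, entry = parsed
    reasons = []
    if PureWindowsPath(module).suffix.lower() != ".dll":
        reasons.append("module has no .dll extension")
    if "\\" in module or "/" in module:           # an explicit path was given
        normalized = module.lower().replace("/", "\\")
        if not normalized.startswith(SYSTEM_DIRS):
            reasons.append("module loaded from outside the Windows system directories")
    return {"module": module, "entry": entry,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(events):
    """Assessments of every suspicious rundll32 launch among the events."""
    return [r for r in map(assess_rundll32, events) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["module"], hit["entry"], "; ".join(hit["reasons"]))
```

Bare module names with a .dll extension (such as shell32.dll) are resolved through the loader search path and are left alone here; a production rule would also weigh the parent process and the module's signature.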

We used the names of the benign files contained in some of these NSIS installers to find more malicious installers used by the Spalax operators. Table 1 lists details of three different NSIS installers used by the attackers that all contained the same benign files. The only difference among them was the encrypted file, which pointed to different C&C servers.

Table 1. NSIS installers with identical benign files used by this group

SHA-1                                      C&C server
6E81343018136B271D1F95DB536CA6B2FD1DFCD6   marzoorganigrama20202020.duckdns[.]org
7EDB738018E0E91C257A6FC94BDBA50DAF899F90   ruthy.qdp6fj1uji[.]xyz
812A407516F9712C80B70A14D6CDF282C88938C1   dominoduck2098.duckdns[.]org

However, we also found malicious NSIS installers used by other, unrelated groups that had the same benign files as the ones used by this group. Figure 15 lists the files contained in two different NSIS installers. The one on the left (SHA-1: 3AC39B5944019244E7E33999A2816304558FB1E8) is an executable used by this group and the one on the right (SHA-1: 6758741212F7AA2B77C42B2A2DE377D97154F860) is unrelated. The SHA-1 hashes for all the benign files are the same (and so are the filenames) and even the malicious DLL is the same. However, the encrypted file Bonehead is different.

Figure 15. Files contained in NSIS droppers from unrelated campaigns

This means that these installers were generated with the same builder, but by different actors. The builder is probably offered in underground forums and includes these benign files. This, along with a complete analysis of the dropper, was described earlier this year by Sophos in their RATicate article. There is also an article by Lab52 describing one of the NSIS installers used in Operation Spalax, which they attribute to APT-C-36.

In the vast majority of cases these NSIS droppers decrypt and run the Remcos RAT, but we have also seen cases where the payload is njRAT. These will be described later in the Payloads section.

Agent Tesla packers

We have seen several droppers that are different variants of a packer that uses steganography and is known to be used in Agent Tesla samples. Interestingly, the attackers use various payloads, but none of them are Agent Tesla. Although there are differences among the samples regarding the layers of encryption, obfuscation or anti-analysis used, we can summarize the actions taken by the droppers as follows:

  • The dropper reads a string (or binary data) from its resource section and decrypts it. The result is a DLL that will be loaded and called in the same address space.
  • The DLL reads pixels from an image contained in the first binary and decrypts another executable. This one is loaded and executed in the same address space.
  • This new executable is packed with CyaX. It reads data from its own resource section and decrypts a payload. There are anti-analysis checks; if they pass, the payload can be injected into a new process or loaded in the same process space.

The initial dropper is coded in C#. In all the samples that we have seen, the code for the dropper was hiding in non-malicious code, probably copied from other apps. The benign code is not executed; it is there to evade detection.

In Figure 16 we see an example of the resources contained in one of these droppers. The text in green (only shown partially) is a string that will be decrypted to generate the next stage to be executed, and the image that we see below the green text will be decrypted by the second-stage malware. The algorithm used for decryption of the string varies from sample to sample, but sometimes the resource is just an unencrypted binary.

Figure 16. Resources contained in Agent Tesla's packer

The method to be executed in the DLL is always named StartGame or StartUpdate. It reads the image from the main executable, and stores every pixel as three numbers according to its red, green and blue components. Then it decrypts the array by doing a single-byte XOR operation, cycling through the key. After that, the array is gzip-decompressed and executed. Part of the code for the mentioned operations is shown in Figure 17.

Figure 17. Code to decrypt and run the third-stage malware
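
The image-to-payload step described above (RGB components flattened to a byte array, single-byte XOR cycling through the key, then gzip decompression) can be reproduced offline by an analyst who has dumped the image and knows or wants to recover the key. The following is an added example, not ESET's code nor the packer's; the pixel data is constructed, and the assumption that the packed stream starts with a gzip header whose MTIME field is zero (used as known plaintext for key recovery) is ours, not something the report states.

```python
"""Decoder for the second-stage image step (added example, not ESET's code):
pixels -> RGB byte stream -> cycling single-byte XOR -> gzip member."""
import gzip
import zlib
from itertools import cycle

# Fixed bytes of a gzip header with FLG=0 and MTIME=0 (assumed for the packer's
# output): ID1, ID2, CM=deflate, FLG, MTIME[4]. Known plaintext for short keys.
GZIP_KNOWN_PREFIX = b"\x1f\x8b\x08\x00\x00\x00\x00\x00"


def pixels_to_bytes(pixels):
    """Flatten (r, g, b) tuples in scan order, as StartGame/StartUpdate does."""
    out = bytearray()
    for r, g, b in pixels:
        out += bytes((r, g, b))
    return bytes(out)


def xor_cycle(data, key):
    """Single-byte XOR, cycling through the key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def gunzip_member(data):
    """Inflate one gzip member and ignore whatever follows it: the image
    normally carries more pixels than the stream needs, so padding trails it."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip wrapper
    out = d.decompress(data)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def decode_stego_payload(pixels, key):
    """Recover the third stage from pixel data with a known key."""
    plain = xor_cycle(pixels_to_bytes(pixels), key)
    if plain[:3] != b"\x1f\x8b\x08":
        raise ValueError("key does not yield a gzip stream")
    return gunzip_member(plain)


def recover_xor_key(pixels, key_len):
    """Known-plaintext recovery of a key no longer than the fixed header."""
    if not 1 <= key_len <= len(GZIP_KNOWN_PREFIX):
        raise ValueError("key_len must be between 1 and %d" % len(GZIP_KNOWN_PREFIX))
    raw = pixels_to_bytes(pixels)[:key_len]
    return bytes(c ^ p for c, p in zip(raw, GZIP_KNOWN_PREFIX))


def bytes_to_pixels(data):
    """Inverse of pixels_to_bytes; zero-pads to a multiple of three."""
    data = data + b"\x00" * (-len(data) % 3)
    return [tuple(data[i:i + 3]) for i in range(0, len(data), 3)]


def build_sample_image(payload, key, padding_pixels=4):
    """Constructed test input: gzip the payload, XOR it with the key, pack it
    into pixels and append unrelated pixels to mimic an oversized image."""
    enc = xor_cycle(gzip.compress(payload, mtime=0), key)
    return bytes_to_pixels(enc) + [(0x41, 0x42, 0x43)] * padding_pixels


if __name__ == "__main__":
    key = b"secret"
    payload = b"MZ" + b"\x90" * 40 + b"constructed-not-a-real-pe"
    pixels = build_sample_image(payload, key)
    print(recover_xor_key(pixels, len(key)))
    print(decode_stego_payload(pixels, key) == payload)
```

Keys longer than the eight fixed header bytes need more known plaintext (for instance the MZ header of the decompressed stage) and a second pass; the functions above are the building blocks for that.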

The third stage is in charge of decrypting and running the payload. The .NET packer known as CyaX is used to perform this task. The version of the packer used by the attackers is v4, although they used v2 in some cases. Figure 18 shows the hardcoded configuration for one of their samples.

Figure 18. Hardcoded configuration in CyaX-Sharp packer

The decryption of the payload is based on XOR operations and is the same as the algorithm previously shown but with an extra step: the payload is XORed with its first 16 bytes as a key. Once it is decrypted, it can be run in the same address space or injected into a different process, depending on the configuration.

This packer supports various anti-analysis operations such as disabling Windows Defender, checking for security products, and detecting virtual environments and sandboxes.

The majority of the payloads for these droppers are njRAT, but we have also seen AsyncRAT. We observed Remcos in one of these droppers, but the code in the packer was different. Part of the main routine for the injection of the payload is shown in Figure 19.

Figure 19. Code for the last stage of a dropper

We have seen that the configuration is contained in different variables. Values like #startup_method# or #bind# mean that the configuration was not set for those options. The payload is read from an encrypted resource and XORed with a hardcoded password. The shellcode that performs the injection is contained in an array and is dynamically loaded. There are no anti-analysis checks or protection mechanisms.

AutoIt droppers

For some of their droppers, the attackers have used an AutoIt packer that comes heavily obfuscated. Unlike the cases that were previously described, in this case the first-stage malware performs the injection and execution of the payload. It does so by using two shellcodes contained in the compiled AutoIt script: one to decrypt the payload and another to inject it into some process.

The payload is built by concatenating several strings, as shown in Figure 20. By inspecting the last two characters, we can see that the string is in reverse order.

Figure 20. Concatenation of the payload

The routine that decrypts the payload contains a small shellcode that is loaded with VirtualAlloc and executed. The decryption performed by the shellcode is based on a single-byte XOR algorithm. The code that loads the shellcode is shown in Figure 21.

Figure 21. Execution of shellcode to decrypt the payload

We can see that the shellcode is stored encrypted. In fact, before deobfuscating the script, all strings were encrypted with this same XOR-based algorithm. The decryption routine used is shown in Figure 22.

Figure 22. Routine to decrypt strings

Once the payload is decrypted, a shellcode with RunPE code is used to perform the injection. The shellcode is concatenated in the same way as the payload and executed like the previous shellcode.

To achieve persistence, a VBS script is created to execute a copy of the dropper (which is renamed to aadauthhelper.exe). Then an Internet Shortcut (.url) file is created in the Startup folder to execute the script. The code that generates these files is shown in Figure 23.

Figure 23. Code for persistence in AutoIt droppers

The dropper contains code that is not executed. It could:

  • Check for VMware and VirtualBox
  • Delete the dropper executable
  • Run the dropper repeatedly
  • Download and execute files
  • Terminate if a "Program Manager" window is found
  • Read a binary from its resource section, write it to disk and execute it
  • Modify the security descriptor (ACL) of the injected process

For more information see this research by Morphisec where similar AutoIt droppers were used with Frenchy shellcode.


Payloads

The payloads used in Operation Spalax are remote access trojans. These provide several capabilities not only for remote control, but also for spying on targets: keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other malware, to name a few.

These RATs were not developed by the attackers. They are:

  • Remcos, sold online
  • njRAT, leaked in underground forums
  • AsyncRAT, open source

There is not a one-to-one relationship between droppers and payloads, as we have seen different types of droppers running the same payload and also a single type of dropper associated with different payloads. However, we can state that NSIS droppers mostly drop Remcos, whereas Agent Tesla and AutoIt packers typically drop njRAT.

Remcos is a tool for remote control and surveillance. It can be purchased with a six-month license that includes updates and support. There is also a free version with limited functionality. While the tool can be used for legitimate purposes, it is also used by criminals to spy on their victims.

Most of the Remcos samples used by this group are v2.5.0 Pro, but we have also seen all versions that were released since September 2019, which may indicate that the attackers bought a license after that month and have been actively using the different updates that they received during their six-month license period.

Regarding njRAT, this group mostly uses v0.7.3 (also known as the Lime edition). That version includes functionalities such as DDoS or ransomware encryption, but only spy features such as keylogging are used by the attackers. For a more complete description of this version, refer to this 2018 article by Zscaler.

Another njRAT version used by the attackers is v0.7d (the "green edition"), which is a simpler version focused on spying capabilities: keylogging, taking screenshots, access to webcam and microphone, uploading and downloading files, and executing other binaries.

The final type of payload that we will mention is AsyncRAT. In all cases we have observed, v0.5.7B, which can be found on GitHub, has been used. The functionalities of this RAT are similar to those of the previously mentioned RATs, and allow attackers to spy on their victims.

Network infrastructure

During our research we observed roughly 70 different domain names used for C&C in the second half of 2020. This amounts to at least 24 IP addresses. By pivoting on passive DNS data for IP addresses and known domain names, we found that the attackers have used at least 160 additional domain names since 2019. This corresponds to at least 40 extra IP addresses.

They have managed to operate at such scale by using Dynamic DNS services. This means that they have a pool of domain names (and also register new ones on a regular basis) that are dynamically assigned to IP addresses. This way a domain name can be related to several IP addresses over a period of time and IP addresses can be related to many domain names. Most of the domain names we have seen were registered with Duck DNS, but they have also used DNS Exit for and linkpc.net subdomains.
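
The passive-DNS pivot described above, walking from known C&C names to the addresses they resolved to and from those addresses to further names, is easy to get wrong when an address is shared hosting that many unrelated domains also point at. The following is an added example, not ESET's tooling; the records are constructed (domain, IP) pairs using documentation address ranges, and the degree threshold for skipping shared addresses is an assumed tuning knob.

```python
"""Passive-DNS pivot over a domain/IP graph (added example, not ESET's code).
Records are constructed pairs; a real run would read them from a pDNS export."""
from collections import defaultdict, deque

# Constructed resolutions: three dynamic-DNS names hopping across three
# addresses, two unrelated names, and one hub address shared by many names.
SAMPLE_PDNS = [
    ("alpha-example.duckdns.org", "198.51.100.10"),
    ("alpha-example.duckdns.org", "198.51.100.11"),
    ("beta-example.duckdns.org", "198.51.100.11"),
    ("beta-example.duckdns.org", "203.0.113.5"),
    ("gamma-example.linkpc.net", "203.0.113.5"),
    ("unrelated-example.com", "192.0.2.77"),
    ("cdn-example.net", "192.0.2.78"),
]
HUB_IP = "192.0.2.1"  # constructed shared-hosting address
SAMPLE_PDNS += [("site%d-example.org" % i, HUB_IP) for i in range(6)]
SAMPLE_PDNS.append(("gamma-example.linkpc.net", HUB_IP))


def build_graph(records):
    """Bipartite adjacency: ("domain", name) <-> ("ip", address)."""
    adj = defaultdict(set)
    for domain, ip in records:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    return adj


def pivot(records, seed_domains, max_degree=None):
    """Breadth-first walk from known C&C names over shared resolutions.
    Returns (domains, ips) reached. Addresses pointed at by more than
    max_degree domains are treated as shared hosting and not crossed."""
    adj = build_graph(records)
    seen = {("domain", d) for d in seed_domains}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            if max_degree is not None and nxt[0] == "ip" and len(adj[nxt]) > max_degree:
                continue
            seen.add(nxt)
            queue.append(nxt)
    domains = sorted(name for kind, name in seen if kind == "domain")
    ips = sorted(name for kind, name in seen if kind == "ip")
    return domains, ips


def ip_churn(records):
    """Distinct addresses per domain: the many-to-many churn that dynamic DNS
    gives an operator shows up here as counts above one."""
    adj = build_graph(records)
    return {name: len(adj[(kind, name)]) for kind, name in adj if kind == "domain"}


if __name__ == "__main__":
    print(pivot(SAMPLE_PDNS, ["alpha-example.duckdns.org"], max_degree=5))
    print(ip_churn(SAMPLE_PDNS))
```

Without the threshold the walk crosses the hub address and pulls in the six unrelated site*-example.org names; with it, only the three dynamic-DNS names and their three addresses come back.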

Regarding IP addresses, almost all of them are in Colombia. Most are IP addresses related to Colombian ISPs: 60% of them are Telmex and 30% EPM Telecomunicaciones (Tigo). As it is highly unlikely that the criminals own so many residential IP addresses, it is possible that they use some victims as proxies, or some vulnerable devices to forward communication to their real C&C servers.

Finally, a subset of the IP addresses belongs to Powerhouse Management, a VPN service provider. They are used together with DNS Exit subdomains. Similar findings can be found in this research by Lab52.


Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year. The landscape has changed from a campaign that had a handful of C&C servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019. Although TTPs have seen changes, not only in how malware is delivered in phishing emails but also in the RATs used, one aspect that remains the same is that the attacks are still targeted and focused on Colombian entities, in both the public and private sectors. It should be expected that these attacks will continue in the region for a long time, so we will keep monitoring these activities.

A complete list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]

MITRE ATT&CK techniques

Note: This table was built using version 7 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | The attackers have used emails with PDF or RTF files attached that contain a link to download malware.
Initial Access | T1566.002 | Phishing: Spearphishing Link | The attackers have used emails with a link to download malware.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | The attackers have used droppers that dump VBS files with commands to achieve persistence.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The attackers have used RATs that can launch a command shell for executing commands.
Execution | T1106 | Native API | The attackers have used API calls in their droppers, such as CreateProcessA, WriteProcessMemory and ResumeThread, to load and execute shellcode in memory.
Execution | T1204.001 | User Execution: Malicious Link | The attackers have tried to get users to open a malicious link that leads to the download of malware.
Execution | T1204.002 | User Execution: Malicious File | The attackers have tried to get users to execute malicious files masquerading as documents.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The attackers have used RATs that persist by creating a Run registry key or by creating a copy of the malware in the Startup folder.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | The attackers have used scheduled tasks in their droppers and payloads to achieve persistence.
Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | The attackers have used RATs that implement UAC bypassing.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The attackers have used various encryption algorithms in their droppers to hide strings and payloads.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | The attackers have used the CyaX packer, which can disable Windows Defender.
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | The attackers have used malware that deletes itself from the system.
Defense Evasion | T1112 | Modify Registry | The attackers have used RATs that allow full access to the Registry, for example to clear traces of their activities.
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | The attackers have used various layers of packers for obfuscating their droppers.
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography | The attackers have used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.
Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection | The attackers have used droppers that inject the payload into legitimate processes such as RegAsm.exe, MSBuild.exe and more.
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | The attackers have used droppers and payloads that perform anti-analysis checks to detect virtual environments and analysis tools.
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The attackers have used various RATs with modules that steal passwords stored in victim web browsers.
Discovery | T1010 | Application Window Discovery | The attackers have used droppers and RATs that gather information about open windows.
Discovery | T1083 | File and Directory Discovery | The attackers have used various RATs that can browse file systems.
Discovery | T1120 | Peripheral Device Discovery | The attackers have used njRAT, which attempts to detect if the victim system has a camera during the initial infection.
Discovery | T1057 | Process Discovery | The attackers have used various RATs with modules that show running processes.
Discovery | T1012 | Query Registry | The attackers have used various RATs that can read the Registry.
Discovery | T1018 | Remote System Discovery | The attackers have used njRAT, which can identify remote hosts on connected networks.
Discovery | T1518.001 | Software Discovery: Security Software Discovery | The attackers have used droppers that check for security software present on a victim's computer.
Discovery | T1082 | System Information Discovery | The attackers have used various RATs that gather system information such as computer name and operating system during the initial infection.
Discovery | T1016 | System Network Configuration Discovery | The attackers have used various RATs that can collect the IP address of the victim machine.
Discovery | T1049 | System Network Connections Discovery | The attackers have used various RATs that can list network connections on a victim's computer.
Discovery | T1033 | System Owner/User Discovery | The attackers have used various RATs that retrieve the current username during the initial infection.
Discovery | T1007 | System Service Discovery | The attackers have used various RATs that have modules to manage services on the system.
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | The attackers have used various RATs that can perform remote desktop access.
Lateral Movement | T1091 | Replication Through Removable Media | The attackers have used njRAT, which can be configured to spread via removable drives.
Collection | T1123 | Audio Capture | The attackers have used various RATs that can capture audio from the system's microphone.
Collection | T1115 | Clipboard Data | The attackers have used various RATs that can access and modify data from the clipboard.
Collection | T1005 | Data from Local System | The attackers have used various RATs that can access the local file system and upload, download or delete files.
Collection | T1056.001 | Input Capture: Keylogging | The attackers have used various RATs that have keylogging capabilities.
Collection | T1113 | Screen Capture | The attackers have used various RATs that can take screenshots of victim machines.
Collection | T1125 | Video Capture | The attackers have used various RATs that can access the victim's webcam.
Command and Control | T1132.001 | Data Encoding: Standard Encoding | The attackers have used njRAT, which uses base64 encoding for C&C traffic.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | The attackers have used Remcos RAT, which uses RC4 for encrypting C&C communications.
Command and Control | T1095 | Non-Application Layer Protocol | The attackers have used various RATs that use TCP for C&C communications.
Command and Control | T1571 | Non-Standard Port | The attackers have used various RATs that communicate over different port numbers.
Exfiltration | T1041 | Exfiltration Over C2 Channel | The attackers have used various RATs that exfiltrate data over the same channel used for C&C.
