Malware Attacks on Colombian Companies and Government Discovered by Researchers
Cybersecurity researchers have discovered an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries. ESET, the Slovak internet security company, published a report on Tuesday describing the attacks, which it calls "Operation Spalax", and stated that they began early in 2020. The campaign shares some similarities with an APT (Advanced Persistent Threat) group that has targeted the country since at least April 2018, but also differs from it in several respects.
The attacks are carried out via phishing emails that use the same or very similar subject lines as, and purport to come from the same organizations impersonated in, a campaign from February 2019 (disclosed by QiAnXin researchers); some of the subdomains used for the C2 (command-and-control) servers also overlap. Although the objectives of the two campaigns are similar, the malicious attachments and payloads differ: the attachments in the new campaign drop RATs (remote access trojans), and the command-and-control servers receive the data exfiltrated by the deployed malware.
The attack chain begins when a target receives a phishing email. Typically the email carries a PDF attachment containing a link; clicking the link downloads a RAR archive from MediaFire or OneDrive, and the archive contains one of several droppers that decode and run a RAT (AsyncRAT, Remcos, njRAT and others) on the victim's device. To lure recipients, the attackers choose topics that prompt a reaction without arousing suspicion: a summons to a court hearing, a notice of a driving offence, a mandatory online assessment related to the Covid-19 pandemic, and so on. Such subjects have a high chance of being opened and their links clicked.
In other cases observed by ESET, the attackers used heavily obfuscated AutoIt droppers that decode the payload with shellcode and then inject it into a running process. The payloads used in Operation Spalax are RATs that provide not only remote access and control but also surveillance of the victim: capturing screenshots, hijacking the clipboard, keylogging, exfiltrating files, and downloading, installing and executing further malware. ESET researchers also explained that the attackers use compromised devices as proxies for their command-and-control servers. This distributed C2 infrastructure, combined with dynamic DNS services, lets the attackers point a given domain name at a chosen IP address at will. In the second half of 2020 alone, researchers identified at least 70 active domain names, with new ones being registered regularly, and 24 different IP addresses (all of them compromised devices).
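The delivery chain and the C2 pattern described above (a RAR archive fetched from MediaFire or OneDrive, followed by beaconing to dynamic DNS names whose resolved addresses keep changing) can be turned into simple detection logic. The following is an added example written for this article, not code from ESET or from the report; the log line format, the list of dynamic DNS providers and the sample log entries are all constructed assumptions (the page says only "dynamic DNS" and does not name a provider):

```python
import re
from collections import defaultdict

# Hosts the report names as the RAR delivery points (MediaFire, OneDrive).
FILE_SHARING_HOSTS = ("mediafire.com", "onedrive.live.com")

# Dynamic DNS providers to watch. ASSUMPTION: the article only says
# "dynamic DNS"; these particular providers are not named there.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# ASSUMED log format, constructed for this example:
#   <timestamp> <src-ip> GET <url>
#   <timestamp> <src-ip> DNS <qname> -> <resolved-ip>
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) GET (?P<url>https?://(?P<host>[^/\s]+)(?P<path>\S*))$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) DNS (?P<qname>\S+) -> (?P<ip>\S+)$")


def host_in(host, suffixes):
    """True if host equals, or is a subdomain of, any suffix (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_archive_downloads(lines, hosts=FILE_SHARING_HOSTS, ext=".rar"):
    """Stage 1 of the chain: an archive fetched from a file-sharing host.

    Returns (src-ip, host, path) for each matching proxy log line."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore query string when checking extension
        if host_in(m["host"], hosts) and path.lower().endswith(ext):
            hits.append((m["src"], m["host"], path))
    return hits


def flag_dyndns_churn(lines, suffixes=DYNDNS_SUFFIXES, min_ips=2):
    """Stage 2: a dynamic DNS name that resolved to several different IPs,
    the fast-changing infrastructure pattern described in the report.

    Returns {qname: sorted list of IPs} for names seen with >= min_ips addresses."""
    seen = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if m and host_in(m["qname"], suffixes):
            seen[m["qname"].lower()].add(m["ip"])
    return {q: sorted(ips) for q, ips in seen.items() if len(ips) >= min_ips}


def correlate(lines):
    """Hosts that both downloaded an archive (stage 1) and later queried a
    churning dynamic DNS name (stage 2). Returns a sorted list of source IPs."""
    downloaders = {src for src, _, _ in flag_archive_downloads(lines)}
    churning = flag_dyndns_churn(lines)
    suspects = set()
    for line in lines:
        m = DNS_RE.match(line)
        if m and m["src"] in downloaders and m["qname"].lower() in churning:
            suspects.add(m["src"])
    return sorted(suspects)


# CONSTRUCTED sample log: one host follows the full chain, the others are benign noise.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2020-09-14T10:02:11Z 10.1.4.23 GET https://www.mediafire.com/file/k3x9q2/Citacion_Audiencia.rar",
    "2020-09-14T10:05:40Z 10.1.4.23 DNS update-srv.duckdns.org -> 198.51.100.10",
    "2020-09-15T08:11:02Z 10.1.4.23 DNS update-srv.duckdns.org -> 198.51.100.77",
    "2020-09-14T11:00:00Z 10.1.7.9 GET https://www.mediafire.com/file/zz11/holiday_photos.zip",
    "2020-09-14T11:30:00Z 10.1.7.9 DNS www.example.com -> 192.0.2.5",
    "2020-09-16T09:00:00Z 10.1.9.2 DNS backup.ddns.net -> 198.51.100.77",
]

if __name__ == "__main__":
    print("archive downloads:", flag_archive_downloads(SAMPLE_LOG))
    print("churning dyndns names:", flag_dyndns_churn(SAMPLE_LOG))
    print("hosts matching both stages:", correlate(SAMPLE_LOG))
```

The two stages are deliberately weak signals on their own (staff do download archives from OneDrive, and a single dynamic DNS lookup is common), so the useful alert is the correlation in `correlate`: the same source address completing the download and then resolving a name whose address moves. Extending the suffix lists to the providers actually seen in your own telemetry is the first tuning step.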
ESET researchers concluded: “Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described by other researchers last year. The landscape has changed from a campaign with a handful of C&C servers and domain names into a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.” They added: “The attacks ESET saw in 2020 share some TTPs with previous reports about groups targeting Colombia, but also differ in many ways, thus making attribution difficult.”