Researchers from Trend Micro have come across a new malware campaign targeting organizations in Colombia and other South American countries with malicious emails. The threat actor, known as APT-C-36 or Blind Eagle, has a history of installing publicly available remote administration tools on victims' machines via spear-phishing attacks, and has once again switched from one RAT to another in its infection chain.
Trend Micro researchers also listed the RATs this APT has used. Describing the lures, the blog post says:
“APT-C-36 utilizes different ruses for their targets: Many of the fraudulent emails impersonate Colombia’s national directorate of taxes and customs, Dirección de Impuestos y Aduanas Nacionales (DIAN), a lure that the threat actor has used before. Such emails claim that a “seizure order to bank account has been issued,” further details are contained in the email attachment, and that the information is protected with password “dian” (Figure 1). In English, the attachment means “seizure order.pdf” and the email body translates to the following:
“Subject: we have sent a seizure order to the bank accounts matching your name
For your information, our intelligent IT system detected that your income statement at the Direccion de Impuestos y Aduanas DIAN has 180 days of arrears. For that reason, we will proceed as stated in the law, article 823 until 843-2.
We attach the information and your debt with the password: dian” reads the blog post.
The threat actors also use a lure claiming to contain a photo that proves the recipient's partner is having an affair, urging users to open an image file named “attached picture.jpg” with the password “foto”. Once again, the delivered emails are poorly written with no proper punctuation, which is a useful indicator when detecting phishing attacks. The emails are delivered to users in Spanish; the translation above is given in English for CyberWorkx news readers.
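The indicators in the two lures above (a password disclosed in the message body for an attachment that claims to be a plain PDF or image, impersonation of DIAN, a legal or financial urgency hook, and sloppy writing) can be turned into a simple mail-triage scorer. The Python below is an added example written for this article, not code from Trend Micro or from the campaign; the sample messages are constructed to resemble the lures described, and the regexes, the attachment-extension list and the alert threshold are assumptions.

```python
import re

# Constructed sample messages modelled on the two lures described in the
# article (the DIAN "seizure order" mail and the "attached picture" mail)
# plus one benign message. These are not real captured emails.
SAMPLE_EMAILS = [
    {
        "subject": "we have sent a seizure order to the bank accounts matching your name",
        "body": ("For your information, our intelligent IT system detected that your "
                 "income statement at the Direccion de Impuestos y Aduanas DIAN has "
                 "180 days of arrears. We attach the information and your debt with "
                 "the password : dian"),
        "attachments": ["seizure order.pdf"],
    },
    {
        "subject": "look at this photo",
        "body": "your partner is cheating on you open the picture password foto",
        "attachments": ["attached picture.jpg"],
    },
    {
        "subject": "Q3 report",
        "body": "Hi team, the quarterly report is attached. Regards, Ana",
        "attachments": ["q3-report.pdf"],
    },
]

# Assumed patterns: a password handed out in the body, the impersonated agency,
# and the urgency vocabulary used in the translated lure.
PASSWORD_RE = re.compile(r"\b(?:password|contrase[nñ]a|clave)\s*:?\s*([A-Za-z0-9]{3,})", re.I)
IMPERSONATION_RE = re.compile(r"\b(?:DIAN|Direcci[oó]n de Impuestos)\b", re.I)
URGENCY_RE = re.compile(r"\b(?:seizure order|embargo|arrears|proceed as stated in the law)\b", re.I)
# Formats that are not normally "password protected" in the way the lure claims;
# a password for one of these usually means the attachment is really an archive.
NON_ARCHIVE_EXT = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx")


def score_email(msg):
    """Return (score, reasons) for one message; each matched indicator adds one point."""
    reasons = []
    text = msg["subject"] + "\n" + msg["body"]
    pw = PASSWORD_RE.search(msg["body"])
    if pw:
        reasons.append(f"password disclosed in body: {pw.group(1)}")
        for name in msg["attachments"]:
            if name.lower().endswith(NON_ARCHIVE_EXT):
                reasons.append(f"password offered for non-archive attachment: {name}")
    if IMPERSONATION_RE.search(text):
        reasons.append("impersonates DIAN")
    if URGENCY_RE.search(text):
        reasons.append("legal/financial urgency lure")
    # Crude writing-quality heuristic: the article notes the lures are poorly written.
    if msg["subject"] and msg["subject"][0].islower():
        reasons.append("subject starts lowercase")
    return len(reasons), reasons


def triage(emails, threshold=2):
    """Return (subject, score, reasons) for every message at or above the threshold."""
    flagged = []
    for msg in emails:
        score, reasons = score_email(msg)
        if score >= threshold:
            flagged.append((msg["subject"], score, reasons))
    return flagged


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_EMAILS):
        print(f"[{score}] {subject!r}")
        for r in reasons:
            print("    -", r)
```

The threshold is deliberately low because each indicator alone is weak; the combination of a body-disclosed password with an attachment that should not need one is the strongest single signal here and is worth its own rule in a mail gateway.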
“Upon analyzing the RAT, the most interesting part of this RAT is its configuration settings seen as an encrypted block of data (Figure 8). There are two hexadecimal strings within the main executable file in BitRAT: the longer string is the encrypted configuration, the shorter one is the first part of the key.” reads the blog post.
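The layout described in that quote (two ASCII hexadecimal strings inside the main executable, the longer one being the encrypted configuration and the shorter one the first part of the key) suggests a simple static triage check: pull the hexadecimal runs out of a binary, rank them by length, and report the decoded size and byte entropy of each candidate. The Python below is an added example written for this article, not Trend Micro's tooling or BitRAT code; the sample binary is constructed inline (a fake PE-like blob with two embedded hex strings), the minimum run length of 32 characters is an assumption, and nothing is decrypted because the page does not describe how the key is completed.

```python
import hashlib
import math
import re

# A hex run is a maximal stretch of hex digits; the lookarounds stop partial
# matches inside a longer run. 32 chars (16 bytes) is an assumed minimum.
HEX_RUN_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")


def _constructed_bytes(n, seed=b"constructed-config"):
    """Deterministic pseudo-random filler (SHA-256 chain) so the sample is reproducible."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample: a fake PE-like blob with a long hex string standing in for
# the encrypted configuration and a short one standing in for the key fragment.
# This is not a real BitRAT sample.
CONSTRUCTED_CONFIG_HEX = _constructed_bytes(100).hex()   # 200 hex chars
CONSTRUCTED_KEY_HEX = "0123456789abcdef" * 2              # 32 hex chars
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + CONSTRUCTED_CONFIG_HEX.encode("ascii") + b"\x00" * 8
    + b"kernel32.dll\x00"
    + CONSTRUCTED_KEY_HEX.encode("ascii") + b"\x00" * 32
)


def shannon_entropy(data):
    """Bits per byte in the 0..8 range; encrypted data sits near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_hex_strings(blob):
    """Return (offset, hex_text) for every ASCII hex run of at least 32 characters."""
    return [(m.start(), m.group().decode("ascii")) for m in HEX_RUN_RE.finditer(blob)]


def classify_candidates(blob):
    """Rank hex runs by length: longest -> config candidate, shortest -> key fragment."""
    runs = find_hex_strings(blob)
    if len(runs) < 2:
        return None
    ranked = sorted(runs, key=lambda r: len(r[1]), reverse=True)

    def describe(offset, hex_text):
        even = hex_text[: len(hex_text) // 2 * 2]   # fromhex needs an even length
        raw = bytes.fromhex(even)
        return {"offset": offset, "length": len(raw),
                "entropy": round(shannon_entropy(raw), 2)}

    return {"config": describe(*ranked[0]), "key_fragment": describe(*ranked[-1])}


if __name__ == "__main__":
    for role, info in classify_candidates(SAMPLE_BLOB).items():
        print(f"{role:13s} offset=0x{info['offset']:x} "
              f"len={info['length']} entropy={info['entropy']}")
```

On a real sample the entropy column is what separates an encrypted blob from, say, a hex-encoded GUID or certificate thumbprint that happens to be long: a configuration blob should decode to high-entropy bytes, while a key fragment is short and may or may not. Either way the function only points an analyst at offsets worth inspecting; it does not claim the strings are a config and key on its own.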
“Our research shows that they modify their methods frequently, as evidenced by their use of different link shorteners and RATs. While spear-phishing emails are the initial infection vector for this ongoing campaign, the threat actor is constantly changing their payloads and improving their techniques to avoid detection, such as their use of geolocation filtering.” concludes the report.
CyberWorkx news readers can check out the IOCs for this malware campaign here.