A spam campaign delivering spear-phishing emails aimed at South American entities has retooled its tactics to incorporate a wide range of commodity remote access trojans (RATs) and geolocation filtering to evade detection, according to new research.
Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected South American espionage group that has been active since at least 2018 and was previously known for setting its sights on Colombian government institutions and corporations spanning the financial, petroleum, and manufacturing sectors.
Mainly spread via fraudulent emails that masquerade as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain begins when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts and click on a link that has been generated with a URL shortener service such as cort.as, acortaurl.com, or gtly.to.
“These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website,” Trend Micro researchers detailed in a report published last week. “The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link.”
Should the victim meet the location criteria, the user is redirected to a file hosting server, and a password-protected archive is automatically downloaded, the password for which is specified in the email or the attachment, ultimately leading to the execution of a C++-based remote access trojan called BitRAT that first came to light in August 2020.
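The delivery chain described above (government impersonation, a seizure-order pretext, a link through one of the named shorteners, and an archive password handed over in the message itself) can be turned into a mail-gateway triage heuristic. The following is an added example written for this article, not code from Trend Micro or from the report; the shortener domains and lure themes come from the text, while the Spanish keyword variants, the weights, the threshold and the two sample messages are assumptions constructed here to show the scorer working.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# URL shortener domains the report names as used by the campaign.
SHORTENER_DOMAINS = {"cort.as", "acortaurl.com", "gtly.to"}

# Lure indicators drawn from the description above. The Spanish variants
# and the weights are assumptions made for this example, not report content.
LURE_INDICATORS = [
    (re.compile(r"\bDIAN\b"), 2, "impersonates DIAN"),
    (re.compile(r"seizure order|orden de embargo", re.IGNORECASE), 2, "seizure-order pretext"),
    (re.compile(r"(password|contrase[nñ]a)\s*(is|es|:)\s*\S{6,}", re.IGNORECASE), 2,
     "archive password disclosed in message"),
]

DECOY_EXTENSIONS = (".pdf", ".doc", ".docx")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SUSPICIOUS_THRESHOLD = 5  # assumed cut-off; tune against your own mail flow


@dataclass
class TriageResult:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= SUSPICIOUS_THRESHOLD


def extract_hosts(text):
    """Lower-cased hostnames of every http(s) URL found in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage_email(subject, body, attachment_names):
    """Score one message against the campaign's reported lure and delivery traits."""
    result = TriageResult()
    text = f"{subject}\n{body}"

    # 1. Links that pass through one of the shorteners tied to the campaign.
    for host in extract_hosts(text):
        if host in SHORTENER_DOMAINS:
            result.score += 3
            result.reasons.append(f"link via shortener {host}")

    # 2. Government impersonation, seizure-order pretext, disclosed archive password.
    for pattern, weight, reason in LURE_INDICATORS:
        if pattern.search(text):
            result.score += weight
            result.reasons.append(reason)

    # 3. A PDF or Word attachment that could carry the decoy document and the link.
    if any(name.lower().endswith(DECOY_EXTENSIONS) for name in attachment_names):
        result.score += 1
        result.reasons.append("PDF/Word attachment present")

    return result


# Constructed sample messages (not real campaign emails) to exercise the scorer.
SAMPLE_LURE = {
    "subject": "DIAN - Orden de embargo de cuentas bancarias",
    "body": ("Consulte el documento adjunto y descargue el expediente en "
             "https://cort.as/EXAMPLE-PLACEHOLDER\nContraseña: Dian2022!"),
    "attachment_names": ["Notificacion_DIAN.pdf"],
}
SAMPLE_BENIGN = {
    "subject": "Quarterly report",
    "body": "The report is attached; the dashboard is at https://intranet.example.com/reports",
    "attachment_names": ["Q3_report.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        r = triage_email(**msg)
        print(label, r.score, r.suspicious, r.reasons)
```

The shortener check is weighted highest because, as the quoted researchers note, the link itself resolves to a legitimate page for anyone outside the targeted region or behind a major VPN; a sandbox that detonates the link from the wrong country will therefore see a clean redirect, so the mail-level indicators have to carry the detection rather than URL reputation alone.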
A number of verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been impacted, with a majority of the targets for the latest campaign located in Colombia and a smaller fraction also coming from Ecuador, Spain, and Panama.
“APT-C-36 selects their targets based on location and most likely the financial status of the email recipient,” the researchers said. “These, and the prevalence of the emails, lead us to conclude that the threat actor’s ultimate goal is financial gain rather than espionage.”