Cyber Security

A New Wave of Malware Attack Targeting Organizations in South America

A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research.

Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected South America espionage group that has been active since at least 2018 and previously known for setting its sights on Colombian government institutions and corporations spanning financial, petroleum, and manufacturing sectors.

Primarily spread via fraudulent emails by masquerading as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain commences when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts and click on a link that’s been generated from a URL shortener service like cort.as, acortaurl.com, and gtly.to.

“These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website,” Trend Micro researchers detailed in a report published last week. “The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link.”

Prevent Ransomware Attacks

Should the victim meet the location criteria, the user is redirected to a file hosting server, and a password-protected archive is automatically downloaded, the password for which is specified in the email or the attachment, ultimately leading to the execution of a C++-based remote access trojan called BitRAT that first came to light in August 2020.

Multiple verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been affected, with a majority of the targets for the latest campaign located in Colombia and a smaller fraction also coming from Ecuador, Spain, and Panama.

“APT-C-36 selects their targets based on location and most likely the financial standing of the email recipient,” the researchers said. “These, and the prevalence of the emails, lead us to conclude that the threat actor’s ultimate goal is financial gain rather than espionage.”

Products You May Like

Articles You May Like

Resolving Availability vs. Security, a Constant Conflict in IT
Nintendo Faces Dip in Quarterly Sales Amid Chip Shortages, Sold 3.43 Million Switch Units
Climate Change May Increase Mortality Rate by Six Times, Claims New Study
Alibaba shares jump 7% after quarterly earnings beat expectations
Government Issued 105 Blocking Orders to Social Media Firms Under New IT Rules

Leave a Reply

Your email address will not be published.