Cyberattacks on South American organizations using spear-phishing emails have retooled their strategies to incorporate a wide range of commodity remote access trojans (RATs) as well as geolocation filtering to escape detection, according to a new study.
The attacks have been linked to APT-C-36 (aka Blind Eagle), a suspected South American espionage group that has been active since at least 2018. The group has previously targeted Colombian government institutions and corporations across the financial, petroleum, and manufacturing sectors, according to cybersecurity firm Trend Micro.
The infection chain is primarily spread via fraudulent emails that impersonate Colombian government agencies such as the National Directorate of Taxes and Customs (DIAN). When recipients open a counterfeit PDF or Word document stating that a seizure order has been issued against their bank accounts, they click a link produced by a URL shortener such as cort.as, acortaurl, or acortaurl.com.
In a report published last week, Trend Micro researchers explained how URL shorteners can be used to target users based on their geographic location. They asserted, “if a user from an unaffected nation clicks on the link, the threat actors’ malicious URL redirects the visitor to a legitimate website”. URL shorteners are also able to recognize popular VPNs, and that ability leads to links redirecting such visitors to safe, official destinations rather than malicious sites.
BitRAT Malware Attacks
Targeted users are redirected to a file hosting server, and a password-protected archive is automatically downloaded; its password is specified in the email or attachment. This results in the execution of a C++-based remote access trojan known as BitRAT, which was first discovered in August of this year and has been in use since then.
Reports indicate that the latest wave of cyberattacks on South American organizations has affected a variety of industries, including government, financial services, healthcare, telecommunications, energy, oil, and gas. The majority of targets in the latest campaign are said to be in Colombia, with a smaller proportion in Ecuador, Spain, and Panama.
According to the study, “APT-C-36 selects their targets depending on where the email sender is located. And their most likely financial status.” Indicators such as these, including the accessibility of emails, tell us that the goal of the threat actor is not spying but rather financial gain.
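As an added example (not from the Trend Micro report or this article), the following Python mail-triage heuristic scores a constructed message against the lure features described above: a link to one of the named shorteners, the bank-account seizure pretext, a claim to be DIAN sent from another domain, a password stated in the body, and an archive attachment. The legitimate DIAN mail domain and the three-indicator alert threshold are assumptions, and the sample emails are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Shortener domains named in the Trend Micro report.
SHORTENERS = ("cort.as", "acortaurl.com")
LURE_TERMS = ("seizure order", "orden de embargo")
PASSWORD_HINT = re.compile(r"\b(password|contraseña)\b\s*[:=]", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Assumption (not from the report): the legitimate DIAN mail domain.
LEGIT_DIAN_DOMAIN = "dian.gov.co"


def triage(raw: str) -> list:
    """Return the heuristic findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    if any(s in text for s in SHORTENERS):
        findings.append("shortener_link")         # geofenced redirect stage
    if any(t in text for t in LURE_TERMS):
        findings.append("seizure_lure")           # bank-account seizure pretext
    if "dian" in text and sender_domain != LEGIT_DIAN_DOMAIN:
        findings.append("agency_impersonation")   # crude substring check, tune per tenant
    if PASSWORD_HINT.search(body):
        findings.append("password_in_body")       # unlocks the protected archive
    if any(a.endswith(ARCHIVE_EXT) for a in attachments):
        findings.append("archive_attachment")
    return findings


def is_suspicious(raw: str) -> bool:
    """Assumed alert threshold: three or more independent indicators."""
    return len(triage(raw)) >= 3


def build_sample(lure: bool) -> str:
    """Constructed sample message mirroring the reported lure (not a real email)."""
    m = EmailMessage()
    if lure:
        m["From"] = "DIAN Notifications <notify@dian-notice.example>"
        m["Subject"] = "Seizure order on your bank accounts - DIAN"
        m.set_content("Download the order: https://cort.as/EXAMPLE\nPassword: 2022")
        m.add_attachment(b"PK", maintype="application", subtype="zip",
                         filename="seizure_order.zip")
    else:
        m["From"] = "Payroll <payroll@corp.example>"
        m["Subject"] = "Team lunch"
        m.set_content("Lunch is at noon on Friday.")
    return m.as_string()
```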