Researchers have found that a spam campaign has revised its methods, adding a commodity remote access trojan (RAT) and geolocation filtering to evade detection. The campaign distributes spear-phishing emails to South American organizations.
According to security researchers, the attacks were attributed to an advanced persistent threat (APT) tracked as APT-C-36 or Blind Eagle. APT-C-36 is a suspected espionage group from South America known for targeting Colombian government organizations and firms in the financial, manufacturing, and petroleum sectors. The group has been active since 2018.
The infection chain begins when recipients of the spam message open a decoy PDF or Word document that claims to be a seizure order against their bank accounts and then click a link created with a URL shortener service. The emails are spread by impersonating Colombian government agencies such as the National Directorate of Taxes and Customs (DIAN).
Researchers added that the URL shorteners can target geographical locations: if a victim in a country the criminals are not targeting clicks the link, a legitimate website is opened instead. The shorteners can also detect major VPN services, so users behind a VPN are likewise redirected to legitimate websites rather than to the malicious links.
Spam victims who meet the location criteria are redirected to a file hosting server that automatically downloads a password-protected archive.
The password for the archive is given in the email itself; opening the archive launches the BitRAT trojan, a C++-based remote access malware first seen in August 2020.
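One way a mail-security team could triage for the lure chain described above (official-looking seizure notice, shortened link, password supplied in the email for a later archive) is a simple scoring pass over incoming messages. This is an added example, not code from the researchers' report; the shortener domain list, lure terms, and sample messages are constructed for illustration.

```python
import re

# Constructed indicator lists for this example; not taken from the article.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "cutt.ly", "is.gd", "rebrand.ly"}
LURE_TERMS = re.compile(r"\b(embargo|seizure order|DIAN)\b", re.IGNORECASE)
PASSWORD_HINT = re.compile(r"\b(contrase[nñ]a|password|clave)\b", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)
DECOY_EXTS = (".pdf", ".doc", ".docx")


def triage_email(subject: str, body: str, attachments: list[str]) -> dict:
    """Score one message against the lure chain: seizure-order pretext,
    shortened link, decoy document, and a password handed over in the mail."""
    text = f"{subject}\n{body}"
    hosts = {h.lower() for h in HOST_RE.findall(text)}
    findings = []
    if hosts & SHORTENER_DOMAINS:
        findings.append("shortener_link")
    if LURE_TERMS.search(text):
        findings.append("seizure_lure")
    if PASSWORD_HINT.search(body):
        findings.append("password_in_body")
    if any(a.lower().endswith(DECOY_EXTS) for a in attachments):
        findings.append("decoy_document")
    # Geo-filtered shorteners serve a legitimate page to non-targeted regions,
    # so a clean detonation of the link from outside the target country must
    # not clear the message. The verdict rests on the lure pattern instead.
    strong = "shortener_link" in findings and len(findings) >= 3
    verdict = "quarantine" if strong else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings, "hosts": sorted(hosts)}


# Constructed sample messages for a stand-alone run.
LURE_MAIL = dict(
    subject="DIAN - Orden de embargo de cuentas bancarias",
    body="Consulte la orden adjunta. Descargue el expediente en https://bit.ly/abc123 "
         "La contraseña del archivo es 2022.",
    attachments=["orden_embargo.pdf"],
)
BENIGN_MAIL = dict(
    subject="Weekly status",
    body="Notes are at https://intranet.example.com/notes/week-12",
    attachments=[],
)

if __name__ == "__main__":
    for mail in (LURE_MAIL, BENIGN_MAIL):
        print(triage_email(**mail))
```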
Most of the organizations affected by the campaign are in Colombia, in the energy, oil, gas, financial, government, telecommunications, and healthcare industries. A smaller share of victims in these industries may also come from other countries such as Panama, Ecuador, and Spain.
As stated by researchers, the APT-C-36 group selects its victims based on location and financial standing.