In a recent development, cybersecurity researchers uncovered an ongoing surveillance initiative targeting Colombian government institutions and private enterprises within the energy and metallurgical sectors. This attack campaign, referred to as “Operation Spalax,” was detailed in a report released Tuesday by ESET, a Slovak cybersecurity firm. The operation first began in 2020 and exhibits operational characteristics reminiscent of a known Advanced Persistent Threat (APT) group active in Colombia since at least April 2018.

The similarities between the two campaigns reveal themselves primarily through the use of phishing emails, which employ similar themes and impersonate entities associated with a previous operation disclosed by QiAnXin researchers in February 2019. Moreover, the campaign’s Command and Control (C2) servers feature subdomain names that echo past tactics.

Despite these similarities, the strategies diverge in terms of the attachments utilized in phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure leveraged for malware retrieval. The attack chain initiates with victims receiving phishing emails, which direct them to download RAR archives hosted on platforms like OneDrive or MediaFire. These archives contain various droppers tasked with executing RATs such as Remcos, njRAT, and AsyncRAT on compromised machines.

The phishing messages cover a broad array of subjects, including false notifications about traffic violations, court summonses, and mandatory COVID-19 testing, which raises the likelihood that unsuspecting users will open them. In some cases documented by ESET, the attackers used heavily obfuscated AutoIt droppers that run shellcode to decrypt the malicious payload and inject it into an existing process.

The identified RATs not only enable remote control capabilities but also facilitate espionage activities, such as logging keystrokes, capturing screenshots, exfiltrating sensitive documents, and executing additional malware.

ESET’s research further points to a scalable C2 architecture built on Dynamic DNS services, which let the operators reassign domain names to new IP addresses at will. In the second half of 2020 alone, the operation used 70 distinct domain names and 24 IP addresses.
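The article does not reproduce any detection logic, so the following is an added Python example (not ESET’s code and not from the report) that runs over constructed resolver log lines and flags the two patterns a Dynamic DNS C2 layer leaves behind: several lure-themed names parked on one IP, and one name hopping between IPs. The zone list, the `example-ddns.net` zone itself, and every log value are assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample resolver log lines, one per A-record answer:
# "<timestamp> <client_ip> <queried_hostname> <resolved_ip>".
SAMPLE_LOG = """\
2020-09-01T10:00:01 10.0.0.5 update-docs.example-ddns.net 203.0.113.10
2020-09-01T10:05:09 10.0.0.7 notificacion.example-ddns.net 203.0.113.10
2020-09-01T11:12:44 10.0.0.5 citacion.example-ddns.net 203.0.113.10
2020-09-02T09:00:13 10.0.0.9 comparendo.example-ddns.net 203.0.113.10
2020-09-02T09:30:20 10.0.0.5 update-docs.example-ddns.net 198.51.100.7
2020-09-02T12:00:00 10.0.0.4 www.example.com 93.184.216.34
"""

# Assumed zone list (example-ddns.net is invented for the sample); replace it
# with the Dynamic DNS providers actually observed in your own telemetry.
DDNS_SUFFIXES = ("example-ddns.net", "ddns.net", "duckdns.org", "hopto.org")


def parse_log(text):
    """Return (client, host, ip) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, host, ip = parts
            records.append((client, host.lower().rstrip("."), ip))
    return records


def is_ddns(host):
    """True if the hostname sits under one of the configured Dynamic DNS zones."""
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def find_churn(records, min_hosts=3, min_ips=2):
    """Flag many DDNS names on one IP, and one DDNS name resolving to several IPs."""
    hosts_by_ip = defaultdict(set)
    ips_by_host = defaultdict(set)
    for _client, host, ip in records:
        if is_ddns(host):
            hosts_by_ip[ip].add(host)
            ips_by_host[host].add(ip)
    shared_ips = {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}
    rotating = {h: sorted(i) for h, i in ips_by_host.items() if len(i) >= min_ips}
    return {"shared_ips": shared_ips, "rotating_hosts": rotating}


def affected_clients(records, flagged):
    """Internal hosts that resolved any flagged name, to scope the investigation."""
    names = set(flagged["rotating_hosts"]) | {h for hs in flagged["shared_ips"].values() for h in hs}
    return sorted({c for c, host, _ip in records if host in names})
```

Thresholds are deliberately low for the six-line sample; on real resolver volume, tune `min_hosts` and `min_ips` against a baseline of benign Dynamic DNS use before alerting.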

According to ESET, the scale of targeted malware assaults against Colombian entities has significantly intensified since last year, transitioning from a campaign reliant on a limited number of C2 servers to a widespread, rapidly evolving infrastructure that employs hundreds of domain names since 2019. This evolution highlights the pressing need for firms, especially in vulnerable sectors, to fortify their cybersecurity measures against increasingly sophisticated threats.

In considering the potential adversary tactics and techniques that may have been employed during these attacks, one can refer to the MITRE ATT&CK framework. Techniques such as phishing for initial access, the use of malicious attachments for persistence, and lateral movement to escalate privileges are indicative of the methodological approaches observed in Operation Spalax.

The need for vigilance in cybersecurity continues to grow, particularly for organizations exposed to such elaborate and evolving threats.
