Slovak security company ESET has shared details of an ongoing cyber-espionage campaign aimed exclusively at Colombian government entities and private companies, especially in the energy and metallurgical industries. To conduct their surveillance activities, the attackers rely on three Remote Access Trojans (RATs): Remcos, njRAT and AsyncRAT.
The campaign, dubbed “Operation Spalax”, has been active since 2020 and shares some similarities with earlier attacks attributed to an APT group that has targeted the country since at least April 2018. It also differs in enough ways that attribution remains difficult.
Victims are targeted with phishing emails disguised as notifications to take a mandatory COVID-19 test, attend a court hearing, or pay traffic fines. Most of the observed emails carried a PDF attachment containing a link; clicking it downloads a regular RAR archive with an executable inside. The archives are hosted on legitimate file-hosting services such as OneDrive or MediaFire, so the download URL itself does not look out of place.
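The delivery chain above (PDF lure, link to a file-hosting service, archive containing the executable) is cheap to triage before anything is opened. The following is an added example for this page, not ESET's tooling or anything recovered from the campaign: it pulls the link targets out of a PDF and flags links that point at a file-hosting service or an archive. The sample PDF is constructed inline with placeholder URLs; the set of file-hosting host names is an assumption drawn from the services the article names, and the regex only sees link actions stored as uncompressed literal strings (a real sample with compressed object streams needs a proper PDF parser first).

```python
import re
from urllib.parse import urlparse

# Constructed, minimal PDF with two clickable link annotations. It stands in for the
# lure document described above and is not a sample from the campaign; the URLs are
# placeholders (a MediaFire-style archive link and a benign site).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720]
   /A << /S /URI /URI (https://www.mediafire.com/file/abc123/Notificacion.rar/file) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 650 300 670]
   /A << /S /URI /URI (https://www.example.com/aviso) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by a PDF literal string. The group admits backslash escapes so
# an escaped ')' inside the URL does not end the match early.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# File-hosting services the article names as abused for stage-two hosting
# (assumed host names; extend as needed).
FILE_HOSTS = {
    "mediafire.com": "MediaFire",
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
}
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return the URI targets of link actions in an uncompressed PDF, in file order."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1)
        # Undo the literal-string escapes that matter for URLs.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def triage_uri(uri: str) -> dict:
    """Flag a link that points at a known file-hosting service and/or an archive file."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    service = next(
        (name for domain, name in FILE_HOSTS.items()
         if host == domain or host.endswith("." + domain)),
        None,
    )
    segments = [s for s in parsed.path.split("/") if s]
    archive = next((s for s in segments if s.lower().endswith(ARCHIVE_EXTENSIONS)), None)
    return {
        "uri": uri,
        "service": service,
        "archive": archive,
        # A lure that sends the reader to a file-hosting download is the pattern ESET describes.
        "suspicious": service is not None or archive is not None,
    }


def triage_pdf(pdf_bytes: bytes) -> list:
    """Triage every link in the PDF; results come back in the order the links appear."""
    return [triage_uri(u) for u in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for result in triage_pdf(SAMPLE_PDF):
        print(result)
```

The first link resolves to MediaFire and names a `.rar`, so it is flagged; the second is an ordinary web link and is not. Treat a hit as a reason to detonate the download in a sandbox rather than as proof of malice, since the same services host plenty of legitimate files.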
The archives contain various droppers responsible for decrypting and running RATs such as Remcos, njRAT, and AsyncRAT on the compromised device. These tools provide remote control along with keylogging, screen capture, clipboard hijacking, file exfiltration, and the ability to download and execute other malware.
In some cases observed by ESET, the attackers also used heavily obfuscated AutoIt droppers that rely on two pieces of shellcode: one to decrypt the payload and another to inject it into an already running process.
“During our research we saw approximately 70 different domain names used for C&C in the second half of 2020. This amounts to at least 24 IP addresses. By pivoting on passive DNS data for IP addresses and known domain names, we found that the attackers have used at least 160 additional domain names since 2019. This corresponds to at least 40 further IP addresses,” ESET said. “They’ve managed to operate at such scale by using Dynamic DNS services.”
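Pivoting on passive DNS, as ESET describes in the quote above, is mechanical enough to script. The following is an added example for this page, not ESET's code: it walks a constructed passive-DNS table from a seed C&C domain to its IP addresses and on to every other domain those addresses have resolved for, then reports what share of the result sits under dynamic-DNS providers and how far back the oldest resolution goes. All host names and addresses are placeholders (documentation IP ranges, made-up labels under real dynamic-DNS providers), and the list of dynamic-DNS suffixes and the per-IP threshold are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS resolutions: (domain, ip, first_seen, last_seen). The host
# names and addresses are illustrative placeholders, not indicators from the ESET report.
PDNS_RECORDS = [
    ("update-service.duckdns.org", "203.0.113.10", "2020-07-01", "2020-09-15"),
    ("mail-colombia.ddns.net",     "203.0.113.10", "2020-08-03", "2020-12-20"),
    ("docs-gov.hopto.org",         "203.0.113.11", "2019-11-10", "2020-02-28"),
    ("mail-colombia.ddns.net",     "203.0.113.11", "2020-01-04", "2020-03-30"),
    ("status.hopto.org",           "203.0.113.12", "2020-10-02", "2020-11-11"),  # never reached
    ("example-cdn.com",            "198.51.100.5", "2019-01-01", "2021-01-01"),  # unrelated
    # One short-lived resolution to a busy shared-hosting address ...
    ("mail-colombia.ddns.net",     "192.0.2.50",   "2020-05-01", "2020-05-02"),
] + [
    # ... that also hosts many unrelated sites; pivoting through it would drag them all in.
    (f"site{i}.example", "192.0.2.50", "2019-01-01", "2021-01-01") for i in range(25)
]

# Assumed list of dynamic-DNS providers to measure the hosting pattern ESET mentions.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".hopto.org", ".no-ip.org")


def build_indexes(records):
    """Index resolutions both ways: domain -> IPs and IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip, _, _ in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(seeds, records, max_hops=2, max_domains_per_ip=20):
    """Breadth-first pivot: seed domains -> their IPs -> every other domain on those IPs.

    One hop is domain -> IP -> domain. An IP that resolves for more than
    max_domains_per_ip domains is treated as shared hosting or a CDN: it is not
    expanded, and is reported separately so an analyst can look at it by hand.
    """
    by_domain, by_ip = build_indexes(records)
    domains, ips, skipped_ips = set(seeds), set(), set()
    frontier = set(seeds)
    for _ in range(max_hops):
        next_frontier = set()
        for domain in frontier:
            for ip in by_domain.get(domain, ()):
                if ip in ips or ip in skipped_ips:
                    continue
                co_hosted = by_ip[ip]
                if len(co_hosted) > max_domains_per_ip:
                    skipped_ips.add(ip)
                    continue
                ips.add(ip)
                for other in co_hosted - domains:
                    domains.add(other)
                    next_frontier.add(other)
        if not next_frontier:
            break
        frontier = next_frontier
    return {"domains": domains, "ips": ips, "skipped_ips": skipped_ips}


def dynamic_dns_share(domains):
    """Fraction of the discovered domains that sit under a dynamic-DNS provider."""
    if not domains:
        return 0.0
    hits = sum(1 for d in domains if d.lower().endswith(DYNAMIC_DNS_SUFFIXES))
    return hits / len(domains)


def earliest_first_seen(domains, records):
    """Oldest first_seen among the discovered domains (ISO dates sort lexically)."""
    return min(first for domain, _, first, _ in records if domain in domains)


if __name__ == "__main__":
    result = pivot(["update-service.duckdns.org"], PDNS_RECORDS)
    print(sorted(result["domains"]), sorted(result["ips"]), sorted(result["skipped_ips"]))
    print(dynamic_dns_share(result["domains"]),
          earliest_first_seen(result["domains"], PDNS_RECORDS))
```

Starting from one seed, two hops recover two more domains and a second IP, while the shared-hosting address is set aside instead of pulling in its 25 unrelated tenants. The cap on co-hosted domains is what keeps a pivot through dynamic-DNS infrastructure honest: those providers put many customers behind a few addresses, so an uncapped walk quickly stops describing one actor. Real passive-DNS sources add timing, and overlapping first/last-seen windows are the next filter worth applying.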
“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year. The landscape has changed from a campaign that had a handful of C&C servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019. Even though TTPs have seen changes, not only in how malware is delivered in phishing emails but also in the RATs used, one aspect that remains the same is that the attacks are still targeted and focused on Colombian entities, both in the public and private sectors,” the researchers concluded.