According to a recent study by Trend Micro, a new group of spammers sending spear-phishing emails to South American companies has retooled its campaign methods to incorporate a wide range of commodity RATs (Remote Access Trojans) and geolocation filtering to escape detection.
APT-C-36 (Blind Eagle), an advanced persistent threat (APT), was responsible for the attacks. It is a suspected South American espionage group that has been active since 2018 and has previously targeted Colombia’s financial, petroleum, and manufacturing sectors.
The infection chain starts when a recipient opens a fake PDF or Word document claiming to be a bank seizure order.
“APT-C-36 utilizes different ruses for their targets: Many of the fraudulent emails impersonate Colombia’s national directorate of taxes and customs, Dirección de Impuestos y Aduanas Nacionales (DIAN), a lure that the threat actor has used before. Such emails claim that a ‘seizure order to bank account has been issued,’” says Trend Micro.
The victim is prompted to click a link generated by a URL shortener service such as acortaurl.com, cort.as, or gtly.to, or, in some cases, a link that abuses services of Colombian government organizations.
These URL shorteners let the attackers filter visitors by location: if a user from a country the threat actors are not targeting follows the link, they are routed to a benign site. The shorteners can also recognize major VPN providers, in which case the shortened link sends the user to a legitimate website rather than forwarding them to the malicious page. As a result, analysts who resolve such a link from outside the targeted region or through a VPN may only ever see the harmless destination.
Victims meeting the criteria are redirected to a file hosting server that automatically downloads a password-protected archive. Opening the archive with the password given in the email or attachment eventually leads to the execution of BitRAT, a C++-based remote access trojan that first surfaced in August 2020.
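To make the lure chain above concrete from the defender's side, here is an added triage example (not code from the Trend Micro report) that scores an inbound message on the three traits the campaign combines: a link to one of the shortener domains named above, the DIAN/seizure-order lure text, and an archive password quoted in the body. The lure phrases, password keywords and the two sample emails are constructed for the example; only the three shortener domains come from the report.

```python
import re
from urllib.parse import urlparse

# Shortener domains named in the report; a real deployment would extend this set.
SHORTENER_DOMAINS = {"acortaurl.com", "cort.as", "gtly.to"}

# Lure phrases (constructed, Spanish and English) matching the DIAN seizure-order theme.
LURE_PATTERNS = [r"orden de embargo", r"seizure order", r"\bDIAN\b", r"impuestos y aduanas"]

# "Contraseña: 2022", "password = abc" and similar; the archive password travels in the mail.
PASSWORD_PATTERN = re.compile(r"(contrase[nñ]a|password|clave)\s*[:=]?\s*(\S+)", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.I)


def triage_email(subject: str, body: str) -> dict:
    """Score one message against the lure pattern; returns the indicators found.

    A score of 2 or more deserves a sandbox detonation. Because the shorteners are
    geofenced and detect VPN exits, the detonation host must egress from an IP in the
    targeted country, or the link will only ever resolve to the benign decoy site.
    """
    text = f"{subject}\n{body}"
    urls = URL_PATTERN.findall(text)
    shortened = [u for u in urls if urlparse(u).hostname in SHORTENER_DOMAINS]
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.I)]
    pw = PASSWORD_PATTERN.search(body)
    score = (1 if shortened else 0) + (1 if lures else 0) + (1 if pw else 0)
    return {"urls": urls, "shortened": shortened, "lures": lures,
            "archive_password": pw.group(2) if pw else None, "score": score}


# Constructed sample messages, not real campaign emails.
SAMPLE_EMAILS = [
    ("DIAN - Orden de embargo a cuenta bancaria",
     "Se ha emitido una orden de embargo a su cuenta bancaria. Descargue el "
     "documento: https://acortaurl.com/x9Q2k  Contraseña: 2022"),
    ("Reunión de equipo", "Agenda: https://intranet.example.com/agenda"),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_EMAILS:
        print(subject, "->", triage_email(subject, body))
```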
Government, finance, healthcare, telecommunications, and energy are among the affected sectors. Most targets of these campaigns are in Colombia, with a few in Spain, Ecuador, and Panama.