Colombian energy, metal firms under fire in new Trojan attack wave


Aug 17, 2014
A wave of attacks against companies in Colombia uses a trio of Remote Access Trojans (RATs) to steal confidential, sensitive data.

The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday.

In a blog post, the cybersecurity firm said government and private entities in Colombia are being exclusively targeted by the threat actors, who seem to have a particular interest in the energy and metallurgical industries.

ESET began tracking the campaign, which is ongoing, in the second half of 2020 when at least 24 IP addresses -- likely compromised devices acting as proxies for the attackers' command-and-control (C2) servers -- were linked to a spate of attacks.

To begin the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The subjects of these fraudulent messages range from demands to attend court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test.

In some samples, agencies including the Office of the Attorney General (Fiscalia General de la Nacion) and the National Directorate of Taxes and Customs (DIAN) were impersonated.

Each email carries a .PDF attachment that links to a .RAR archive hosted on OneDrive, MediaFire, or another file-hosting service. If the victim downloads the archive, an executable inside it launches the malware.
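The delivery pattern described above (agency impersonation, a lure subject, a PDF attachment whose link leads to a .RAR archive on a file-hosting service) translates fairly directly into a mail-gateway triage rule. The following is an added example, not code from the post or from ESET: the e-mail records are constructed for illustration, the hosting-domain list is an assumption limited to the two services the post names, and the scoring weights are a design choice rather than anything the article specifies.

```python
"""Triage inbound e-mail metadata for the Operation Spalax delivery pattern.

Added example; not ESET's or the forum post's code. Sample mails, hosting
domains and scoring weights are constructed/assumed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators taken from the post: impersonated agencies and lure themes.
IMPERSONATED_SENDERS = ("fiscalia", "dian")
SUBJECT_LURES = ("audiencia", "court hearing", "cuenta", "account freeze", "covid")
# Assumed hosting domains for the two services the post names.
FILE_HOSTS = ("onedrive.live.com", "mediafire.com")

# Weights are a design choice: the delivery pattern alone is decisive,
# lure text on its own only raises analyst priority.
WEIGHT_DELIVERY = 3
WEIGHT_LURE = 1
FLAG_THRESHOLD = 3


@dataclass
class Email:
    sender_name: str
    subject: str
    attachments: list[str]
    urls: list[str]  # URLs extracted from attachment bodies (e.g. links in the PDF)


@dataclass
class Verdict:
    flagged: bool
    score: int
    reasons: list[str] = field(default_factory=list)


def _hosted_archive(url: str) -> bool:
    """True when the URL points at a .rar file on a known file-hosting domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_host = any(host == h or host.endswith("." + h) for h in FILE_HOSTS)
    # Some hosts append a trailing segment after the file name, so check every path segment.
    has_rar = any(seg.lower().endswith(".rar") for seg in parsed.path.split("/"))
    return on_host and has_rar


def triage(mail: Email) -> Verdict:
    """Score one mail against the indicators and explain each point awarded."""
    score, reasons = 0, []
    name = mail.sender_name.lower()
    if any(tok in name for tok in IMPERSONATED_SENDERS):
        score += WEIGHT_LURE
        reasons.append(f"sender display name impersonates an agency: {mail.sender_name!r}")
    subj = mail.subject.lower()
    if any(tok in subj for tok in SUBJECT_LURES):
        score += WEIGHT_LURE
        reasons.append(f"subject matches a lure theme: {mail.subject!r}")
    has_pdf = any(a.lower().endswith(".pdf") for a in mail.attachments)
    archive_links = [u for u in mail.urls if _hosted_archive(u)]
    if has_pdf and archive_links:
        score += WEIGHT_DELIVERY
        reasons.append("PDF attachment links to a hosted .rar archive: " + ", ".join(archive_links))
    return Verdict(score >= FLAG_THRESHOLD, score, reasons)


def run_samples() -> list[Verdict]:
    """Constructed mails: one full lure, one benign invoice, one lure without the payload link."""
    samples = [
        Email("Fiscalia General de la Nacion", "Citación a audiencia judicial",
              ["Citacion.pdf"], ["https://www.mediafire.com/file/abc123/Citacion_Judicial.rar/file"]),
        Email("Contabilidad", "Factura agosto",
              ["factura.pdf"], ["https://portal.example.com/factura/2021-08"]),
        Email("DIAN", "Su cuenta ha sido bloqueada",
              [], ["https://onedrive.live.com/download?cid=X&resid=Y"]),
    ]
    return [triage(m) for m in samples]


if __name__ == "__main__":
    for v in run_samples():
        print("FLAGGED" if v.flagged else "clean  ", v.score, "; ".join(v.reasons))
```

The third sample shows why the weights matter: agency impersonation plus a lure subject is worth recording for the analyst, but without the PDF-to-archive link it stays below the flag threshold, so a gateway rule built this way blocks the delivery chain the post describes without quarantining every mail that merely mentions a tax authority.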