- Aug 17, 2014
A wave of attacks against companies in Columbia uses a trio of Remote Access Trojans (RATs) to steal confidential, sensitive data.
The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday.
In a blog post, the cybersecurity firm said government and private entities in Columbia are being exclusively targeted by the threat actors, who seem to have a particular interest in the energy and metallurgical industries.
ESET began tracking the campaign, which is ongoing, in the second half of 2020 when at least 24 IP addresses -- likely compromised devices acting as proxies for the attackers' command-and-control (C2) servers -- were linked to a spate of attacks.
To begin the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The subjects of these fraudulent messages range from demands to attend court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test.
In some samples, agencies including the Office of the Attorney General (Fiscalia General de la Nacion) and the National Directorate of Taxes and Customs (DIAN) were impersonated.
Each email has a .PDF file attached, linking to a .RAR archive. If the victim downloads the package -- located on OneDrive, MediaFire, and other hosting services -- an executable file within triggers malware.