A hacking group from Colombia, tracked as "APT-C-36", is running a phishing campaign that spoofs emails and aims to compromise victims in South America.
In this campaign, the threat actors have used a wide range of malware and geolocation filters to infect computers while evading several kinds of detection.
The phishing campaign was first detected by the cybersecurity company Trend Micro. In it, the threat actors deploy a remote access tool (RAT) that monitors the compromised computers and collects all kinds of information from them.
The delivery emails & documents
APT-C-36 uses several lures against its victims. Many of the fraudulent emails impersonate Colombia's national directorate of taxes and customs, Dirección de Impuestos y Aduanas Nacionales (DIAN), a trick the threat actor has used before.
These emails generally claim that a "seizure order to a bank account has been assigned," that further details are enclosed in the attachment, and that the attachment is protected with the password "dian".
The campaign also delivers documents, either a PDF or a DOCX file, that contain a link. During the investigation, the analysts found samples of these documents impersonating DIAN, and others impersonating Google Photos.
Payload
Later in the investigation, the analysts determined that the executable inside the password-protected archive is a RAT called BitRAT.
The most interesting finding from the analysis is that the RAT's configuration settings are stored as an encrypted block of data.
The main BitRAT executable carries two hexadecimal strings: the longer string is the encrypted configuration, and the shorter one is the first part of the decryption key.
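The layout described above (a long hex string holding the encrypted configuration and a short hex string holding part of the key) is something an analyst can triage directly from a sample before reversing the cipher. The script below is an added example, not code from the page or from Trend Micro's analysis: it scans a binary for runs of ASCII hex characters, decodes each run, ranks the runs by length and reports the byte entropy of each, so the longest high-entropy run stands out as the configuration candidate and the next shorter one as the key fragment. The "binary" it scans is a constructed sample (a fake MZ header, a dummy config blob and a dummy key fragment); it says nothing about BitRAT's actual cipher, its key derivation, or where the second key part comes from, none of which the page describes.

```python
import math
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "executable": a fake PE-like image carrying two embedded
# ASCII hex strings, mirroring the layout described above. The bytes, offsets and
# the key fragment are assumptions for this example, not BitRAT's real values.
FAKE_CONFIG_HEX = bytes(range(256)).hex().encode()   # 512 hex chars -> 256 bytes
FAKE_KEY_PART_HEX = b"0123456789abcdef" * 2           # 32 hex chars  -> 16 bytes
FAKE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + FAKE_KEY_PART_HEX + b"\x00"
    + b".data\x00\x00\x00"
    + FAKE_CONFIG_HEX + b"\x00"
    + b"\xff" * 32
)


def find_hex_strings(data: bytes, min_chars: int = 32) -> List[Tuple[int, bytes]]:
    """Return (offset, run) for every run of at least min_chars ASCII hex characters."""
    pattern = re.compile(rb"[0-9A-Fa-f]{%d,}" % min_chars)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe_run(offset: int, run: bytes) -> Dict:
    """Decode one hex run and summarise it for triage."""
    if len(run) % 2:
        run = run[:-1]  # an odd-length run cannot decode; drop the trailing nibble
    raw = bytes.fromhex(run.decode("ascii"))
    return {
        "offset": offset,
        "hex_chars": len(run),
        "raw_len": len(raw),
        "entropy": shannon_entropy(raw),
        "raw": raw,
    }


def triage_config_candidates(data: bytes) -> Dict[str, Optional[Dict]]:
    """Rank hex runs by length: longest = config candidate, next = key-part candidate."""
    runs = sorted(find_hex_strings(data), key=lambda r: len(r[1]), reverse=True)
    described = [describe_run(off, run) for off, run in runs]
    return {
        "config": described[0] if described else None,
        "key_part": described[1] if len(described) > 1 else None,
        "all": described,
    }


if __name__ == "__main__":
    result = triage_config_candidates(FAKE_BINARY)
    for label in ("config", "key_part"):
        cand = result[label]
        print(f"{label}: offset=0x{cand['offset']:x} bytes={cand['raw_len']} "
              f"entropy={cand['entropy']:.2f}")
```

On a real sample the same functions would be run over the file bytes (`triage_config_candidates(open(path, "rb").read())`); a config candidate whose decoded entropy is well below 8 usually means the run is plain hex-encoded text rather than ciphertext, which is a useful sanity check before spending time on the key.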
RATs used by APT-C-36
Here is the list of RATs used by APT-C-36:
- njRAT
- Imminent Monitor
- A custom modified ProyectoRAT
- Warzone RAT
- Async RAT
- Lime RAT
- Remcos RAT
- BitRAT
Affected regions and industries
The majority of the targets discovered in this campaign were located in Colombia, with further targets in other countries such as Ecuador, Spain, and Panama.
The campaign has also affected multiple industries, chiefly government, financial, and healthcare entities, along with some telecommunications, energy, and oil and gas organizations.
Recommendations
Threat actors like APT-C-36 continually try new methods to deploy their malware and aim to stay one step ahead of their victims' protections.
To defend their data against spear-phishing attempts, businesses can benefit from security tools and solutions that protect end users by detecting and blocking malicious files, spam messages, and malicious URLs.
Companies should also make their staff aware of this kind of phishing attack, since a single opened attachment can cause serious problems, and should keep their protection tools properly configured and up to date to withstand such campaigns.
To read the original article: https://cybersecuritynews.com/apt-c-36-hacking-group/