A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research.
Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected South America espionage group that has been active since at least 2018 and previously known for setting its sights on Colombian government institutions and corporations spanning financial, petroleum, and manufacturing sectors.
Primarily spread via fraudulent emails by masquerading as Colombian government agencies, such as the National Directorate of Taxes and Customs (DIAN), the infection chain commences when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts and click on a link that's been generated from a URL shortener service like cort.as, acortaurl.com, and gtly.to.
"These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website," Trend Micro researchers detailed in a report published last week. "The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link."
Should the victim meet the location criteria, the user is redirected to a file hosting server, and a password-protected archive is automatically downloaded, the password for which is specified in the email or the attachment, ultimately leading to the execution of a C++-based remote access trojan called BitRAT that first came to light in August 2020.
Multiple verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been affected, with a majority of the targets for the latest campaign located in Colombia and a smaller fraction also coming from Ecuador, Spain, and Panama.
"APT-C-36 selects their targets based on location and most likely the financial standing of the email recipient," the researchers said. "These, and the prevalence of the emails, lead us to conclude that the threat actor's ultimate goal is financial gain rather than espionage."