According to new research, a spam campaign that sends spear-phishing emails to South American companies has retooled its tactics to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to evade detection. The attacks, detected by the cybersecurity firm Trend Micro, were attributed to APT-C-36 (Blind Eagle).
APT-C-36 is a suspected espionage group operating in South America that has been active since at least 2018. The group primarily targets Colombian government institutions as well as significant banking, petroleum, and professional manufacturing firms.
Several verticals, including government, finance, healthcare, telecommunications, energy, oil, and gas, are reportedly affected. Colombia accounts for the majority of the targets in the latest campaign, while Ecuador, Spain, and Panama account for a minor portion.
The infection chain starts when a message recipient opens a decoy PDF or Word document, which claims to be a seizure order from Colombian government agencies against the recipient's bank accounts, and clicks on a link generated by a URL shortener service such as acortaurl.com, cort.as, or others.
Trend Micro analysts explained in a report released last week that if a user from a country not targeted by the threat actors clicks on the link, it sends them to a legitimate website. “URL shorteners can also recognize major VPN services, in which case the shortened link redirects viewers to a real website rather than the malicious one,” the researchers said.
If the victim meets the criteria, the user is redirected to a file-hosting server, from which a password-protected archive is automatically downloaded, with the password supplied in the email or attachment. This eventually leads to the execution of BitRAT, a C++-based remote access trojan that first surfaced in August 2020.
However, according to the researchers, the threat actor's ultimate purpose in this campaign is financial gain rather than espionage.