Operation Spalax and RATs

In a recently published report by ESET, titled “Operation Spalax: Targeted malware attacks in Colombia” the details of a campaign targeting Columbian energy and metal firms were analyzed. The campaign began in 2020 and appears to still be ongoing. In summary, the attackers make use of relatively easy to obtain remote access trojans (RATs) to spy on victims. Given that RATs are best suited to spying on targets this would be the likely modus operandi of the attackers; however, they can be further weaponized or used to first compromise a machine and then drop more damaging malware onto the already compromised machine.

In the wild RATs are typically masqueraded as legitimate programs that are either mistakenly downloaded or installed from an attachment by the victim. Once installed they grant the attacker administrative control over the device, effectively granting control of the device over to the attacker to do with what they please. As they are either legitimate-looking or are bundled with legitimate files, they often evade detection. Over the years RATs have evolved not just to grant the attacker access to the computer but have added keylogging and information stealing capabilities. Some have been seen to be able to steal banking information and related credentials, exfiltrate the data to a server under the attacker’s control, and then be used to commit bank fraud.

In the campaign analyzed by ESET, the malicious files were sent via emails with lures ranging from the COVID-19 pandemic to an embargo on bank accounts, and dates for an apparent court appearance. Despite the wide range of lures, the emails do not appear to be specifically tailored to the victim. It is safe to assume that the attackers feel the lure is sufficient to get a victim to install the malware without thinking twice about the malicious nature of the email. In some cases, the attackers sent spoofed emails to look like they came from the Columbian traffic authority pretending to be a traffic fine.

operation spalax

The fines details and proof on infraction were supposed in a PDF file sent as an attachment. The PDF file only contained a link in the form of a shortened URL,  https://acortaurl[.]com/httpsbogotagovcohttpsbogotagovcohttpsbogotagovco.. When expanded, the URL, http://www.mediafire[.]com/file/wbqg7dt604uwgza/SIMITcomparendoenlineasimitnumeroreferenciaComparendo2475569.uue/file., links to RAR archive hosted on MediaFire. If the link is clicked the infection routine begins in earnest. Researchers noted that the archives were hosted on either MediaFire or OneDrive.

Within the RAR archive, there is an executable file often containing a variety of packers. In defining a packer Malwarebytes provided one far better than the writer could, with researchers stating,

“This usually is short for “runtime packers” which are also known as “self-extracting archives”. Software that unpacks itself in memory when the “packed file” is executed. Sometimes this technique is also called “executable compression”. This type of compression was invented to make files smaller. So users wouldn’t have to unpack them manually before they could be executed. But given the current size of portable media and internet speeds, the need for smaller files is not that urgent anymore. So when you see some packers being used nowadays, it is almost always for malicious purposes. In essence to make reverse engineering more difficult, with the added benefit of a smaller footprint on the infected machine.”

The use of packers in this campaign would aid in the overall aim of spying on the victim as the attackers would want to make as little noise on the victim’s computer to better avoid detection. It is important to note that the malware will only execute if the victim extracts the RAR file from the chosen host and serves to prove why clicking links can be a dangerous endeavor.

The RATs

In the case of this campaign, the packers will also serve the purpose of allowing the RATs to continually run on the victim’s computer. This is done by first decrypting the payload then injecting it into a legitimate process, making detection even harder and allowing the RAT to run unnoticed for extended periods of time. Researchers have seen three different RATs being used, namely Remcos, njRAT, and AsyncRAT.

One of the last times this platform published news pertaining to Remcos the malware was being dropped onto systems via the “Heaven’s Gate” technique which abuses how 32-bit malware can be executed on 64-bit systems. The technique is used primarily to evade detection making it a solid choice in looking to distribute a RAT.

Returning to Remcos, the software is sold online as a legitimate tool to be used for remote control and surveillance of a computer, the developers strictly forbid its misuse but there is really no way to stop hackers from abusing the software for their own ends. Remcos is typically sold on a six-month license and a free version with limited functionality is available. Researchers discovered that the version used by the attackers is the paid version and newer versions of Remcos have been used in line with the developers releasing updates.

njRAT can be purchased on underground hacker forums and is more than just a RAT. The malware can conduct DDoS attacks and ransomware encryption along with a host of other spying features. Two versions have been seen used by attackers to target Columbian companies, the first has the features mentioned above and is known as the “Lime” version. The second, the “green edition” includes a more focussed feature-set geared to spying and includes the following capabilities: keylogging, taking screenshots, access to webcam and microphone, uploading and downloading files, and executing other binaries.

Lastly, researchers saw AsyncRAT which is easily available for download via GitHub. Like the others, the main focus of the malware is to spy undetected for extended periods of time. In concluding, the researchers stated,

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year. The landscape has changed from a campaign that had a handful of C&C servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019. Even though TTPs have seen changes, not only in how malware is delivered in phishing emails but also in the RATs used, one aspect that remains the same is that the attacks are still targeted and focused on Colombian entities, both in the public and private sectors. It should be expected that these attacks will continue in the region for a long time, so we will keep monitoring these activities.”

Who’s behind the campaign?

The researchers noted there are similarities to campaigns discovered by Trend Micro and QiAnXin. While, there are similarities in tactics and malware used across the various campaigns, the researchers at ESET were unwilling to officially attribute the campaign to a known group. QiAnXin, however, believed that APT-C-36, also known as Blind Eagle, was behind the campaign they detected. The group has been known to target industries and businesses in Columbia, with active campaigns being traced back to 2018. The group is also known for using spoofed emails which malicious attachments. In one instance the group created emails to look like they were sent by the Columbian Cyber Police. In that case, the aim was to spy on organizations of interest.

The similarities between the campaigns discovered by ESET and QiAnXin include:

  • Malicious samples included similar indicators of compromise of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use linkpc.net and publicvm.com subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.

While similarities exist, there appears to be no smoking gun that proves APT-C-36 is behind the campaign discovered by ESET. At least for the time being.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal