APT-C-36 is now running a spam campaign that uses commodity RATs to infiltrate South American companies for financial gain. njRAT, BitRAT, Async RAT, and Lime RAT are reportedly among the RATs being used by the group. The group’s motivations are still hazy, other than the possibility of financial gain.
APT-C-36 is now engaged in a phishing campaign in which it sends out bogus emails pretending to be from Colombia’s national directorate of taxes and customs.
- There are emails saying that a bank account seizure order has been issued and more information is supplied in the email attachment. The password is dian, and it’s safe to use.
- Other spam emails sent as part of the campaign include a photo purporting to show proof of the recipient’s partner’s extramarital affair. Similarly to earlier emails, the sender urges recipients to open an email attachment named attached picture jpg, which contains the password ‘foto,’ which is provided by hackers.
- The sender’s email address has been faked and disguised as DIAN or a Hotmail address with a bogus female profile.
- The delivery documents for these emails are PDF/DOCX files that include a link (created using a URL shortener). Clicking on the link takes them to a file hosting site, where they will be prompted to download a malicious software called BitRAT.
The majority of the people targeted were in Colombia, but there were also some in Ecuador, Spain, and Panama, as well as the United States. Some of the spear-phishing emails were in Spanish.
These are the primary industries that have come under attack.
The energy, oil and gas, and telecommunications industries have all been targets for some of the attacks.
Over time, APT-C-36 appears to have honed its phishing email tactics to include various link shorteners and RATs. A lot of time and effort has gone into perfecting this malware’s ability to spread undetected. This threat category must therefore be closely monitored to avoid any unwanted shocks.