Recently, a campaign of espionage directed mainly at Colombia, which had significant activity until the end of March this year. The cyber criminals have been trying to spread the malware njRAT, a common type of trojan remote access, and remain on the compromised computer undetected for as long as possible.
The campaign was named “Operation Discordia” by researchers at ESET. This is because attackers use the platform Discord to host and download malware onto compromised computers. The platform was originally intended for gamers, but it gradually grew and cybercriminals also started using it to host malware and perform other malicious actions.
The main victims are companies from different sectors, non-profit organizations and government agencies. This malicious code downloaded allows attackers to remotely control the infected computer and perform actions such as:
– Send and receive files.
– Record keystrokes.
– Take screenshots.
– Take pictures with the camera and record audio, etc.
The method to gain initial access and start the chain of infection until the njRAT download starts with emails from phishing which are believed to be official communications from the Colombian System of Oral Crimes (SPOA). These emails include compressed files as attachments protected by a four-digit password.
Although there are no examples of these phishing emails, the names of some of these files zip attachments they can already give an idea of the context of the messages. Next, the following is known:
– “Tax notification in your name We appreciate prompt confirmation of receipt in addition to filling out the form within the attachment.bz2”
– “I request you to register the corresponding marginal note in the original civil registry of birth of the interested parties FILE KEY 0903.R19”
– “Fiscal requirement here you will find a copy of the complaint filed against you NUNC SPOA.bz2″
On the other hand, the names of the files contained in the downloaded file, which can be two or more files, also provide some clues. As you can see in the image below, these are files with the extension .vbs. These files are scripts developed using the Visual Basic programming language.
Two different methods of infection
The people who carried out this campaign used two different infection mechanisms, but both tried to download njRAT as a last resort.
“If we pay attention to the following image, we can see that many of the names used for the variables are in Spanish. And if we add to this the themes used in the compressed files, it is possible that the malicious actors behind this campaign are Spanish-speaking.” Miguel Angel Mendoza, Computer Security Researcher at ESET Latin America.
– Method 1
The attached files had a .bz2 extension and contained malicious scripts developed in Visual Basic, which, when executed, download a PowerShell script that is hosted on Discord and which in turn downloads other modules from the same platform, which are the ones that end up downloading njRAT in the team.
The following image shows an example of the malicious code within these PowerShell scripts:
– Method 2
In some cases a different infection method was detected which also starts with a Visual Basic script that downloads another PowerShell script from Discord which makes it check if the path HKCU:softwarewow6432nodeMicrosoftWindowsUpdate exists in the logs. Windows.
If the path exists, it stores AES-encrypted malicious code.
Recommendations to avoid being a victim of malware
The main recommendation to avoid being a victim of this type of campaign is to have special care with the emails that arrive in the inbox.
It’s important to pay attention to the sender’s email address, the body of the message, whether it was an unexpected email, and whether the message made sense. In case of doubt, do not click on any links, nor download any attachments. Attackers often mask the actual format of a file by renaming the file to look like a different extension.
Last but not least, it’s always good install a reliable security solution on the device to filter out these threats as soon as they hit an email account.