APT-C-36 Drops Commodity RATs For Financial Gains

What's new?

• The emails state that a seizure order has been issued for a bank account and further details are provided inside the email attachment. The information is protected with the password ‘dian’.
• Other spam emails used in the campaign claim to have a photo as proof of the recipient's partner’s affair. Just like other emails, recipients are urged to open the email attachment named attached picture[.]jpg, and ‘foto’ is the password provided by hackers.
• The sender’s email address is spoofed and disguised as DIAN or a Hotmail address portrayed as a fake female profile.
• Moreover, these emails use PDF/DOCX files including a link (generated from a URL shortener) as delivery documents. When clicked, recipients are taken to a file hosting site that automatically downloads an archive laden with BitRAT.

Who are on the target?

• Most of the targets are based in Colombia, however, some were based in Ecuador, Spain, and Panama. Some of the spear-phishing emails were written in Spanish.
• The group has targeted mainly the financial, government, and healthcare sectors. 
• Some of the attacks were also observed in the energy, oil and gas, and telecommunications sectors.

Conclusion