A new threat group has been discovered spreading email threats in Spanish. The group, tracked as TA2721, targets individuals with Spanish surnames. Most of these individuals work at global organizations across various industries.
Proofpoint researchers have recently discovered this highly active and dangerous threat group, TA2721, aka Caliente Bandits.
The group's targets include industries operating in food and beverage, manufacturing, automotive, banking, entertainment, insurance, media, and agriculture sectors.
All of these targeted organizations are multinational, along with small businesses based in the U.S., South America, and Europe.
The attackers used budget or payment-themed lures throughout their campaigns, urging the recipients to download a PDF.
Researchers started tracking this group in January and have observed distributed email threats delivering Bandook every week, starting April. The attackers sent around 300 messages per campaign.
The attackers spread two different Bandook variants and even attempted to evade detection. They used password-protected malicious archives to make detection harder.
The infection chain employs a PDF file that includes a URL leading to an encrypted RAR file. This file installs Bandook.
The attackers used the same C2 infrastructure for more than a few weeks or even months at a time. In the last six months, researchers have observed just three different C2 domains.
The threat actors sent Spanish-language messages mimicking businesses based in South America, such as Venezuela or Mexico, and sent from Gmail or Hotmail email addresses.
Particular focus on Spanish surnames, along with low volume targeting, implies that attackers performed reconnaissance before launching campaigns.
The highly-targeted campaign by TA2721 suggests that the group has a clear goal and prepares well before launching attacks. Furthermore, a steady and consistent pace of attacks indicates that the actor is planning to continue its operation to spread Bandook malware variants with spoofed emails. Therefore, security professionals need to keep an eye on this steadily growing threat to avoid any sudden surprises.