Lab52 has had access to different very recent spear-phishings and the following summary information has been obtained from the analysis of these mails:<\/p>\n\n\n\n
- This is a group that, as already mentioned in the articles [1] and [2], knows well the Spanish language. <\/li>
- They usually use different types of url shorteners in their mailings. The case of \u201ccort.as\u201d shortenner has caught our attention since it is a shortener from the Spanish newspaper “El Pais” that belongs to the \u201cPrisa Group\u201d very spread in Latin America. <\/li>
- We have also seen links to docs.google.com, mediafire and onedrive to download the samples inside some malspam emails. <\/li>
- Their most popular malware is LimeRAT, although many others have been found as indicated in the reports. VJWorm has also been seen recently with different techniques for exfiltration. <\/li>
- It has also been observed from some spear-phishings the exfiltration by Yopmail’s HTTPS webmail service. This coincides with the indications of TrendMicro <\/li>
- The most common dynamic domains seen are:
- duckdns.]org <\/li>
- publicvm.]com <\/li>
- linkpc.]net <\/li><\/ol><\/li><\/ul>\n\n\n\n
Since\nLab52 does not have enough information to be able to say that\neverything analyzed is a single group, it can only be said that these\nare different techniques used to attack a country.<\/p>\n\n\n\n
From this information, the infrastructure used by the attackers as command and control servers when executing the malware has been analyzed and the following graph has been obtained:<\/p>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/image1.png\")
<\/figure><\/div>\n\n\n\nThree\nsets (clusters) of ip addresses have been identified and each one has\nsome characteristics:<\/p>\n\n\n\n
Cluster\nA<\/strong><\/em> has the following\ncharacteristics:<\/p>\n\n\n\n
- \nAll\n\tits infrastructure is geolocated in Colombia. All the IPs correspond\n\tto Colombian ISPs’ IPs. This is perhaps one of the most outstanding\n\taspects.\n\t<\/li>
- \nDomains\n\tare reused and the ip to which it points is changed.\n\t<\/li>
- \nThis\n\tcluster only uses free \u201cduckdns.org\u201d domains.\n<\/li><\/ul>\n\n\n\n
Cluster\nB<\/strong><\/em> has the following\ncharacteristics:<\/p>\n\n\n\n
- \nIts\n\tinfrastructure is located in Colombia, Costa Rica and Panama. The\n\tgeolocated ip’s in the United States correspond to domains that have\n\tbeen “sinkholed”. By obtaining more information about the\n\tIPs, it can be seen how they are using a VPN service that allows\n\thaving geolocalized IPs in Colombia, Costa Rica and Panama. The\n\tservice is called “Powerhouse Management” (phmgmt[.]com).\n\tTherefore this cluster is not compromising infrastructure of\n\tColombian ISP clients, but is using this VPN service.\n\t<\/li>
- \nThis\n\tcluster is reusing domains and changing ip addresses a lot. They\n\thave a very short duration.\n\t<\/li>
- \nThis\n\tcluster uses as SLD linkpc.net and publicvm.com.\n\t<\/li>
- \nThis\n\tcluster coincides with part of the domains registered in the report\n\tof the Chinese company 360 on APT-C-36.\n<\/li><\/ul>\n\n\n\n
Cluster\nC<\/strong> has the following\ncharacteristics:<\/p>\n\n\n\n
- \nAll\n\tits infrastructure is geolocated in Colombia. All the IPs correspond\n\tto Colombian ISPs’ IPs.\n\t<\/li>
- \nIn\n\tthis case many domains are used and few ip addresses. \n\t\n\t<\/li>
- \nThis\n\tcluster uses free domains duckdns.org.\n<\/li><\/ul>\n\n\n\n
Among\nthe domains used by these group\/s we highlight the domain:<\/p>\n\n\n\n
- \ncobroserfinansa[.]com<\/strong>:\n\tThis domain has solved more than 150 different ip’s (157 exactly\n\twhen this report was made) where all of them have been located in\n\tColombia.\n<\/li><\/ul>\n\n\n\n
Another outstanding aspect from the infrastructure point of view is that the ip’s located in Colombia correspond with a high probability to ip’s of routers compromised by the attackers. Lab52 hypothesis is that attackers compromise routers with default credentials and use them as a frontend for their real command and control server. This fact has not been verified by Lab52, but has been observed as a common TTP for other groups. The routers seen, allow the use of the iptables command so automation by attackers for redirection is simple.<\/p>\n\n\n\n
Conclusions<\/h2>\n\n\n\n
- The attackers know well the language of the attacked country, Spanish, so it could be considered Spanish-speaking countries as the main options of attacking countries. This aspect has already been indicated in the other reports. From Lab52 we would reinforce this hypothesis by the use of a shortener \u201ccort.as\u201d. <\/li>
- The emails are well written and are almost always related to financial matters, specifically related to debt. <\/li>
- Currently, the attackers are not using malware developed by themselves and are using public malware projects such as LimeRAT. <\/li>
- Attackers are using high ports to communicate with command and control servers. <\/li>
- Attackers are probably using multi-level command and control architectures to hide the main command and control server. As a first level, they have used until the moment:
- VPN services where Colombia, Panama and Costa Rica exist as an outgoing ip <\/li>
- Routers from ISP clients with default credentials or vulnerabilities. All these ISPs belong to Colombia. <\/li><\/ul><\/li>
- Attackers use shorteners for links in emails. It is advisable to watch out for shortcuts belonging to the newspaper \u201cEl Pais\u201d. <\/li>
- Another option to the shorteners are links to file hosting services (google, mediafire, dropbox, etc.) <\/li><\/ul>\n\n\n\n
- \ncobroserfinansa[.]com<\/strong>:\n\tThis domain has solved more than 150 different ip’s (157 exactly\n\twhen this report was made) where all of them have been located in\n\tColombia.\n<\/li><\/ul>\n\n\n\n