We have continued tracking APT-C-36, also known as Blind Eagle, since our research on this threat actor in 2019. We share new findings of APT-C-36’s ongoing spam campaign targeting South American entities.
By: Jaromir Horejsi, Daniel Lunghi
In 2019, we wrote a blog entry about a threat actor, likely based in Colombia, targeting entities in Colombia and other South American countries with spam emails. This threat actor is sometimes referred to as APT-C-36 or Blind Eagle. Since then, we have continued tracking this threat actor. In this blog entry, we share our new findings about APT-C-36’s ongoing spam campaign during that monitoring phase.
APT-C-36 has been known to send phishing emails to various entities in South America using publicly available remote access tools (RATs). Over time, the threat actor switches from one RAT to another. In the past, we have observed that APT-C-36 makes use of RATs such as:
APT-C-36 uses different ruses for its targets. Many of the fraudulent emails impersonate Colombia’s national directorate of taxes and customs, Dirección de Impuestos y Aduanas Nacionales (DIAN), a lure that the threat actor has used before. Such emails claim that a “seizure order to bank account has been issued,” that further details are contained in the email attachment, and that the information is protected with the password “dian” (Figure 1). In English, the attachment’s name translates to “seizure order.pdf” and the email body translates to the following:
“Subject: we have sent a seizure order to the bank accounts matching your name
Dear taxpayer,
For your information, our intelligent IT system detected that your income statement at the Direccion de Impuestos y Aduanas DIAN has 180 days of arrears. For that reason, we will proceed as stated in the law, article 823 until 843-2.
We attach the information and your debt with the password : dian”
Other fake emails in this campaign claim to contain a photo that would prove that the recipient’s partner is having an affair. In a similar fashion, the recipient is asked to open the email attachment named “attached picture.jpg” and use the password “foto” to view its contents (Figure 2). These emails lack proper punctuation and are badly written, which is a common feature in phishing attempts. In English, the email translates to the following:
“Hi how are you, I hope you’re fine. I write this email to you as I don’t dare telling you directly. Everyone knows except you, open your eyes, you are being cheated on and I don’t like how others are laughing about you. I experienced a similar situation, that’s why I don’t like someone doing it to another person. You know me well, I prefer not to make trouble. I attached a picture where they are kissing, I know it’s hard to look at, but it is better than to live a relationship where you believe it is all fine.
The picture was too big so I compressed it, you need Winzip or Winrar installed. I will write another email in the following days, I have more things to tell you.
I uploaded the picture with a password to avoid other people to look at it. The password is: foto.”
The sender’s email address is either a spoofed address impersonating DIAN, or a Hotmail.com address impersonating a fake female profile. The originating IP addresses always belong to a VPN provider.
The delivery documents in these phishing emails are either a PDF file or DOCX file containing a link. We have found samples of these documents impersonating DIAN (Figure 3), and others impersonating Google Photos (Figure 4).
Hovering over the link will show that the link was generated from a URL shortener. As discussed in our last blog entry on this threat actor, APT-C-36 uses URL shorteners such as cort.as, acortaurl.com and gtly.to. These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website. The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link, as illustrated in Figures 5 and 6.
However, if the location criteria are met, then the user is redirected to a file hosting server and a file is automatically downloaded (Figure 7).
The downloaded file is a password-protected archive, the password for which is mentioned in the email, the email attachment, or both. These passwords are usually simple, such as “dian,” “foto,” or “1234.”
After deobfuscating the executable file within the password-protected archive, we are presented with a RAT called BitRAT. This RAT is not new; it has been analyzed previously by security researchers.
The most interesting part of this RAT is its configuration, which is stored as an encrypted block of data (Figure 8). There are two hexadecimal strings within the main BitRAT executable: the longer string is the encrypted configuration, and the shorter one is the first part of the key.
Unlike most other malware, BitRAT uses the Camellia cipher with an initialization vector (IV) of 0000000000000000.
Several computational steps are needed to obtain the final key. First, a magic value is computed from bytes found on fixed addresses, as shown in Figures 9 and 10.
Each byte is transformed using a simple computation formula, as shown below:
((((value - 0x08) * 0x25) % 0x7f) + 0x7f) % 0x7f
This formula is applied to each of those bytes to compute the magic value through the following process:
The configuration is decrypted to the following string, as shown in Figure 11, including a command-and-control (C&C) server and a port.
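The per-byte formula quoted above, worked through in code as an added example (this is not code from the Trend Micro post or from BitRAT). It assumes, as the post does not say, that `value` is an unsigned byte and that the subtraction wraps in 8-bit arithmetic; it also builds the inverse table an analyst needs to recover candidate input bytes from a magic value, and shows that the trailing `+ 0x7f` step does not change the result.

```python
# Added example, not from the original post. Assumptions (ours): `value` is an
# unsigned byte and `value - 0x08` wraps modulo 256 as in 8-bit arithmetic.

def transform_byte(value: int) -> int:
    """((((value - 0x08) * 0x25) % 0x7f) + 0x7f) % 0x7f, as quoted in the post."""
    if not 0 <= value <= 0xFF:
        raise ValueError("expected an unsigned byte")
    v = (value - 0x08) & 0xFF          # 8-bit wrap for value < 8 (assumption)
    return ((((v * 0x25) % 0x7F) + 0x7F) % 0x7F)


def transform_byte_simplified(value: int) -> int:
    """Same mapping without the redundant '+ 0x7f' step: x already lies in
    [0, 0x7f), so (x + 0x7f) % 0x7f == x."""
    v = (value - 0x08) & 0xFF
    return (v * 0x25) % 0x7F


def magic_from_bytes(raw: bytes) -> bytes:
    """Apply the transform to every byte read from the fixed addresses."""
    return bytes(transform_byte(b) for b in raw)


def inverse_table() -> dict[int, list[int]]:
    """Map each possible output (0..0x7e) to every input byte producing it.
    The map is many-to-one (256 inputs, 127 outputs), so inversion yields
    candidates, not a unique byte."""
    table: dict[int, list[int]] = {}
    for b in range(256):
        table.setdefault(transform_byte(b), []).append(b)
    return table


def formula_steps_agree() -> bool:
    """Confirm the full and simplified formulas match for every byte."""
    return all(transform_byte(b) == transform_byte_simplified(b) for b in range(256))


if __name__ == "__main__":
    sample = bytes([0x08, 0x09, 0x10, 0x00])   # constructed sample bytes
    print("magic:", magic_from_bytes(sample).hex())
    print("inputs yielding 0x00:", inverse_table()[0])
    print("'+ 0x7f' is a no-op:", formula_steps_agree())
```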
The majority of the targets we discovered were located in Colombia, although some were from other South American countries such as Ecuador, Spain, and Panama. This is consistent with the use of Spanish in spear-phishing emails.
Although APT-C-36’s objective remains unclear, we posit that the threat actor carried out this campaign for financial gain. The campaign has affected multiple industries, primarily government, financial, and healthcare entities. We have also seen the campaign affect the finance, telecommunications, and energy, oil and gas industries.
Over the course of this investigation, we have found various new tactics, techniques, and procedures (TTPs) used by APT-C-36. Our research shows that they modify their methods frequently, as evidenced by their use of different link shorteners and RATs. While spear-phishing emails are the initial infection vector for this ongoing campaign, the threat actor is constantly changing their payloads and improving their techniques to avoid detection, such as their use of geolocation filtering.
APT-C-36 selects their targets based on location and most likely the financial standing of the email recipient. These, and the prevalence of the emails, lead us to conclude that the threat actor’s ultimate goal is financial gain rather than espionage.
Threat actors like APT-C-36 are constantly seeking new ways to deploy their malware and stay one step ahead of their victims’ defenses. To secure their data from spear-phishing attempts, companies can benefit from tools such as the Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security solutions, which protect end-users and businesses from these kinds of threats by detecting and blocking malicious files, spam messages, and malicious URLs. They can also turn to tools like Trend Micro™ Email Security, a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
You can access the link here for the full list of IOCs.
Jaromir Horejsi
Threat Researcher
Daniel Lunghi
Threat Researcher
Copyright ©2024 Trend Micro Incorporated. All rights reserved