In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.
The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.
These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.
Upon execution, the obfuscated VBS script triggers a PowerShell script, retrieving the final malware payload from legitimate online storage services through a two-step request process.
Infection Process
According to the ANY.RUN report was shared with GBHackers on Security; initially, the script acquires the payload’s address from resources such as textbin.net. It then proceeds to download and execute the payload from the provided address, which could be hosted on various platforms including cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io.
The attackers’ execution chain follows a sequence from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE).
The culminating payload is identified as one of several known remote access trojans (RATs), specifically AsyncRAT, njRAT, or Remcos.
These malicious programs are notorious for their ability to provide unauthorized remote access to the infected systems, posing significant risks to the victims’ privacy and data security.
Here are some notable samples of this campaign: 1, 2, 3, 4.
This campaign has been meticulously documented, with over 50 operation samples being analyzed.
Cybersecurity professionals and researchers are encouraged to consult the TI Lookup tool for detailed information on these samples, aiding in identifying and mitigating threats related to this campaign.
The Cyberspace Battlefield: A Contemporary Look at Weaponized Cyber Warfare
The technique demonstrated by the attackers in this campaign is not exclusive to Latin American targets and may be adapted for use against various targets in other regions.
The cybersecurity community is urged to remain vigilant and employ robust security measures to protect against such sophisticated threats.
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
