\u00a0<\/span><\/td>\n<\/tr>\n\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign<\/td>\n | Password protected compressed file to distribute the first dropper.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1566.001 – Phishing: Spearphishing Attachment<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | Password protected compressed file<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Colombian users and organizations<\/td>\n<\/tr>\n |
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | PDF file for the victim to download the first stage of infection chain.
\nAccording to public investigations, related emails used to attack the Colombian government, financial institutions and large companies have been found.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1566.001 – Phishing: Spearphishing Attachment<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | PDF file or Maldoc impersonating the \u201cFiscal\u00eda General de la Naci\u00f3n.<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | Based on public research and the TTPs observed by SCILabs, the adversaries use JavaScript, Visual Basic Script, and PowerShell for the different stages of infection.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1059 \u2013 Command and Scripting Interpreter<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | Development of artifacts using scripting languages like Visual Basic Script, PowerShell, and JavaScript. Additionally, the use of commodity RATs like njRAT<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations\u00a0Current campaigns: Users in Colombia<\/td>\n<\/tr>\n |
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | Attackers often download encrypted text files from external systems containing embedded artifacts such as commodity RATs or DLL injectors to deploy the malware.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1105 \u2013 Ingress Tool Transfer<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | njRAT version 0.7NC
\nGeneric DLL injector
\nMalware Parameters<\/td>\n<\/tr>\n |
<\/tr>\n
<\/tr>\n
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | Attackers uses non-standard ports to their c2 servers.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1571 \u2013 Non-Standard Port<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | Previous campaigns ports: 57831, 2050, 57831
\nCurrent campaign: 2001<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | Adversaries use obfuscated code throughout the infection chain, using plain text files as the primary means of storing payloads and commands.
\nThey often use base64 algorithms and replacement of letters or special characters in obfuscated payloads.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1027 \u2013 Obfuscated Files or Information<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | BASE64 algorithms
\nReplacing letters and special chars
\nTheir own functions to obfuscate data<\/td>\n<\/tr>\n |
<\/tr>\n
<\/tr>\n
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | Attackers have used the commodity RAT njRAT.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1588.002 \u2013 Obtain Capabilities Tool<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | njRAT<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | The attackers use a .vbs script in the Windows Startup folder to generate persistence.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1547.001 Boot or Logon Auto start Execution: Registry Run Keys \/ Startup Folder<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | VBS script in the Windows Startup folder to generate persistence<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n
\n| Adversary\u00a0<\/span><\/td>\n | APT-C-36 previous campaigns \/ APT-C-36 current campaign\u00a0<\/span><\/td>\n | In recent campaigns, adversaries have used domains from the Duckdns service via the HTTP protocol to communicate with the c2 server.<\/td>\n<\/tr>\n |
\n| TTP\u00a0<\/span><\/td>\n | T1071.001 \u2013 Application Layer Protocol: Web Protocols<\/td>\n<\/tr>\n |
\n| Infrastructure\u00a0<\/span><\/td>\n | Duckdns domains<\/td>\n<\/tr>\n |
\n| Victim\u00a0<\/span><\/td>\n | Previous campaigns: Colombian users and organizations
\nCurrent campaigns: Users in Colombia<\/td>\n<\/tr>\n |
<\/tr>\n<\/tbody>\n<\/table>\nIn this exercise, the overlaps between the infrastructure vertices and capabilities\/TTPs of the diamond model can be observed, complying with the rule of 2 and supporting that the adversary behind this campaign is probably APT-C-36<\/strong>. SCILabs will continue to monitor these campaigns to obtain more elements that allow raising the level of certainty of the attribution.<\/p>\nTTPs observed aligned to MITRE’s ATT&CK framework<\/h1>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen7.png\")
<\/p>\n
Assessment<\/h1>\n
The APT-C-36 threat group is characterized by using commodity RATs such as njRAT; however, SCILabs has identified that the artifacts used during the infection chain have a shallow detection rate by commercial antivirus solutions. Additionally, they are constantly adjusting their artifacts, such as using .vbs files instead of JavaScript files and using different PDF templates or pretexts in their emails to evade the anti-spam protections.<\/p>\n
This adversary employs fileless and living off the land techniques, uses legitimate servers like OneDrive and Discord to store malicious artifacts, and various obfuscation and encryption algorithms. This can make it difficult for security solutions to identify malicious behavior easily; for this reason, it is important for organizations to perform threat hunting on organizations’ endpoints and workstations considering directories, registry keys, and executables as those mentioned in this report.<\/p>\n
These characteristics make this adversary a focus of attention because SCILabs considers that attackers could begin to consider in the future attacking victims in other countries such as Mexico in all kinds of organizations. Therefore, for SCILabs it is important that organizations are up to date on the TTPs used by this adversary and that could be copied by other cybercriminal groups to carry out more destructive attacks.<\/p>\n
We believe that the ideal victims of this type of campaign are the organizations that do not pay special attention to behavioral indicators and that do not know in detail the stages of the infection chain of this type of attack. SCILabs believes that this adversary will continue to use commodity RATs and will continue to target LATAM; however, based on our telemetry, cybercriminals will continue to modify their artifacts to improve their effectiveness.<\/p>\n
IOCs<\/h1>\n
386CEAFDE6870930B4C0C0FAF3274A7A<\/p>\n
C86433C0F61D1DF61208B2CFCA02543F<\/p>\n
F967C869142E3242BFCA0E9C38CDD6FD<\/p>\n
324DB54A7DF625B2CBF6B75E9EFEC140<\/p>\n
2BB9168601ED09F975041B3E5593A764<\/p>\n
889BDEAF65D152BEC9512A768B73CB5A<\/p>\n
08FBA67E620C5AF2C4738EAB767A78D5<\/p>\n
HXXPS[:]\/\/ONEDRIVE[.]LIVE[.]COM\/DOWNLOAD?CID=7F3ACF9F2D72D5A5&RESID=7F3ACF9F2D72D5A5%21827&AUTHKEY=AMZ2CWHP91GKHCI<\/p>\n
HXXPS[:]\/\/CDN[.]DISCORDAPP[.]COM\/ATTACHMENTS\/911673301896691753\/976527856819646504\/MIO18MAYOMIO[.]TXT<\/p>\n
1204ABRIL[.]DUCKDNS[.]ORG[:]2001<\/p>\n
ABRIL[.]DUCKDNS[.]ORG<\/p>\n
HKCU:\\SOFTWARE\\bf02403cd3e34e50a6f<\/p>\n
HKCU:\\SOFTWARE \\wow6432node\\Microsoft\\WindowsUpdate<\/p>\n","protected":false},"excerpt":{"rendered":"
Overview The following report provides the TTPs,and IOCs identified in a malware campaign impersonating the \u201cFiscal\u00eda General de la Naci\u00f3n\u201d<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[15,18],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-malware","tag-trojan"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen1.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen2.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen3.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen4.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen5.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen6.png\")
<\/p>\n![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2022\/07\/Imagen8.png\")
<\/p>\n