{"id":623,"date":"2024-05-27T23:37:28","date_gmt":"2024-05-27T23:37:28","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=623"},"modified":"2024-05-27T23:37:28","modified_gmt":"2024-05-27T23:37:28","slug":"red-akodon-a-new-threat-actor-distributing-rat-to-colombia","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2024\/05\/27\/red-akodon-a-new-threat-actor-distributing-rat-to-colombia\/","title":{"rendered":"Red Akodon, a new threat actor distributing RAT to Colombia"},"content":{"rendered":"<h1><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-649 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Logotipo.png\" alt=\"\" width=\"260\" height=\"351\" \/><\/h1>\n<h1><a name=\"_Toc166527255\"><\/a>Overview<\/h1>\n<p>The purpose of this report is to highlight a new threat actor that SCILabs identified and profiled during April 2024. This actor has been observed impersonating organizations, primarily government entities from Colombia.\u00a0The information and indicators of compromise were obtained\u00a0through threat-hunting activities, malware analysis, and intelligence processes in public and private sources.<\/p>\n<p>Due to its behavior and characteristics, SCILabs named it <em>Red Akodon<\/em>. 
This threat actor targets users of all types in Colombia, including employees of public and private organizations, to steal confidential information such as bank account details, e-mail accounts, social media credentials, and access to corporate portals, among others, using remote access trojans (<a href=\"https:\/\/www.proofpoint.com\/es\/threat-reference\/remote-access-trojan\">RAT<\/a>) like <a href=\"https:\/\/success.trendmicro.com\/dcx\/s\/solution\/1123281-remcos-malware-information?language=en_US&amp;sfdcIFrameOrigin=null\"><em>RemcosRAT<\/em><\/a>, <a href=\"https:\/\/csirtasobancaria.com\/alertas-de-seguridad\/la-evolucion-de-quasar-rat-nuevas-tecnicas-de-infeccion\"><em>QuasarRAT<\/em><\/a>, <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.asyncrat\"><em>AsyncRAT<\/em><\/a>, and <a href=\"https:\/\/thehackernews.com\/2023\/05\/xworm-malware-exploits-follina.html\"><em>XWorm<\/em><\/a>. <em>Red Akodon<\/em>&#8217;s initial access vector is mainly phishing emails that use alleged lawsuits and judicial summonses as a pretext, apparently coming from Colombian institutions such as the <em>Fiscal\u00eda General de la Naci\u00f3n<\/em> and <em>Juzgado 06 civil del circuito de Bogot\u00e1<\/em>.<\/p>\n<p>According to SCILabs\u2019 research, <em>Red Akodon<\/em> has operated mainly in Colombia since April 2024, gradually increasing its activity since its first appearance. 
It has made small but constant changes to its infrastructure (such as its command-and-control servers or its malware download locations) and has used TTPs to evade security solutions and hinder analysis by cyber threat researchers.<\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527256\"><\/a>Region of operation<\/h1>\n<p>After conducting threat hunting and intelligence processes on public and private sources, SCILabs determined with a high confidence level that <em>Red Akodon<\/em> attacks have primarily affected Colombia.<\/p>\n<p>To date, no campaigns have been identified affecting another region of LATAM or the world; however, SCILabs hypothesizes, based on experience, that it is highly likely that this threat actor will spread the distribution of its campaigns to other Latin American countries in the future.<\/p>\n<p>The following map shows <em>Red Akodon<\/em>&#8217;s main operating region (highlighted in red) and its potential future target countries (highlighted in green).<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-650 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Mapa.jpg\" alt=\"\" width=\"339\" height=\"444\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 1. <em>Red Akodon&#8217;s<\/em> operating region<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Below is the chronology of the most relevant activity of <em>Red Akodon<\/em>, according to the campaigns identified by SCILabs during April 2024. It is important to mention that, over time, the infrastructure and artifacts operated by this threat actor have experienced constant changes. 
Thus, for the following example\u00a0the most outstanding activity observed so far was considered.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-653 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/TimelineEng.png\" alt=\"\" width=\"1053\" height=\"393\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 2. <em>Red Akodon&#8217;s<\/em> most relevant activity<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527257\"><\/a>Who is affected?<\/h1>\n<p>During the investigation, SCILabs identified that this threat actor&#8217;s campaigns primarily target Colombia. Although it did not appear to target any specific sector, it may affect public and private organizations of any industry, for example:<\/p>\n<ul>\n<li>Public organizations in industries such as:\n<ul>\n<li>Government<\/li>\n<li>Health<\/li>\n<li>Education<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Private organizations in industries such as:\n<ul>\n<li>Financial<\/li>\n<li>Manufacturing<\/li>\n<li>Food<\/li>\n<li>Services<\/li>\n<li>Transportation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc80194999\"><\/a><a name=\"_Toc166527258\"><\/a>How can this affect an organization?<\/h1>\n<p><em>Red Akodon\u2019s<\/em> main goal is to steal all types of information (including highly sensitive data from multiple users, as well as logging the activity of their keyboard, screen and mouse). 
The victims can be employees of any kind of public or private organization.<\/p>\n<p>Considering the information above, and taking into account that this threat actor\u2019s campaigns intend to infect victims with Trojans designed to log activity and track devices remotely, a successful attack could result in the compromise of sensitive information. Cybercriminals could use that information maliciously, leaking it or selling it in clandestine forums on the Dark Web or in the black market, and then use it to carry out more sophisticated and dangerous attacks such as ransomware, which can put at risk the integrity, confidentiality, and availability of the organization&#8217;s information, not to mention the financial and reputational losses it may cause.<\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527259\"><\/a>Analysis<\/h1>\n<h2><strong>Threat context<\/strong><\/h2>\n<p>During April 2024, through monitoring and threat-hunting processes, SCILabs identified several phishing emails aimed mainly at users in Colombia, which used an alleged lawsuit involving the victim as a pretext. Two email variants were identified: the first contains a hyperlink to a DOCX-type file hosted on Drive; the second includes an attached SVG file that also poses as a Word document, as in the first e-mail, but is actually an image with an embedded hyperlink.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-626 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen3.jpg\" alt=\"\" width=\"401\" height=\"241\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 3. 
Mail used by <em>Red Akodon<\/em> with a malicious link<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-627 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen4.jpg\" alt=\"\" width=\"643\" height=\"270\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 4. Mail used by <em>Red Akodon<\/em> with a malicious SVG file<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>It is important to mention that no email <a href=\"https:\/\/www.proofpoint.com\/es\/threat-reference\/email-spoofing\">spoofing<\/a> techniques were identified and that the accounts from which the phishing emails were sent have domains that belong to agencies of the Colombian government (gov.co) and legitimate companies of the same country.<\/p>\n<p>SCILabs conducted an investigation and identified several posts on underground forums, where compromised credentials of domains related to the analyzed malware campaigns were found. According to these publications, the credentials were obtained through the infostealers <a href=\"https:\/\/www.proofpoint.com\/es\/threat-reference\/email-spoofing\"><em>RisePro<\/em><\/a> and <a href=\"https:\/\/www.checkpoint.com\/es\/cyber-hub\/threat-prevention\/what-is-malware\/what-is-vidar-malware\/\"><em>Vidar<\/em><\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-628 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen5.jpg\" alt=\"\" width=\"574\" height=\"298\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 5. 
Post in a clandestine forum with credentials for sale of the domain magdalena[.]gov[.]co<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Technical overview<\/strong><\/h2>\n<h3><strong>First campaign identified <\/strong><\/h3>\n<p>In the first campaign identified by SCILabs, the email contains a link with an alleged .docx file related to a lawsuit. If the user clicks on it, they\u00a0are redirected\u00a0to a Google Drive or OneDrive repository where a preview of an Office Word document\u00a0is displayed\u00a0in which more details of the alleged lawsuit are shared, and which contains a URL for downloading an additional file protected\u00a0with a password (shared\u00a0within the document).<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-629 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen6.jpg\" alt=\"\" width=\"741\" height=\"401\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 6. DOCX document formatted as a supposed lawsuit<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>If the user clicks on the link \u201cDESCARGAR DEMANDA\u201d, the download of a .zip-type compressed file from a GitHub repository begins. During the investigation,\u00a0multiple active campaigns were identified\u00a0in different\u00a0 repositories, such as advertising, filed, judicial, demand, receipt, and files.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-630 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen7.jpg\" alt=\"\" width=\"776\" height=\"504\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 7. 
GitHub repositories used by <em>Red Akodon<\/em> (top) and ZIP archives stored in the repositories (bottom)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Additionally, the compressed file contains a folder with the same name, which includes the following files:<\/p>\n<ul>\n<li><strong>01 CITACION DEMANDA.exe<\/strong>: <a href=\"https:\/\/customerconnect.vmware.com\/en\/downloads\/info\/slug\/datacenter_cloud_infrastructure\/vmware_tools\/12_x\">VMWare Tools<\/a> legitimate executable<\/li>\n<li><strong>glib-2.0.dll<\/strong>: Malicious library responsible for injecting <a href=\"https:\/\/www.blackberry.com\/us\/en\/solutions\/endpoint-security\/ransomware-protection\/asyncrat\"><em>AsyncRAT<\/em><\/a> into the MSBuild.exe process<\/li>\n<li><strong>gmodule-2.0.dll<\/strong>: <a href=\"https:\/\/docs.gtk.org\/glib\/\">GLib<\/a> legitimate library<\/li>\n<li><strong>gobject-2.0.dll<\/strong>: GLib legitimate library<\/li>\n<li><strong>gthread-2.0.dll<\/strong>: GLib legitimate library<\/li>\n<li><strong>dll<\/strong>: Legitimate library for the use of icons<\/li>\n<li><strong>dll<\/strong>: Windows legitimate library<\/li>\n<li><strong>dll<\/strong>: VMWare legitimate library<\/li>\n<li><strong>html<\/strong>: HTML type file. No malicious behavior was identified during the analysis<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-631 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen8.jpg\" alt=\"\" width=\"451\" height=\"192\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 8. 
Content of the downloaded compressed file<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>In one of the campaigns identified by SCILabs, the zip file also contains a folder with a legitimate WinZip executable; however, it was not observed to be used at any stage of the infection chain.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-632 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen9.jpg\" alt=\"\" width=\"614\" height=\"251\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 9. Digital signature of the WinZip28.exe file<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>If the user executes the file <strong>01 CITACION DEMANDA.exe<\/strong>, the infection chain begins by exploiting a <a href=\"https:\/\/www.elladodelmal.com\/2021\/04\/que-es-una-dll-y-en-que-consiste-el-dll.html\">DLL-hijacking<\/a> vulnerability in the VMWare executable to inject the <em>AsyncRAT<\/em> malware into the legitimate MSBuild.exe process. This technique has been observed in the past and documented in public <a href=\"https:\/\/www.anomali.com\/blog\/threat-actors-use-msbuild-to-deliver-rats-filelessly\">investigations<\/a>.<\/p>\n<p>During the execution, a connection to <strong>melo2024[.]kozow[.]com<\/strong> was detected, and the text string \u201cAsyncRAT Server\u201d could be observed in the request.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-633 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen10.jpg\" alt=\"\" width=\"621\" height=\"120\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 10. 
Content of the request observed during the analysis<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Furthermore, the memory of the created process identified the text string \u201cCRACKED BY hxxps[:]\/\/t[.]me\/xworm_v2\u201d. The URL belongs to a Telegram group where multiple RATs are distributed, including <em>AsyncRAT<\/em>, <em>RemcosRAT<\/em>, and various versions of <em>XWorm<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-634 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen11.jpg\" alt=\"\" width=\"571\" height=\"107\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 11. Strings observed in the memory of the MSBuild.exe process<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-635 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen12.jpg\" alt=\"\" width=\"264\" height=\"368\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 12. RATs distributed by the Telegram group<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>SCILabs also observed the execution of the <strong>taskkill.exe \/im\u00a0cmstp.exe \/f<\/strong> command to disable UAC (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-control\/user-account-control\/how-it-works\">User Account Control<\/a>), which grants administrator privileges\u00a0without user authorization.<\/p>\n<p><a href=\"#_ftnref10\" name=\"_ftn10\"><\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-636 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen13.png\" alt=\"\" width=\"910\" height=\"120\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 13. 
Command executed for UAC deactivation<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>The malware operated by <em>Red Akodon<\/em> executes a PowerShell script stored in <em>C:\\Users\\Public<\/em> to configure Windows Defender exclusions, avoiding certain processes and directories on the system and stopping the process <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/cmstp\">cmstp.exe<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-637 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen14.png\" alt=\"\" width=\"524\" height=\"204\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 14. Script used to change Windows Defender settings<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><em>Red Akodon<\/em> performs persistence generation by creating shortcuts in the Windows Start menu directory and a scheduled task that runs the legitimate VMWare file.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-638 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen15.png\" alt=\"\" width=\"943\" height=\"331\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 15. Persistence created in the Windows start menu (top) and task scheduled for dropper execution (bottom)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Once the <em>AsyncRAT<\/em> malware\u00a0is injected\u00a0into the MSBuild.exe process, it collects information from the infected computer and downloads additional Trojans. 
During the analysis of this campaign,\u00a0the installation of the <a href=\"https:\/\/breakingsecurity.net\/remcos\/\"><em>RemcosRAT<\/em> <\/a>and <em><a href=\"https:\/\/www.broadcom.com\/support\/security-center\/protection-bulletin\/2nd-covid-outbreak-warning-email-brings-qasarrat\">Quasar<\/a> <\/em>Trojans was observed.<\/p>\n<p>SCILabs has the hypothesis that\u00a0<em>Red Akodon<\/em> installs different Trojans to have multiple mechanisms for information theft.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-639 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen16.png\" alt=\"\" width=\"1105\" height=\"149\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 16. <em>RemcosRAT<\/em> and <em>Quasar<\/em> execution<\/strong><\/p>\n<p><a href=\"#_ftnref10\" name=\"_ftn10\"><\/a><a href=\"#_ftnref12\" name=\"_ftn12\"><\/a><\/p>\n<p>In the specific case of <em>RemcosRAT<\/em>, it is installed in the path <em>C:\\ProgramData\\Remcos\\,<\/em> and creates a registry key to add it to the Windows Start menu.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-640 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen17.png\" alt=\"\" width=\"1042\" height=\"149\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 17. <em>RemcosRAT<\/em> installation path<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-641 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen18.png\" alt=\"\" width=\"1075\" height=\"145\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 18. 
Registry key created for persistence<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>The following table shows the parameters\u00a0found\u00a0when analyzing the <em>RemcosRAT<\/em> samples installed in this campaign.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-654 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Table1.png\" alt=\"\" width=\"665\" height=\"149\" \/><\/p>\n<p style=\"text-align: center\"><strong>Table 1. <em>RemcosRAT <\/em>parameters<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>On the other hand, <em>Quasar<\/em>\u00a0is stored\u00a0in <em>%TEMP%;<\/em> however,\u00a0no persistence methods were identified\u00a0for this malware. SCILabs hypothesizes that the execution is triggered from the MSBuild.exe process since there are text strings in the process memory with the path of this executable.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-642 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen19.png\" alt=\"\" width=\"595\" height=\"93\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 19. Strings found in the process MSBuild.exe<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>The following table shows the parameters when analyzing the <em>Quasar<\/em> samples installed in this campaign.<\/p>\n<p>&nbsp;<\/p>\n<p><strong> <img loading=\"lazy\" decoding=\"async\" class=\"wp-image-655 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Table2.png\" alt=\"\" width=\"673\" height=\"150\" \/><\/strong><\/p>\n<p style=\"text-align: center\"><strong>Table 2. 
<em>Quasar <\/em>parameters<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>In addition to installing the Trojans, multiple artifacts are downloaded that seem to be legitimate files but contain the <a href=\"https:\/\/es.gridinsoft.com\/online-virus-scanner\/id\/907ca6d311ca53125aa321e39a288adae25fd45eef884dafe8d88aa9547e9fe9\"><em>Neshta<\/em><\/a> malware. This malware modifies sections of an executable file to load malicious code. The executable is stored in <em>C:\\Windows<\/em> with the name svchost.com and creates a registry key that tells the system to run the <em>Neshta<\/em> artifact every time an EXE-type file is opened. When a program is executed, the original file is sent to the path <em>%TEMP%\\3582-490<\/em>.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-643 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen20.png\" alt=\"\" width=\"1123\" height=\"215\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 20. <em>Neshta<\/em> artifacts downloaded during infection<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-644 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen21.png\" alt=\"\" width=\"1139\" height=\"114\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 21. Registry key created by <em>Neshta<\/em><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-645 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen22.png\" alt=\"\" width=\"901\" height=\"424\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 22. 
Directory where the original executables are stored after their sections were modified<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>The IObit Unlocker software installation was also observed in path <em>C:\\ProgramData\\<a href=\"https:\/\/www.iobit.com\/en\/iobit-unlocker.php\">IObitUnlocker<\/a><\/em>. This program offers file management functionalities, such as deleting, renaming, moving, and copying any file, regardless of whether another program uses it. Yet, it is important to mention that some security solutions on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7\/detection\">VirusTotal<\/a> classify this software as a PUA (Potentially Unwanted Application).<\/p>\n<p><a href=\"#_ftnref13\" name=\"_ftn13\"><\/a><a href=\"#_ftnref15\" name=\"_ftn15\"><\/a> <a href=\"#_ftnref16\" name=\"_ftn16\"><\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-646 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen23.png\" alt=\"\" width=\"1188\" height=\"211\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 23. IObit Unlocker installation path<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<h3><strong>Second campaign identified<\/strong><\/h3>\n<p>In the second campaign identified by SCILabs, the email contains an SVG file that seems to be an alleged document of a lawsuit from the <em>Fiscal\u00eda General de la Naci\u00f3n<\/em> of Colombia. Like in the first campaign, the image contains a URL: if the user clicks on it, they\u00a0are redirected\u00a0to a GitHub repository from where the download of a compressed file begins.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-647 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen24.png\" alt=\"\" width=\"668\" height=\"402\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 24. 
SVG file with the alleged lawsuit<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Additionally, the compressed file contains a folder with the same name, which includes the following files:<\/p>\n<ul>\n<li><strong>04 CITACION DEMANDA.exe<\/strong>: <em>Neshta <\/em>executable file<\/li>\n<li><strong>dll<\/strong>: Malicious library responsible for injecting <em>AsyncRAT<\/em> into the MSBuild.exe process<\/li>\n<li><strong>dll<\/strong>: ASUS legitimate library<\/li>\n<li><strong>dll<\/strong>: ASUS legitimate library<\/li>\n<li><strong>eps<\/strong>: Unknown file, no malicious behavior detected during analysis<\/li>\n<li><strong>ai<\/strong>: Unknown file, no malicious behavior detected during analysis<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-648 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Imagen25.png\" alt=\"\" width=\"1025\" height=\"326\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 25. Contents of the compressed file<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>If the user executes the file <strong>04 CITACION DEMANDA.exe<\/strong>, the infection chain described above begins. It is important to mention that during the analysis, no additional downloads of the <em>Neshta<\/em> malware were identified, unlike in the first campaign analyzed. Hence, SCILabs hypothesizes that this activity is not carried out in this campaign because the dropper is a variant of <em>Neshta<\/em> and already fulfills that function.<\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527260\"><\/a>Attack flow summary<\/h1>\n<ol>\n<li>The user receives a phishing email from a compromised account belonging to the gov.co domain, using alleged lawsuits and court summons as pretexts.<\/li>\n<li>The email contains either an attached SVG file or a OneDrive or Google Drive hyperlink.<\/li>\n<li>If the user opens the SVG file, they are shown an alleged lawsuit or judicial summons that appears to come from the <em>Fiscal\u00eda General de la Naci\u00f3n<\/em> or from a Colombian court.<\/li>\n<li>If the user clicks on the hyperlinks, they are redirected to a Google Drive or OneDrive repository (as the case may be) containing the supposed lawsuit or judicial summons allegedly coming from the <em>Fiscal\u00eda General de la Naci\u00f3n<\/em>, or any Colombian court.<\/li>\n<li>If the user clicks on &#8220;Descargar una copia de la demanda\u201d (Download a copy of the lawsuit) they are redirected to a GitHub repository to obtain a compressed file in ZIP or 7ZIP format.<\/li>\n<li>If the user unzips and executes the contents of the previous file, the malicious activity begins.<\/li>\n<li><em>Red Akodon<\/em> injects a variant of <em>AsyncRAT<\/em> into the legitimate Windows MSBuild process, by exploiting DLL-Hijacking vulnerabilities in legitimate artifacts mainly related to VMWare, or the <em>Neshta<\/em> malware that pretends to be legitimate software.<\/li>\n<li><em>Red Akodon<\/em> generates persistence using shortcuts in the Windows start menu.<\/li>\n<li><em>Red Akodon<\/em> downloads and installs one or more remote access Trojans.<\/li>\n<li>The RAT begins tracking and logging the keyboard and screen activity, obtaining all kinds of information from the victim.<\/li>\n<li>The stolen information is shared with the attacker&#8217;s command and control server.<\/li>\n<li>Finally, the attacker can install remote administration tools and perform other tasks, such as downloading additional artifacts and restarting the computer.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527261\"><\/a>Attack flow diagram<\/h1>\n<p>The following attack flow was observed by SCILabs 
from malware analysis.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-656 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/FlowChart.png\" alt=\"\" width=\"1141\" height=\"593\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 26. Diagram of the attack flow identified by SCILabs<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527262\"><\/a>TTP observed aligned to MITRE ATT&amp;CK\u00ae Framework<\/h1>\n<p>The following TTP matrix based on the MITRE Framework was obtained from malware analysis and intelligence processes in open sources.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-651 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Tabla3.png\" alt=\"\" width=\"936\" height=\"773\" \/><\/p>\n<p style=\"text-align: center\"><strong>Table 3. TTP observed aligned to the MITRE ATT&amp;CK\u00ae framework<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527263\"><\/a>Diamond model<\/h1>\n<p>The following diamond model was obtained from the malware analysis and intelligence processes in open sources.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-657 aligncenter\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/DiamondModel.png\" alt=\"\" width=\"1041\" height=\"672\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 27. 
Diamond model identified by SCILabs<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527264\"><\/a>Attribution<\/h1>\n<p>To make the corresponding attribution and determine with a high level of confidence that this is a new threat actor, SCILabs conducted an in-depth investigation looking for overlaps with other known threats, particularly with <a href=\"https:\/\/blog.scilabs.mx\/malware-campaign-attributed-to-apt-c-36-context-and-iocs-update-june-2022\/\"><em>APT-C-36<\/em><\/a>\u00a0 and <a href=\"https:\/\/www.metabaseq.com\/ta588\/\"><em>TA558<\/em><\/a>, which are highly active threat groups in Colombia.<\/p>\n<p>Below is a table with\u00a0the characteristics of the different threats identified by SCILabs and aligned to the diamond model, whose overlaps with <em>APT-C-36<\/em> are highlighted in <strong>red<\/strong> and with <em>TA558<\/em> in <strong>green<\/strong>.<a href=\"#_ftnref16\" name=\"_ftn16\"><\/a><a href=\"#_ftnref17\" name=\"_ftn17\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<table style=\"height: 1889px\" width=\"1364\">\n<thead>\n<tr>\n<td width=\"152\"><strong>Adversary\/Diamond Model<\/strong><\/td>\n<td width=\"220\"><strong>\u00a0<\/strong><\/td>\n<td width=\"85\"><strong>TA558<\/strong><\/td>\n<td width=\"94\"><strong>APT-C-36<\/strong><\/td>\n<td width=\"94\"><strong><em>Red Akodon<\/em><\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"8\" width=\"152\"><strong>Infrastructure<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/td>\n<td width=\"220\">Dynamic domains for their command-and-control servers, primarily DuckDNS<\/td>\n<td width=\"85\"><span style=\"color: #339966\"><strong>Yes<\/strong><\/span><\/td>\n<td width=\"94\"><strong><span style=\"color: #ff0000\">Yes<\/span><\/strong><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Dynamic domains for their command-and-control servers, primarily Kozow<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\"><strong><span style=\"color: 
#ff0000\">Yes<\/span><\/strong><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Legitimate Colombian government domains (accounts compromised or leaked in the black market or Dark Web), mainly gov.co<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">File hosting services, mainly Google Drive<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">File hosting services, mainly OneDrive<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Services used for malware delivery, mainly GitHub<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Telegram channel for obtaining\/distributing malware<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Naming patterns in their command-and-control domains, mainly gonzalez2024, melo2024, qpaisa2024, quepasa2024<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"8\" width=\"152\"><strong>Capabilities<\/strong><\/td>\n<td width=\"220\">Distribution through phishing e-mails<\/td>\n<td width=\"85\"><strong><span style=\"color: #339966\">Yes<\/span><\/strong><\/td>\n<td width=\"94\"><strong><span style=\"color: #ff0000\">Yes<\/span><\/strong><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Use of Remote Access Trojans, among which we find <em>RemcosRAT<\/em>, <em>QasarRAT<\/em>, <em>AsyncRAT<\/em>, and <em>XWorm<\/em><\/td>\n<td width=\"85\"><strong><span style=\"color: #339966\">Yes<\/span><\/strong><\/td>\n<td width=\"94\"><span style=\"color: #ff0000\"><strong>Yes<\/strong><\/span><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">7ZIP and ZIP compression format<\/td>\n<td 
width=\"85\"><strong><span style=\"color: #339966\">Yes<\/span><\/strong><\/td>\n<td width=\"94\"><strong><span style=\"color: #ff0000\">Yes<\/span><\/strong><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Keyboard, mouse, and screen activity monitoring<\/td>\n<td width=\"85\"><span style=\"color: #339966\"><strong>Yes<\/strong><\/span><\/td>\n<td width=\"94\"><strong><span style=\"color: #ff0000\">Yes<\/span><\/strong><\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Installation of additional software, mainly remote administration software<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Exploitation of DLL-Hijacking, mainly in legitimate VMWare products<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Use of <em>Neshta<\/em> malware<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<tr>\n<td width=\"220\">Use of scripting for first droppers (JS, VBS)<\/td>\n<td width=\"85\">Yes<\/td>\n<td width=\"94\">Yes<\/td>\n<td width=\"94\">No<\/td>\n<\/tr>\n<tr>\n<td width=\"152\"><strong>Victim<\/strong><\/td>\n<td width=\"220\">So far, only campaigns targeting Colombia have been identified<\/td>\n<td width=\"85\">No<\/td>\n<td width=\"94\">No<\/td>\n<td width=\"94\">Yes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><strong>Table 4. Overlaps between <em>APT-C-36<\/em>, <em>TA558<\/em> and <em>Red Akodon<\/em><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>As a result of the investigation, it can be observed that out of 17 characteristics attached to the diamond model, overlaps were found only in 6, of which 3 (ZIP and 7ZIP files, phishing emails, and dynamic domains) are usually used by different threats in the region, including banking Trojans, for instance. 
Consequently, SCILabs determines with a high level of confidence that this is a new threat actor.<a name=\"_Toc80195005\"><\/a><a name=\"_Toc59312917\"><\/a><a name=\"_Toc166527265\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527266\"><\/a>Conclusions<\/h1>\n<p>SCILabs considers that the danger of <em>Red Akodon<\/em> lies in multiple factors, among which the following stand out:<\/p>\n<ul>\n<li>Constant modification of its infrastructure, which makes it difficult for researchers to track the malware activity operated by this threat group.<\/li>\n<li>Constant creation of new malware repositories, which complicates obtaining samples and blocking indicators of compromise.<\/li>\n<li>The use of Trojans with public source code, which allows the actor to modify its artifacts easily.<\/li>\n<li>The use of multiple remote access Trojans, which could increase the effectiveness of an attack by producing several infections at the same time.<\/li>\n<li>The use of the DLL-Hijacking technique against legitimate, vulnerable applications, which makes detection difficult for malware analysts and security solutions.<\/li>\n<li>The use of <em>Neshta<\/em> malware to infect EXE files.<\/li>\n<li>The use of legitimate hosting services.<\/li>\n<li>Implementation of geofences, which ensure that the victim belongs to a specific region.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><a name=\"_Toc112697371\"><\/a>Based on the capabilities set forth in this report, <em>Red Akodon<\/em> should be considered a potential threat to all companies and organizations, mainly in Colombia. Given the marked increase in its activity and the speed with which it creates new campaigns, it is highly likely to affect other countries in the LATAM region in the future.<\/p>\n<p>SCILabs will continue to monitor the activity of this threat actor and provide IOCs accordingly to strengthen the security 
of our clients. Additionally, we make the following recommendations to avoid becoming a victim or, where appropriate, to reduce the impact of a <em>Red Akodon<\/em> infection:<\/p>\n<ul>\n<li>Block the IoCs listed in this document.<\/li>\n<li>Conduct awareness campaigns on the techniques used by this threat actor.<\/li>\n<li>Enforce strict policies on the use and installation of software on corporate computers, particularly the VMWare utilities that <em>Red Akodon<\/em> abuses for DLL hijacking.<\/li>\n<li>For phishing emails, it is recommended to:\n<ul>\n<li>Avoid opening emails from unknown senders.<\/li>\n<li>Avoid opening suspicious links.<\/li>\n<li>Avoid opening or downloading suspicious files.<\/li>\n<\/ul>\n<\/li>\n<li>Keep the operating systems and software of all devices on your network up to date.<\/li>\n<li>Implement and enforce policies for the creation and use of passwords.<\/li>\n<li>Avoid storing passwords in browsers.<\/li>\n<li>Investigate leaks of information, credentials and data related to your organization through intelligence services.<\/li>\n<li>Implement <a href=\"https:\/\/www.cyberark.com\/es\/what-is\/defense-in-depth\/\">Defense in Depth<\/a> across all the organization&#8217;s systems.<\/li>\n<li>Block free dynamic DNS services such as duckdns[.]org and kozow[.]com if they are not essential to the organization&#8217;s operation.<\/li>\n<li>Perform threat hunting looking for suspicious shortcuts, primarily in the Windows Start Menu directory.<\/li>\n<li>Pay attention to anomalies on your devices, such as a second mouse cursor or unexpected pop-up windows.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc166527267\"><\/a>Indicators of compromise<a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><\/h1>\n<p>Below, with a <strong>HIGH<\/strong> level of confidence, are the indicators of compromise (IoCs) obtained from the analysis carried out by 
SCILabs.<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>SHA256<\/strong><\/h3>\n<p>30C835EA23ED533816533C0FABF62811007140CF84F9610E9F9B42F9A30539FE<br \/>\nC0747C10BE35B8C1072A360C7759228B17F35D2EC890154020C716D572B00FBD<br \/>\n174FA8BB281AD832A5CBC6132E5D16E71C951CEB8F505C305F5D6816E6F75BBE<br \/>\n78576AAAEA61227E3EA0AA5311D72878630E83B04CBDBCE436D7CC119749A428<br \/>\n06D966537F2236E4ECC8F4BA62070398980CF42D74971B47D0018DD8089C3A15<br \/>\n675A60B1C6C7F593C96EA6787D961B6ABD32FE644D1A23A2FF32BEC785EA1DA1<br \/>\nCC419B8CC78BBF52A96E33142C99E129A96D2E83C5E9D23AF7F041BEE803D324<br \/>\n8DC7FA88285ED5466962A8A6F04941DC23D3F5D11398BD33ECB80973189F1A98<br \/>\n665B8F7B2013BC20C6A31F3448C0EC321D17B214629ACCE7405039009DC1C519<br \/>\n27EBF2AF9882393EC6C1EBD17A32C607B08337D419AD93692B9CB44BA54C47CC<br \/>\n7D5B81FA1ADD7DF447EB4A9BE6618C60317C0F11A5AE6A0479451A8FABDB88CA<br \/>\n328BB9FED9B3A2071E504361C6719361192D273D4CF202A3C8D6551C385A70A7<br \/>\n5B72922A652FCD91508E1F6ED54C2936731D5B31A7A0DA1F4289AA822E9AB282<br \/>\n406F0C9C379AC28F1135D8C2AEA49D5105782631CBF5259800E19B93813412C4<br \/>\nC858874090BE999F9EC6C851EF5511829E44DF29E37EDEF7012FB7DD6A6A5884<br \/>\n5C15C27C7C6D942ABBBADACE26B8C3C06F63DCEB474287D39CD561548B274685<br \/>\n70D7598B80ACBB5EDD8913718C5D94EF98AF00FCE9726048FE72235EB1AAA47E<br \/>\n3795B2AAA4D61C30528C897DD02D610E3C1734C6BBC093A932381E7FA58D0CA6<br \/>\nAD7A0816DFC4F551CFB5122388FAB2418D2822DEDA4A55E59DBC95E037EF8305<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>Malware download URL <\/strong><\/h3>\n<p>It is recommended to block the entire URL to avoid future false positives or operation failures. 
hxxps[:]\/\/drive[.]google[.]com\/file\/d\/1ygbbzsxnkoq4j5hqmndmzgjlgsqrrqh6\/view?usp=drive_web<\/p>\n<p>hxxps[:\/\/]drive[.]google[.]com\/file\/d\/1a8ju99cr4eaybnlgcztcxfswtltdjn-p\/view<br \/>\nhxxps[:\/\/]onedrive[.]live[.]com\/?redeem=aHR0cHM6Ly8xZHJ2Lm1zL2IvYy8xMTliNTFhOWU4ZWU2OGE1L0VWNHlzdWhYcGR0S3FTdThnUDRzakprQlk1ZWZlaTlqamNoT05NaGxwcG9xUVE&amp;cid=119B51A9E8EE68A5&amp;id=119B51A9E8EE68A5%21se8b2325ea5574adba92bbc80fe2c8c99&amp;parId=root&amp;o=OneUp<br \/>\nhxxps[:]\/\/github[.]com\/santiagonasar\/publicidad2\/raw\/main\/citacion%20demanda[.]zip<br \/>\nhxxps[:]\/\/github[.]com\/colombo08125\/publicidada2024\/raw\/main\/citacion%20demanda%2004[.]zip<br \/>\nhxxps[:\/\/]github[.]com\/jairpicc\/demanda\/raw\/main\/demanda%20virtual[.]7z<br \/>\nhxxps[:\/\/]github[.]com\/mastermr02456\/radicado23984\/raw\/main\/citacion%20demanda[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/santiagonasar\/PUBLICIDAD2\/main\/CITACION%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/mastermr02456\/Radicado23984\/main\/CITACION%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/mastermr02456\/JUDICIAL-\/main\/Notificacion%20Judicial%20854651[.]Tar<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/mastermr02456\/Radicado2354\/main\/CITACION%20JUDICIAL[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/mastermr02456\/Radicado\/main\/Radicado_juridico_2141744[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20DEMANDA%2004[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/02%20CITACION%20JUDICIAL%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20DEMANDA%2001[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20DEMANDA%20JUDICIAL%20JUZGADO%20007%20CIVIL%20DEL%20CIRCUITO[.]zip<br 
\/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20DEMANDA%20JUDICIAL[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/colombo08125\/publicidada2024\/main\/CITACION%20JUDICIAL%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/MIGRAHIMOVIC\/MIGRAHIMOVIC\/main\/-%20PROCESO%20DEMANDA[.]REV<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/MIGRAHIMOVIC\/MIGRAHIMOVIC\/main\/10%20CITACION%20DEMANDA[.]zip<br \/>\nhxxps[:\/\/]raw[.]githubusercontent[.]com\/MIGRAHIMOVIC\/MIGRAHIMOVIC\/main\/CITACION%20DEMANDA[.]zip<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<h3><strong>C2<\/strong><\/h3>\n<p>gonzales2024[.]kozow[.]com[:]1313<br \/>\namarre2024[.]kozow[.]com[:]1313<br \/>\nmelo2024[.]kozow[.]com<br \/>\nquepasa2024[.]kozow[.]com<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The purpose of this report is to highlight a new threat actor that SCILabs identified and profiled during 
April<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-623","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=623"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/623\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
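The recommendations above ask defenders to block the listed IoCs, block free dynamic DNS services such as duckdns[.]org and kozow[.]com, and the IOC section publishes the download URLs and C2 hosts in defanged form using two different bracket styles (`hxxps[:]//` and `hxxps[://]`). The following Python script is an added example and is not code from the SCILabs report: it refangs a subset of the report's IoCs (copied verbatim), indexes them, and sweeps constructed proxy and DNS log lines for full-URL matches, exact C2 hosts, any other use of the two DDNS parents, and, as a heuristic derived from the naming pattern in Table 4 (gonzalez2024, melo2024, qpaisa2024, quepasa2024), unlisted `<word>2024` labels under those parents. The log format (`<timestamp> <src_ip> <event>`), the sample lines and the function names are assumptions made for this example.

```python
"""Refang the report's defanged IOCs and sweep proxy/DNS logs for them.

Added example for this page, not code from the SCILabs report. IOC strings
are copied from the report; the log lines below are constructed samples.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Subset of the report's download URLs, in both defanging styles it uses.
REPORT_URLS = [
    "hxxps[:]//drive[.]google[.]com/file/d/1ygbbzsxnkoq4j5hqmndmzgjlgsqrrqh6/view?usp=drive_web",
    "hxxps[:]//github[.]com/santiagonasar/publicidad2/raw/main/citacion%20demanda[.]zip",
    "hxxps[://]raw[.]githubusercontent[.]com/mastermr02456/Radicado23984/main/CITACION%20DEMANDA[.]zip",
]
REPORT_C2 = [
    "gonzales2024[.]kozow[.]com[:]1313",
    "amarre2024[.]kozow[.]com[:]1313",
    "melo2024[.]kozow[.]com",
    "quepasa2024[.]kozow[.]com",
]
# Free dynamic-DNS parents the report recommends blocking where not needed.
DDNS_PARENTS = ("duckdns.org", "kozow.com")
# Heuristic from Table 4: the actor's C2 labels look like <word>2024.
C2_NAME_RE = re.compile(r"^[a-z]+2024$")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CONNECT_RE = re.compile(r"\bCONNECT\s+([A-Za-z0-9.-]+):(\d+)")
DNS_RE = re.compile(r"\bquery\s+\S+\s+([A-Za-z0-9.-]+)")


def refang(ioc):
    """Undo bracket defanging: hxxp(s) -> http(s); [://] [:] [.] -> :// : ."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[://]", "://"), ("[:]", ":"), ("[.]", "."), ("(.)", ".")):
        s = s.replace(defanged, real)
    return s


def normalize_url(url):
    """Lower-case scheme and host, drop the fragment, keep path and query exact
    (the report advises blocking the full URL, so the path is compared as-is)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def build_index(urls, c2s):
    """Return (set of normalized URLs, dict C2 host -> port or None)."""
    url_set = {normalize_url(refang(u)) for u in urls}
    c2_hosts = {}
    for c in c2s:
        host, _, port = refang(c).lower().partition(":")
        c2_hosts[host] = int(port) if port else None
    return url_set, c2_hosts


def classify_host(host, c2_hosts):
    """'c2_host' for a listed C2, 'c2_pattern' for an unlisted <word>2024 label
    under a DDNS parent, 'ddns_parent' for any other use of those parents."""
    host = host.lower().rstrip(".")
    if host in c2_hosts:
        return "c2_host"
    for parent in DDNS_PARENTS:
        if host.endswith("." + parent):
            label = host[: -len(parent) - 1]
            return "c2_pattern" if C2_NAME_RE.match(label) else "ddns_parent"
    return None


def scan(lines, url_set, c2_hosts):
    """Return (source_ip, category, value) for each IOC match.
    Assumes the constructed format '<timestamp> <src_ip> <event ...>'."""
    findings = []
    for line in lines:
        fields = line.split()
        src = fields[1] if len(fields) > 1 else "?"
        if m := URL_RE.search(line):
            url = normalize_url(m.group(0))
            if url in url_set:
                findings.append((src, "download_url", url))
            host = urlsplit(url).hostname or ""
            if kind := classify_host(host, c2_hosts):
                findings.append((src, kind, host))
        elif m := CONNECT_RE.search(line):
            host, port = m.group(1).lower(), m.group(2)
            if kind := classify_host(host, c2_hosts):
                findings.append((src, kind, f"{host}:{port}"))
        elif m := DNS_RE.search(line):
            host = m.group(1).lower().rstrip(".")
            if kind := classify_host(host, c2_hosts):
                findings.append((src, kind, host))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-05-02T13:11:02Z 10.0.5.23 GET https://raw.githubusercontent.com/mastermr02456/Radicado23984/main/CITACION%20DEMANDA.zip 200",
    "2024-05-02T13:11:09Z 10.0.5.23 GET https://raw.githubusercontent.com/mastermr02456/Radicado23984/main/README.md 200",
    "2024-05-02T13:12:40Z 10.0.5.23 query A melo2024.kozow.com.",
    "2024-05-02T13:12:41Z 10.0.5.23 CONNECT gonzales2024.kozow.com:1313",
    "2024-05-02T13:15:00Z 10.0.7.9 query A qpaisa2024.kozow.com",
    "2024-05-02T13:16:12Z 10.0.9.4 query A nas-backup.duckdns.org",
    "2024-05-02T13:17:30Z 10.0.9.4 GET https://github.com/ 200",
]

if __name__ == "__main__":
    urls, c2 = build_index(REPORT_URLS, REPORT_C2)
    for src, kind, value in scan(SAMPLE_LOGS, urls, c2):
        print(f"{src:<10} {kind:<12} {value}")
```

The second sample line (a README in the same GitHub repository) deliberately produces no finding: the report recommends blocking entire URLs rather than repositories or hosts, so a hit requires the exact path. The `c2_pattern` and `ddns_parent` categories are lower-confidence than `c2_host` and `download_url` and should be triaged, not blocked blindly, since the DDNS parents also carry legitimate traffic.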