Spam Campaign Targets Colombian Entities with Custom-made Remote Access Tools (Jul 18, 2019)
A spam campaign discovered by Trend Micro researchers was found targeting financial institutions and governmental organizations in the South American region, particularly in Colombia, using a new malware known as “Proyecto RAT.” Researchers believe the actors behind the campaign are regularly involved in business email compromise scams, and are unlikely to be affiliated with an Advanced Persistent Threat (APT). The main payload was a Remote Access Tool (RAT) known as Imminent Monitor. Researchers observed that this RAT downloaded and executed another payload, which is the Proyecto RAT. The actors relied on a disposable email address service called YOPmail for a command-and-control server.
Recommendation: Proyecto, Imminent Monitor, and other RATs often leave behind artifacts on the infected system that can be used as indicators of compromise. All systems within your organization should be monitored and protected with preventative measures wherever possible. Organizations should adopt best practices on messaging-related threats and regularly update systems to prevent attackers from taking advantage of any security gaps. Employing additional security mechanisms such as enabling firewalls and intrusion detection and prevention systems will help prevent suspicious network activities that may lead to data exfiltration or C&C communication.
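The report notes that the actors used the disposable email service YOPmail as a command-and-control channel, so one practical monitoring step is to flag hosts whose web traffic reaches that service. The following is an added example, not code from the original report or from Trend Micro: a small Python scanner that runs over constructed proxy log lines (the log format, IPs, usernames and URLs are assumptions) and reports which internal sources contacted a domain associated with the campaign's C2. Only yopmail.com is listed, since that is the service the report names; it deliberately does not match look-alike domains such as "notyopmail.com".

```python
import re
from collections import Counter

# Disposable-mail service the campaign used for command-and-control, per the report.
# Only yopmail.com is included; any further alias domains would be an assumption.
C2_ASSOCIATED_DOMAINS = {"yopmail.com"}

# Constructed proxy log layout (assumption, not a real product's format):
# "<timestamp> <src_ip> <user> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_IN_URL = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it has no scheme/host."""
    m = HOST_IN_URL.match(url)
    return m.group("host").lower() if m else None


def is_c2_associated(host):
    """True if host is a listed domain or a subdomain of one (label-boundary safe)."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in C2_ASSOCIATED_DOMAINS)


def find_c2_candidates(lines):
    """Parse proxy log lines and return a list of (timestamp, src_ip, user, host, url)
    for every request whose host is associated with the campaign's C2 service.
    Lines that do not fit the expected layout are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group("url"))
        if is_c2_associated(host):
            hits.append((m.group("ts"), m.group("src"), m.group("user"), host, m.group("url")))
    return hits


def count_by_source(hits):
    """Aggregate hits per internal source IP so a triage queue can be prioritised."""
    return dict(Counter(h[1] for h in hits))


# Constructed sample log; IPs, users and paths are made up for illustration.
SAMPLE_LOG = """\
2019-07-18T09:12:01Z 10.0.5.21 jdoe GET http://www.example.com/index.html 200
2019-07-18T09:12:44Z 10.0.5.21 jdoe GET http://yopmail.com/en/ 200
2019-07-18T09:13:10Z 10.0.5.21 jdoe GET http://www.yopmail.com/en/inbox.php?login=constructed-box 200
2019-07-18T09:15:02Z 10.0.7.8 asmith GET https://mail.example.org/ 200
2019-07-18T09:16:30Z 10.0.5.21 jdoe POST http://notyopmail.com/x 200
this line is malformed and should be ignored
"""

if __name__ == "__main__":
    found = find_c2_candidates(SAMPLE_LOG.splitlines())
    for ts, src, user, host, url in found:
        print(f"{ts} {src} ({user}) -> {host}  {url}")
    print("hits per source:", count_by_source(found))
```

Running it on the sample prints the two requests from 10.0.5.21 to yopmail.com hosts and a per-source count of two; the "notyopmail.com" request and the malformed line are not reported. In a real deployment the domain set would be fed from the organisation's threat intelligence feed and the log layout adjusted to the proxy or DNS logs actually available.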
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.