Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, but identified enough differences to report this as separate, unattributed activity.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.[1] |
| Enterprise | T1568 | Dynamic Resolution | For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.[1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | For Operation Spalax, the threat actors used XOR-encrypted payloads.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For Operation Spalax, the threat actors obtained packers such as CyaX.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During Operation Spalax, the threat actors sent phishing emails that included a PDF document that in some cases led to the download and execution of malware.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | During Operation Spalax, the threat actors used |
| Enterprise | T1204.001 | User Execution: Malicious Link | During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.[1] |
| Enterprise | T1102 | Web Service | During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.[1] |
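The T1583.001 and T1568 rows above both turn on the campaign's use of free dynamic DNS providers (Duck DNS and DNS Exit) for C2. As an added example that is not part of the ATT&CK page or the underlying ESET reporting, the following Python script flags DNS queries for subdomains of such providers in a small DNS log. The log format and every host name in it are constructed; `duckdns.org` is Duck DNS's own domain, while the other suffixes in the watch list are assumptions standing in for DNS Exit's free domains and should be replaced with a list the defender has verified.

```python
"""Flag DNS queries to free dynamic DNS providers in a simple DNS log.

Added example, not code from the ATT&CK page or the campaign report.
The log format and host names are constructed; the suffix list is an
assumption a defender would tune to their environment.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dynamic DNS suffixes to watch. duckdns.org is Duck DNS's free domain;
# the remaining entries are ASSUMED examples standing in for DNS Exit's
# free subdomain offerings and must be verified before production use.
DYNDNS_SUFFIXES = (
    "duckdns.org",
    "linkpc.net",      # assumption: DNS Exit free domain
    "publicvm.com",    # assumption: DNS Exit free domain
)

# Constructed sample log, one query per line:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2021-01-12T09:14:02Z 10.20.1.15 A updates.microsoft.com
2021-01-12T09:14:07Z 10.20.1.15 A example-host.duckdns.org
2021-01-12T09:14:09Z 10.20.1.15 A onedrive.live.com
2021-01-12T09:15:41Z 10.20.1.22 A another-host.linkpc.net
2021-01-12T09:15:44Z 10.20.1.15 A example-host.duckdns.org
2021-01-12T09:16:10Z 10.20.1.30 AAAA www.example.com
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    qname: str
    provider: str  # the suffix that matched


def match_suffix(qname: str) -> Optional[str]:
    """Return the watched suffix if qname is a *subdomain* of it.

    The provider's apex (e.g. duckdns.org itself, reached when someone
    browses the provider's website) is deliberately not flagged: only
    hosts registered underneath it are of interest. Matching is done on
    whole DNS labels so that e.g. 'notduckdns.org' does not match.
    """
    labels = qname.lower().rstrip(".").split(".")
    for suffix in DYNDNS_SUFFIXES:
        suffix_labels = suffix.split(".")
        n = len(suffix_labels)
        if len(labels) > n and labels[-n:] == suffix_labels:
            return suffix
    return None


def parse_line(line: str) -> Optional[tuple]:
    """Split one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, client_ip, _qtype, qname = parts
    return timestamp, client_ip, qname


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per query whose name sits under a watched suffix."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crash
        timestamp, client_ip, qname = parsed
        provider = match_suffix(qname)
        if provider is not None:
            hits.append(Hit(timestamp, client_ip, qname, provider))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count flagged queries per client, the usual triage pivot."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} -> {h.qname} ({h.provider})")
    print("per-client counts:", summarize(found))
```

A query to a dynamic DNS subdomain is not malicious on its own, so the per-client summary is meant as a pivot for triage: a host that repeatedly resolves the same freshly registered dynamic DNS name, especially shortly after opening a phishing attachment, is the pattern worth chasing. Matching on whole labels keeps look-alike registered domains out of the results.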