Operation Spalax
Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, however identified enough differences to report this as separate, unattributed activity.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1568 | 动态解析 |
For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.[1] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.[1] |
|
| Enterprise | T1059 | 命令与脚本解释器 |
For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.[1] |
|
| Enterprise | T1608 | .001 | 暂存能力: Upload Malware |
For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.[1] |
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing |
For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.[1] |
| .003 | 混淆文件或信息: Steganography |
For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.[1] |
||
| .013 | 混淆文件或信息: Encrypted/Encoded File |
For Operation Spalax, the threat actors used XOR-encrypted payloads.[1] |
||
| Enterprise | T1204 | .001 | 用户执行: Malicious Link |
During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.[1] |
| .002 | 用户执行: Malicious File |
During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.[1] |
||
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
During Operation Spalax, the threat actors used |
| Enterprise | T1102 | 网络服务 |
During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.[1] |
|
| Enterprise | T1583 | .001 | 获取基础设施: Domains |
For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.[1] |
| Enterprise | T1588 | .001 | 获取能力: Malware |
For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.[1] |
| .002 | 获取能力: Tool |
For Operation Spalax, the threat actors obtained packers such as CyaX.[1] |
||
| Enterprise | T1497 | 虚拟化/沙盒规避 |
During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.[1] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
During Operation Spalax, the threat actors sent phishing emails that included a PDF document that in some cases led to the download and execution of malware.[1] |
| .002 | 钓鱼: Spearphishing Link |
During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link.[1] |
||