Operation Spalax: Targeted malware attacks in Colombia

Operation Spalax: Targeted malware attacks in Colombia

ESET researchers uncover attacks targeting Colombian government institutions and private companies, especially from the energy and metallurgical industries



In 2020 ESET saw several attacks targeting Colombian entities exclusively. These attacks are still ongoing at the time of writing and are focused on both government institutions and private companies. For the latter, the most targeted sectors are energy and metallurgical. The attackers rely on the use of remote access trojans, most likely to spy on their victims. They have a large network infrastructure for command and control: ESET observed at least 24 different IP addresses in use in the second half of 2020. These are probably compromised devices that act as proxies for their C&C servers. This, combined with the use of dynamic DNS services, means that their infrastructure never stays still. We have seen at least 70 domain names active in this timeframe and they register new ones on a regular basis.


The attackers


The attacks we saw in 2020 share some TTPs with previous reports about groups targeting Colombia, but also differ in many ways, thus making attribution difficult.


One of those reports was published in February 2019, by QiAnXin researchers. The operations described in that blogpost are connected to an APT group active since at least April 2018. We have found some similarities between those attacks and the ones that we describe in this article:


We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Po ..