ESET researchers have documented a surge in the sophistication of threats affecting the Latin America (LATAM) region, with threat actors adopting evasion techniques and targeting high-value entities.
This finding follows widely covered events such as ATM attacks, the emergence of banking trojans in Brazil, and the Machete cyberespionage operations, although the researchers believe there is more to the story.
In an effort to dive deeper into the underreported cyberthreats affecting Latin American countries, ESET conducted an initiative called Operation King TUT (The Universe of Threats). The results of this research were presented on October 5th at the Virus Bulletin 2023 conference.
The analysis from ESET focused on publicly documented campaigns targeting the LATAM region between 2019 and 2023, revealing a significant shift from simplistic, opportunistic cybercrime to more sophisticated threats. Notably, there has been a transition in targeting, shifting from the general public to high-profile users, including businesses and government entities.
Furthermore, threat actors have been observed updating their tools and employing different evasion techniques to enhance the success of their campaigns. They have also expanded their crimeware business beyond Latin America, mirroring the pattern seen in banking trojans born in Brazil.
ESET’s comparative analysis has shown that the majority of malicious campaigns seen in the region are directed at enterprise users, including government sectors, primarily through spearphishing emails. These emails often masquerade as recognized organizations within specific countries in the region, particularly government or tax entities.
The precision and specificity observed in these attacks indicate a high level of targeting, suggesting that the threat actors have detailed knowledge of their intended victims. Malicious components such as downloaders and droppers, mostly written in PowerShell and VBS, are used in these campaigns.
Regarding the tools used in these malicious operations, ESET’s observations indicate a preference for Remote Access Trojans (RATs) from the njRAT and AsyncRAT families. Additionally, campaigns primarily targeting government entities have been found to use other malware families like Bandook and Remcos.
Based on their findings, ESET believes that more than one group is behind the proliferation of these campaigns and that these groups are actively exploring different techniques to make their campaigns as successful as possible. The researchers also suspect that socioeconomic disparities in Latin America may influence the modus operandi of attackers in this region.
The full VB2023 conference paper about Operation King TUT is available for further review. Moreover, aggregated indicators of compromise (IoCs) are available on the organization’s GitHub repository.
For any inquiries about ESET’s research published on WeLiveSecurity, individuals are encouraged to contact the team via email. Additionally, ESET Research offers private APT intelligence reports and data feeds; inquiries about these should be directed to the ESET Threat Intelligence page.
In conclusion, ESET’s research sheds light on the growing sophistication of cyber threats affecting the LATAM region and underscores the need for continued vigilance and proactive measures to mitigate the impact of these evolving threats.