ESET discovers Operation Spalax: Colombian government and industry sector under targeted attack

January 14, 2021

In 2020, ESET researchers observed several attacks exclusively targeting Colombian entities, which have collectively been dubbed Operation Spalax. These attacks are ongoing and are focused on both government institutions and private companies, especially in the energy and metallurgical industries. The attackers rely on the use of remote access trojans, most likely to conduct cyber-espionage activities.

Targets are approached with emails that lead to the download of malicious files. In most cases, these emails have a PDF document attached containing a link that the user must click. The downloaded files are regular RAR archives that have an executable file inside. These archives are hosted in legitimate file hosting services such as OneDrive or MediaFire. The phishing emails can be a notification to take a mandatory COVID-19 test, attend a court hearing, or pay traffic fines, or they may concern the freezing of bank accounts.

The payloads used in Operation Spalax are remote access trojans. These provide several capabilities not only for remote control, but also for spying on targets: keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other malware, to name a few.

“ESET observed at least 24 different IP addresses in use during the second half of 2020. These are probably compromised devices that act as proxies for their C&C servers. This, combined with the use of dynamic DNS services, means that their infrastructure never stays still. We have seen at least 70 domain names active in this time frame, and they register new ones on a regular basis,” says Matías Porolli, an ESET researcher who investigated Spalax.

Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described by other researchers last year. The landscape has changed from a campaign with a handful of C&C servers and domain names into a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.

The attacks ESET saw in 2020 share some TTPs with previous reports about groups targeting Colombia, but also differ in many ways, thus making attribution difficult.

For more technical details about Operation Spalax, read the blog post “Operation Spalax: Targeted malware attacks in Colombia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

You must login or register in order to post a comment.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

ESET discovers Operation Spalax: Colombian government and industry sector under targeted attack

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

ESET discovers Operation Spalax: Colombian government and industry sector under targeted attack

Related Articles

Related Events

Report Abusive Comment

The latest news and information

Content written for business-minded executives who manage enterprise risk and security