An ongoing spam campaign by APT-C-36 is targeting South American entities with commodity RATs for financial benefits. It is reportedly deploying multiple RATs such as njRAT, BitRAT, Async RAT, and Lime RAT.

APT-C-36 is using fraudulent emails disguised to be from Colombia’s national directorate of taxes and customs. The emails state that a seizure order has been issued for a bank account and further details are provided inside the email attachment. The information is protected with the password ‘dian’.

Spam emails used in the campaign claim to have a photo as proof of the recipient’s partner’s affair. Just like other emails, recipients are urged to open the email attachment named attached picture[.]jpg, and ‘foto’ is the password provided by hackers.The sender’s email address is spoofed and disguised as DIAN or a Hotmail address portrayed as a fake female profile.

These emails use PDF/DOCX files including a link as delivery documents. When clicked, recipients are taken to a file hosting site that automatically downloads an archive laden with BitRAT.

Most of the targets are based in Colombia, however, some were based in Ecuador, Spain, and Panama. Some of the spear-phishing emails were written in Spanish.

APT-C-36, over time, appears to have become efficient in using different link shorteners and RATs within phishing emails. It has worked on improving its techniques of spreading malware while avoiding detection. It’s important to keep an eye on this threat group to avoid any unpleasant surprises.