C0005 Operation Spalax

Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, however identified enough differences to report this as separate, unattributed activity.¹

Item	Value
ID	C0005
Associated Names
First Seen	November 2019
Last Seen	January 2021
Version	1.0
Created	16 September 2022
Last Modified	13 October 2022
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1583	Acquire Infrastructure	-
enterprise	T1583.001	Domains	For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.¹
enterprise	T1059	Command and Scripting Interpreter	For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware.¹
enterprise	T1140	Deobfuscate/Decode Files or Information	For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.¹
enterprise	T1568	Dynamic Resolution	For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.¹
enterprise	T1027	Obfuscated Files or Information	For Operation Spalax, the threat actors used XOR-encrypted payloads.¹
enterprise	T1027.002	Software Packing	For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.¹
enterprise	T1027.003	Steganography	For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files’ resource sections and build the next layer of execution from the data.¹
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.001	Malware	For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.¹
enterprise	T1588.002	Tool	For Operation Spalax, the threat actors obtained packers such as CyaX.¹
enterprise	T1566	Phishing	-
enterprise	T1566.001	Spearphishing Attachment	During Operation Spalax, the threat actors sent phishing emails that included a PDF document that in some cases led to the download and execution of malware.¹
enterprise	T1566.002	Spearphishing Link	During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link.¹
enterprise	T1608	Stage Capabilities	-
enterprise	T1608.001	Upload Malware	For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.¹
enterprise	T1218	System Binary Proxy Execution	-
enterprise	T1218.011	Rundll32	During Operation Spalax, the threat actors used `rundll32.exe` to execute malicious installers.¹
enterprise	T1204	User Execution	-
enterprise	T1204.001	Malicious Link	During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.¹
enterprise	T1204.002	Malicious File	During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.¹
enterprise	T1497	Virtualization/Sandbox Evasion	During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.¹
enterprise	T1102	Web Service	During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.¹

Software

ID	Name	Description
S0385	njRAT	¹

References

M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩