

This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes. These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters.

After observing a wave of attacks in Ecuador in 2015, we linked these attacks to a campaign active in Argentina in 2014. The targeting in Argentina was discovered when the attackers attempted to compromise the devices of Alberto Nisman and Jorge Lanata. Building on what we had learned about these two campaigns, we then traced the group’s activities back as far as 2008.

This report brings together many of the pieces of this campaign, from malware and phishing, to command and control infrastructure spread across Latin America. It also highlights fake online organizations that Packrat has created in Venezuela and Ecuador.

Who is responsible? We assess several scenarios, and consider the most likely to be that Packrat is sponsored by a state actor or actors, given their apparent lack of concern about discovery, their targets, and their persistence. However, we do not conclusively attribute Packrat to a particular sponsor.

Part 1: Packrat’s Seven Years of Activity

The authors on this report have been independently investigating malware and phishing campaigns in Latin America. This report is the result of discovering that the cases we have been investigating are linked by a common threat actor with targeting in several countries, including Venezuela, Ecuador, Argentina, and Brazil. We refer to this threat actor as Packrat, to highlight their preference for packed, commodity Remote Access Trojans (RATs), and their retention of the same domains and servers over many years. We chart Packrat’s activities back to at least 2008. Through correlation of network infrastructure, we identified several waves of activity, coupled with changes in tools and tactics. This section provides a brief chronology of Packrat’s network infrastructure and activities.

Tools and infrastructure used by Packrat suggest that they have been active since at least 2008. For a detailed chronology of the malware used, see 3. During this period, Packrat used hosting services in Brazil, and some of their malware samples were uploaded from Brazilian IP space to popular online virus scanning services. Some of the messages they sent also contained Brazilian bait content.
