Bandook rat download

Proofpoint researchers identified a new group, TA2721, distributing Spanish-language email threats.

- The group often targets individuals with Spanish-language surnames at global organizations representing multiple different industries.
- The infection chain features a PDF containing a URL that leads to an encrypted RAR file which installs Bandook malware.
- The threat actor tends to use the same command and control (C2) infrastructure for weeks or months at a time. Proofpoint has only seen three different C2 domains in the last six months.
- Bandook is an old malware that is not used by many threat actors.

Proofpoint researchers identified a new and highly active threat group, TA2721, also colloquially referred to by our researchers as Caliente Bandits. Proofpoint researchers nicknamed the group Caliente Bandits for their use of Hotmail email accounts – “caliente” is the Spanish word for “hot.” The group uses Spanish-language lures to distribute a known – but infrequently used – remote access trojan (RAT) called Bandook. The group targets multiple industries from finance to entertainment.

Proofpoint researchers began tracking this group in January 2021 and have observed TA2721 distribute email threats delivering Bandook every week since April. The campaigns are low volume, with fewer than 300 messages per campaign. The threats target entities globally, but the threat actors mostly impact individuals with Spanish surnames at these organizations. Cybersecurity firm ESET first published details of the malware used by this group.

Figure 1: Email sample masquerading as a budget/quotation proposal.

TA2721 leverages the same type of budget or payment-themed lures throughout its campaigns to prompt a user to download a PDF.

Figure 2: PDF containing a malicious link and password that leads to the download of Bandook.

The attached PDF contains an embedded URL and password that, when clicked, leads to the download of a password-protected compressed executable that contains Bandook.

The targeting suggests TA2721 conducts reconnaissance and attack planning to obtain employee data and contact information. Proofpoint researchers observed TA2721 sending low-volume campaigns impacting fewer than 100 organizations at a time since January 2021. Targets include entities in manufacturing, automotive, food and beverage, entertainment and media, banking, insurance, and agriculture. Targeted organizations included entities in the U.S., Europe, and South America, both multinational organizations as well as smaller businesses. Only a handful of individuals are targeted at each organization, and most have Spanish-language surnames, such as Pérez, Castillo, Ortiz, etc.

The group appears to target individuals that may speak Spanish, increasing the likelihood of a successful compromise.
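The lure pattern described above, a PDF that carries both a download link and the password for the archive behind it, can be triaged on the defensive side before a user ever clicks. The following Python is an added example, not Proofpoint's tooling or anything from the original post; the embedded PDF, the example.invalid hostname, the path and the password are constructed placeholders.

```python
import re
import zlib

# Constructed sample (not a real lure): a minimal PDF whose link annotation
# points at an archive download and whose page text hands over the archive
# password. Hostname, path and password are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 66 >>
stream
BT /F1 12 Tf 72 700 Td (Presupuesto adjunto. Password: 1234) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 700]
/A << /S /URI /URI (https://example.invalid/dl/presupuesto.rar) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ARCHIVE_EXT = re.compile(r"\.(rar|zip|7z|ace|iso)(\?|#|$)", re.I)
PASSWORD_HINT = re.compile(r"(password|contraseña|clave)\s*[:=]?\s*(\S+)", re.I)


def inflate_streams(pdf: bytes) -> bytes:
    """Inflate every FlateDecode stream in place so the scans below also see
    URIs and text stored in compressed objects; other streams stay as-is."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return re.sub(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", _inflate, pdf, flags=re.S)


def triage_pdf(pdf: bytes) -> dict:
    """Flag a PDF that pairs an archive link with an on-page password (the TA2721
    lure). Literal strings and Tj only; hex strings/TJ arrays need a real parser."""
    data = inflate_streams(pdf)
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    page_text = b" ".join(re.findall(rb"\(([^)]*)\)\s*Tj", data)).decode("utf-8", "replace")
    hint = PASSWORD_HINT.search(page_text)
    archive_links = [u for u in uris if ARCHIVE_EXT.search(u)]
    return {
        "uris": uris,
        "archive_links": archive_links,
        "password_hint": hint.group(2) if hint else None,
        "suspicious": bool(archive_links) and hint is not None,
    }
```

A hit is a reason to block the URL at the gateway and detonate the archive with the recovered password in a sandbox, not a verdict on its own.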