Monday, October 23, 2023
HomeCyber SecurityThe Universe of Threats in LATAM

The Universe of Threats in LATAM

ESET Analysis

ESET researchers reveal a rising sophistication in threats affecting the LATAM area by using evasion methods and high-value focusing on

Operation King TUT: The universe of threats in LATAM

Very similar to the life and mysterious demise of Pharaoh Tutankhamun, also referred to as King Tut, the menace panorama in Latin America (LATAM) stays shrouded in thriller. That is primarily as a result of restricted international consideration on the evolving malicious campaigns inside the area. Whereas notable occasions like ATM assaults, the banking trojans born in Brazil, and the Machete cyberespionage operations have garnered media protection, we’re conscious that there’s extra to the story.

In a parallel to how archaeological excavations of King Tut’s tomb make clear historical Egyptian life, we launched into a journey to delve into less-publicized cyberthreats affecting Latin American international locations. Our initiative, named Operation King TUT (The Universe of Threats), sought to discover this vital menace panorama. On October fifth, we offered the outcomes of our comparative evaluation on the Virus Bulletin 2023 convention: the complete convention paper might be learn right here.

Within the evaluation, we selected to look again at numerous publicly documented campaigns focusing on the LATAM area between 2019 and 2023, as might be seen within the timeline beneath. All of those cybercriminal actions are detected solely in Latin America and aren’t related to international crimeware. Since every of those operations has its personal distinctive traits and doesn’t seem linked to any identified menace actor, it’s extremely possible that a number of actors are at play.

Figure 1 - Timeline of publications on attacks in LATAM, tracked by ESET
Determine 1. Timeline of publications on assaults in LATAM, tracked by ESET

Our analysis revealed a notable shift from simplistic, opportunistic crimeware to extra advanced threats. Notably, now we have noticed a transition in focusing on, transferring from a give attention to most people to high-profile customers, together with companies and governmental entities. These menace actors frequently replace their instruments, introducing completely different evasion methods to extend the success of their campaigns. Moreover, they’ve expanded their crimeware enterprise past Latin America, mirroring the sample seen in banking trojans born in Brazil.

Our comparability additionally exhibits that almost all of malicious campaigns seen within the area are directed at enterprise customers, together with authorities sectors, by using primarily spearphishing emails to achieve potential victims, usually masquerading as acknowledged organizations inside particular international locations within the area, notably authorities or tax entities.

The precision and specificity noticed in these assaults level to a excessive degree of focusing on, indicating that the menace actors have detailed information about their meant victims. In these campaigns, attackers make the most of malicious parts like downloaders and droppers, largely created in PowerShell and VBS.

Relating to the instruments utilized in these malicious operations in Latin America, our observations point out a desire for RATs, notably from the njRAT and AsyncRAT households. Moreover, in campaigns primarily focusing on authorities entities, now we have recognized the usage of different malware households like Bandook and Remcos, albeit to a lesser extent.

Based mostly on the conclusions ensuing from our comparability, we imagine that there’s greater than only one group behind the proliferation of all these campaigns and that these teams are actively trying into completely different methods and methods for his or her campaigns to be as profitable as doable. Moreover, we suspect that socioeconomic disparities prevalent in Latin America could affect the modus operandi of attackers on this area, though this specific side falls past the scope of our analysis. The total VB2023 convention paper about Operation King TUT is obtainable right here.

Aggregated indicators of compromise (IoCs) can be found on our GitHub repository.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at

ESET Analysis presents non-public APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments