How the Packrat gang has targeted South America with malware for over seven years

David bisson
David Bisson
@

Hacking South America
A hacker group has spent the past seven years targeting countries in South America with malware campaigns, phishing attacks, and fake news organizations.

Researchers at Cyphort and Citizen Lab, which is housed at the Munk School of Global Affairs, have given the hacker group the name “Packrat” based upon its preference for embedded remote access trojans (RATs) and for its reliance on the same domains and servers over the course of several years.

In total, Packrat has used at least 12 different command-and-control (C&C) servers and 30 samples of malware, tools which are understood to be a significant factor behind the group’s ongoing resolve.

“We believe this is a highly targeted operation,” John Scott-Railton, lead researcher on The Citizen Lab team, told The Associated Press. “Packrat seems to carefully choose and then relentlessly go after its targets.”

Sign up to our free newsletter.
Security news, advice, and tips.

According to a report written by Scott-Railton and his colleagues, the group has been active since 2008. In that time, it has hit targets in Venezuela, Brazil, Argentina, and Ecuador, with the lattermost region having yielded the most data to the researchers.

1 packrat known targeting

The Cyphort-Citizen Lab team found that beginning in 2015, Packrat began conducting politically linked malware attacks in Ecuador, some of which might share C&C infrastructure with the AlienSpy malware that was found on controversial Argentine prosecutor Alberto Nisman’s cellphone following his suspicious death by gunshot.

Social engineering is believed to have played a part in each of these attacks insofar as the attackers used political bait content to trick their targets into opening a Word document containing malicious Java. Once the target clicked on an embedded image in that document, they would be infected with any number of malware samples, many of which the group had previously obfuscated using an unknown VB6 crypter, AutoIt3Wrapper, UPX, PECompact, PEtite, and/or Allatori Obfuscator.

12 malware families

The group’s engagement with Ecuador extends beyond malware attacks, however. Researchers at The Citizen Lab and Cyphort also noticed politically and non-politically motivated phishing emails, the latter of which mimic common requests for password verifications, notifications of suspicious login attempts, and the like.

Three fake news organizations – one concentrated around Ecuador, whereas two are more Venezuela-oriented – have been spotted, though the purpose behind these is currently unclear say the researchers.

“What makes these three fake organizations exceptionally interesting is that we have found no evidence that they are used to seed malware or conduct phishing, either directly, or as pretexts for messages. While it may be that we simply lack visibility on the targeting, it may be that the pages and identities serve another function. They may be attempts to seed false information, or might serve as watering holes to attract individuals that Packrat or its sponsors wish to monitor. They may also be coupled with other operations on which we have no visibility.”

32 desvinculados

By contrast, Packrat had clear visibility into the work of the research team during their analysis.

As noted in a story published by U.S. News & World Report, one of the hackers associated with Packrat at one point threatened the researcher while he was poking around a machine that the group had infected, stating that they were going to “analyze [his] brain with a bullet — and [his] family’s, too.”

The team notes that the hacker may have broken protocol and engaged with the researcher due to unwelcome tampering of Packrat’s files in the past. Such reactions should be taken seriously, but at the same time, they could provide invaluable insight to the extent that they can help reveal what assets are crucial for the group’s ongoing operations.

This report has no doubt shed some light on Packrat, which it must be assumed has operated in safety for several years. Now that the world knows about the hackers behind these attacks, they will no doubt need to tread more carefully moving forward. Let us hope that shift works in the favor of researchers like Scott-Railton and his colleagues.

Make sure to read Citizen Lab’s full analysis of Packrat, including its thoughts on who is behind the hacker group.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.