DCRat Targets Latin American Users to Steal Banking Credentials

IBM X-Force has uncovered a series of targeted email campaigns orchestrated by Hive0131, a financially motivated threat group likely originating from South America.

Observed in early May 2025, these campaigns specifically target users in Colombia, masquerading as official notifications from The Judiciary of Colombia, particularly the Civil Circuit of Bogota.

The attacks aim to deliver the notorious banking trojan DCRat, a Malware-as-a-Service (MaaS) tool known for its affordability and widespread use in the region since at least 2024.

Priced at a mere USD 7 for a two-month subscription and heavily marketed on Russian cybercrime forums since 2018, DCRat has become a go-to weapon for stealing sensitive banking credentials and other personal information.

[Figure: RAMA infection chain]

Hive0131’s Latest Phishing Campaign in Colombia

The infection chains employed by Hive0131 are sophisticated and varied, designed to evade detection while luring unsuspecting victims into executing malicious payloads.

One method involves phishing emails with PDF attachments containing embedded TinyURL links.

When clicked, these links redirect to a ZIP archive harboring a malicious JavaScript file that fetches additional payloads from paste[.]ee sites.

The JavaScript eventually runs a PowerShell command that downloads a file disguised as a JPG image; the file carries a base64-encoded loader, which X-Force names VMDetectLoader, that ultimately deploys DCRat directly in memory.
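The "disguised JPG" stage described above is a useful place to add a defensive check. The following Python example is added here and is not X-Force's code or a tool from the report: it flags a file whose extension claims an image but whose bytes lack the image magic number, and it scans the content for long base64 runs that decode to a Windows PE (an `MZ` header). The sample files are constructed inline; the filename and byte contents are assumptions, not artefacts from the campaign.

```python
import base64
import re

# Magic bytes expected for the file type the extension claims.
# Constructed lookup covering only the image types this check needs.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# A loader embedded as text shows up as a long run of base64 alphabet.
# 200 characters (150 decoded bytes) is far below any real executable size,
# so the threshold only filters out short tokens such as URLs or IDs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def has_valid_magic(name, data):
    """True/False if the extension is known, None if we cannot judge."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    signatures = MAGIC.get(ext)
    if signatures is None:
        return None
    return any(data.startswith(sig) for sig in signatures)


def find_embedded_pe(data):
    """Return (offset, decoded_length) for every base64 run that decodes to a PE."""
    hits = []
    for match in B64_RUN.finditer(data):
        chunk = match.group(0)
        chunk += b"=" * (-len(chunk) % 4)  # repair missing padding before decoding
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue  # not valid base64 after all
        if decoded[:2] == b"MZ":
            hits.append((match.start(), len(decoded)))
    return hits


def assess(name, data):
    """Combine both signals into one verdict for a downloaded file."""
    magic_ok = has_valid_magic(name, data)
    embedded = find_embedded_pe(data)
    return {
        "name": name,
        "magic_ok": magic_ok,
        "embedded_pe": embedded,
        # Suspicious when the header contradicts the extension or a PE is hidden inside.
        "suspicious": magic_ok is False or bool(embedded),
    }


# Constructed samples: a fake PE (MZ header plus filler) encoded as base64 and
# saved under a .jpg name, beside a minimal file that really starts like a JPEG.
FAKE_PE = b"MZ" + b"\x90" * 300
DISGUISED_JPG = base64.b64encode(FAKE_PE)
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60

if __name__ == "__main__":
    for fname, blob in (("loader_disguised.jpg", DISGUISED_JPG), ("photo.jpg", REAL_JPG)):
        print(assess(fname, blob))
```

Run on real downloads the check is cheap enough to sit in a proxy or mail-gateway post-processing step; the magic-number mismatch alone is a strong signal, and the decoded `MZ` header confirms what is being smuggled.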

Another vector uses emails with embedded Google Docs links leading to password-protected ZIP files containing batch file downloaders.

[Figure: sample email with Google Docs link]

These downloaders retrieve obfuscated VBScripts and PowerShell scripts, culminating in the same VMDetectLoader executing the trojan.

VMDetectLoader, built on the open-source VMDetector project, incorporates anti-analysis features to detect virtual machines and sandbox environments, ensuring it only runs on genuine victim systems.

DCRat itself is a formidable threat with capabilities that include bypassing Windows’ Antimalware Scan Interface (AMSI), killing blocklisted processes, and establishing persistence through scheduled tasks or registry keys.

Its plugins enable extensive malicious activities such as keylogging, clipboard data theft, file encryption, and even recording victims via their microphones or cameras.

Once deployed, it connects to a command-and-control (C2) server to receive instructions, often targeting banking credentials for financial gain.

IBM X-Force notes that while Hive0131 typically deploys other malware like QuasarRAT and NjRAT, the shift to DCRat in recent campaigns signals an evolving threat landscape in Latin America, where phishing remains a prevalent attack vector.

Organizations in the region are urged to bolster their defenses by scrutinizing emails with links or attachments, monitoring for signs of process injection or unauthorized scheduled tasks, and ensuring robust endpoint security configurations to mitigate such threats.
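The monitoring advice above, "unauthorized scheduled tasks", can be made concrete. The Python example below is added here and is not part of the report or any IBM tooling: it triages Windows Security event 4698 (scheduled task created) records by parsing the task XML in `TaskContent`, extracting each `<Exec>` action, and scoring it on signals that match the chain described in this article (a script host such as PowerShell or WScript as the command, a payload path under a user-writable directory, an encoded command, or a download cmdlet in the arguments). The event records are constructed inline; task names, user names and paths are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Script interpreters commonly used to run downloaded payloads. Their presence
# is one signal among several, not a verdict on its own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Locations an ordinary user can write to; legitimate system tasks rarely run from them.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%)",
    re.I,
)
ENCODED_ARG = re.compile(r"-(encodedcommand|enc|e)\b", re.I)
DOWNLOADER = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin", re.I)


def _local(tag):
    """Strip the XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] for every <Exec> action in a task definition."""
    # Real 4698 events carry an encoding="UTF-16" declaration although the text is
    # already decoded; drop the declaration so the parser does not trip over it.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    actions = []
    for element in root.iter():
        if _local(element.tag) != "Exec":
            continue
        command = arguments = ""
        for child in element:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                arguments = (child.text or "").strip()
        actions.append((command, arguments))
    return actions


def score_action(command, arguments):
    """Return the list of reasons an action looks suspicious (empty if none)."""
    reasons = []
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe}")
    if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
        reasons.append("path in user-writable location")
    if ENCODED_ARG.search(arguments):
        reasons.append("encoded command argument")
    if DOWNLOADER.search(arguments):
        reasons.append("download cmdlet in arguments")
    return reasons


def triage_events(events):
    """Apply score_action to every Exec action in a list of 4698-style records."""
    findings = []
    for event in events:
        for command, arguments in parse_task_actions(event["TaskContent"]):
            reasons = score_action(command, arguments)
            if reasons:
                findings.append({
                    "task": event["TaskName"],
                    "user": event["SubjectUserName"],
                    "command": command,
                    "arguments": arguments,
                    "reasons": reasons,
                })
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(command, arguments):
    """Build a minimal Task Scheduler XML body (constructed sample, real namespace)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
        f'<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>'
        '</Exec></Actions></Task>'
    )


# Constructed 4698 records: one ordinary vendor updater, one task that launches a
# hidden PowerShell script from the user's roaming profile.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\VendorUpdateTask",
     "TaskContent": _task_xml(r"C:\Program Files (x86)\Vendor\Updater.exe", "/check /silent")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Constructed\UserUpdate",
     "TaskContent": _task_xml("powershell.exe",
                              r"-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\jdoe\AppData\Roaming\update.ps1")},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["task"], finding["user"], finding["reasons"])
```

In production the records would come from the Security log (or a SIEM export) rather than the inline list; the scoring deliberately reports reasons instead of a single boolean so an analyst can tune which combinations page someone and which only get logged.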

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Context |
|---|---|---|
| 4ce1d456fa8831733ac01c4a2a32044b6581664d311b8791bb2efaa2a1d01f17 | SHA256 | Carrier File |
| 1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140 | SHA256 | DCRat |
| 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7 | SHA256 | Obfuscated .NET Loader |
| hxxps://tinyurl[.]com/2ypy4jrz?id=5541213d-0ed8-4516-82e7-5460d4ebaf3b | URL | Embedded PDF Link |
| hxxps://archive[.]org/download/new_ABBAS/new_ABBAS.jpg | URL | JPG Download URL |

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.