“Packrat” Threat Group Targets Latin America

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries.

The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

Packrat Activity

Researchers believe Packrat began its activity in 2008 and that up until 2013 it used various pieces of malware to target users in Brazil, although there are no confirmed victims from this period.

Packrat activity was also observed in 2014 when the attackers planted the Java-based RAT known as AlienSpy on the Android phone of Alberto Nisman, a controversial Argentine lawyer who was killed in January 2015. Police in Argentina uncovered the RAT, which had been disguised as a harmless document file, on Nisman’s phone after his death. Reports later surfaced about the same malware being used to target Argentine journalist and writer Jorge Lanata, and Maximo Kirchner, son of Argentina’s President Cristina Fernandez.

In 2015, according to experts, Packrat appears to have focused its activities on Ecuador, where it has targeted the government, government opponents, journalists, and parliamentarians. The group has also targeted Venezuela and the Venezuelan diaspora.

Packrat Tools and Methods

The threat group is known to have used malware in attacks aimed at users in Brazil and Argentina. In attacks aimed at Venezuela, the attackers mainly appear to have focused on spreading false information using bogus opposition groups and news websites. In Ecuador, Packrat leveraged not only malware and fake organizations, but also SMS and email-based phishing attacks. Researchers have found several public reports of phishing and malware attacks in Ecuador that they have managed to tie to Packrat.


Experts have uncovered a total of 30 malware samples and 12 command and control (C&C) domains used by the group. Shared C&C infrastructure and other clues have allowed researchers to link malicious activity in several Latin American countries to Packrat.
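The linking step described above, pivoting on shared C&C domains to group samples seen in different countries, is essentially a connected-components problem over a bipartite sample/domain graph. The following is an added illustration, not code or data from the Citizen Lab or Cyphort research; the sample identifiers, domains (all under the reserved `.example` TLD) and country codes are constructed placeholders.

```python
from collections import defaultdict

# Constructed records for illustration only: a placeholder sample id maps to the
# C&C domains it contacts and the country where the sample was observed.
# None of these values come from the Packrat report.
SAMPLES = {
    "sample-A": {"country": "AR", "domains": {"c2-one.example", "c2-two.example"}},
    "sample-B": {"country": "EC", "domains": {"c2-two.example"}},
    "sample-C": {"country": "VE", "domains": {"c2-three.example"}},
    "sample-D": {"country": "BR", "domains": {"c2-three.example", "c2-one.example"}},
    "sample-E": {"country": "EC", "domains": {"unrelated.example"}},
}


class DisjointSet:
    """Union-find over arbitrary hashable nodes (samples and domains)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_infrastructure(samples):
    """Group samples that share at least one C&C domain, transitively.

    Two samples that never contact the same domain still end up in one cluster
    if a chain of shared domains connects them, which is how a single actor's
    activity across several countries becomes visible.
    """
    ds = DisjointSet()
    for sample_id, rec in samples.items():
        node = ("sample", sample_id)
        ds.find(node)  # register isolated samples as their own cluster
        for domain in rec["domains"]:
            ds.union(node, ("domain", domain))
    clusters = defaultdict(set)
    for sample_id in samples:
        clusters[ds.find(("sample", sample_id))].add(sample_id)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def countries_per_cluster(samples):
    """For each cluster, the set of countries its samples were seen in."""
    return [sorted({samples[s]["country"] for s in cluster})
            for cluster in cluster_by_infrastructure(samples)]


if __name__ == "__main__":
    for cluster, countries in zip(cluster_by_infrastructure(SAMPLES),
                                  countries_per_cluster(SAMPLES)):
        print(cluster, "->", countries)
```

With the constructed data, samples A through D collapse into one cluster spanning four countries even though no single domain is shared by all of them, while sample E stays isolated; in practice the same pivot is run over passive DNS and hosting data rather than a hand-built dictionary.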

The attackers have mainly relied on off-the-shelf malware to compromise victims’ machines and steal information. Between 2008 and 2013, Packrat used the RATs known as CyberGate and XtremeRAT, and in 2014-2015 they started using AlienSpy and Adzok. While these are known malware families, the attackers attempted to avoid detection by adding a layer of obfuscation using tools such as AutoIt3Wrapper, UPX, PECompact, PEtite, and Allatori Obfuscator.
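Wrapping a known RAT in a packer defeats signature matching but leaves its own traces, which is why defenders triage suspicious executables for packer artefacts before anything else. The following added example (not code from the article or from the researchers) shows two cheap heuristics: section names that packers such as UPX, PEtite and PECompact commonly leave behind, and Shannon entropy of section contents, since compressed or encrypted payloads approach 8 bits per byte. The UPX and PEtite section names are well documented; the PECompact names are the ones commonly reported by triage tools and are included as an assumption. The section data is constructed inline, so the script runs without any real binary.

```python
import math

# Section names commonly associated with the packers named in the article.
# Treat a hit as a hint for deeper analysis, not as proof of packing: names are
# trivially renamed, and their absence says nothing.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".petite": "PEtite",
    "pec1": "PECompact", "PEC2": "PECompact",  # assumed common PECompact names
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or constant data, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_sections(sections, entropy_threshold=7.0, min_size=256):
    """Return human-readable findings for a list of (section_name, raw_bytes).

    Very small sections are skipped for the entropy check because entropy of a
    few bytes is not meaningful.
    """
    findings = []
    for name, raw in sections:
        packer = PACKER_SECTION_NAMES.get(name)
        if packer:
            findings.append(f"{name}: section name associated with {packer}")
        ent = shannon_entropy(raw)
        if len(raw) >= min_size and ent >= entropy_threshold:
            findings.append(f"{name}: high entropy {ent:.2f}, "
                            "compressed or encrypted content likely")
    return findings


def looks_packed(sections) -> bool:
    return bool(triage_sections(sections))


# Constructed section contents: a plausible unpacked layout versus a UPX-style
# layout whose UPX1 section holds every byte value equally often (entropy 8.0).
CLEAN_SECTIONS = [
    (".text", b"push ebp; mov ebp, esp; " * 200),
    (".data", b"\x00" * 1024),
]
PACKED_SECTIONS = [
    ("UPX0", b"\x00" * 512),
    ("UPX1", bytes(range(256)) * 16),
]

if __name__ == "__main__":
    for label, secs in (("clean", CLEAN_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, "->", triage_sections(secs) or ["no packer indicators"])
```

Real PE parsing (for example with a library such as pefile) would supply the `(name, raw_bytes)` pairs; the heuristics themselves are deliberately independent of the parser so they can be applied to whatever section listing a sandbox or disassembler exports.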

The malware was in many cases delivered via emails containing specially crafted documents or links pointing to malicious websites.

As for phishing attacks, experts have observed both political and non-political campaigns. The threat group sometimes targeted regular email accounts, such as Gmail, while in other cases they set up phishing pages designed to mimic government portals.

Attribution

Most of the evidence, although in many cases circumstantial, suggests that the attackers are sponsored by one or more nation states. At one point during the investigation the attackers started communicating with the researchers, making threats in an effort to convince them to back off.

This hypothesis is based on the nature of the targets, the politically-themed disinformation campaigns, the high financial costs of maintaining the attack infrastructure, and the fact that they haven’t shut down their servers after being exposed, which suggests that they are not afraid of authorities. If this theory is correct, the attackers could work for a single intelligence or security service, or they could be mercenaries working for one or multiple governments.

On the other hand, it’s also possible that Packrat is a criminal group or an entity with political ambitions. This is largely based on the fact that the threat actor hasn’t used any technically sophisticated tools or ones known to be leveraged by governments for espionage (e.g. FinFisher, Hacking Team products). However, the use of less sophisticated methods and tools by APT actors is not unheard of, particularly in the Middle East.

“Packrat highlights the extent to which multi-year campaigns can be run using limited technical sophistication, and a lot of creativity. From a technical perspective, they rely almost entirely on off-the-shelf RATs and packers to evade antivirus detection. Where they excel is in the time and effort spent to create detailed and moderately convincing fake organizations to seed their malware,” Citizen Lab explained in its report.

“Their persistence, and their willingness to keep using domains even after they are exposed suggests that exposure of their infrastructure is not an existential threat. Their threats and taunts are similarly brazen. This strongly suggests, but does not prove, that Packrat operates with a perception of safety,” experts noted.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
