The leaked details included Cédula numbers (national ID documents issued to Colombian citizens), email addresses, phone numbers, client names, payment records, salary details, addresses, and more.
There is no evidence that the information was previously shared on dark or clear web forums, suggesting that the attackers themselves accessed customer data to carry out phishing attacks.
The Excel files containing exfiltrated banking data also embed macros that download a second-stage DLL payload, which in turn retrieves and executes BitRAT on the compromised host.
Qualys researcher Akshat Pradhan said, “We use the WinHTTP library to download the embedded BitRAT payload from GitHub to the %temp% directory.
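A defender-side check for the chain described above (Office macro reaching GitHub, DLL dropped under %temp%, BitRAT loaded from it), written here as an added example that is not the article's or Qualys's code; it assumes a constructed Sysmon-like event schema and the process names and host suffixes it lists, and it goes a step beyond the article by also flagging a loader process spawned by Office with a %temp% DLL on its command line.

```python
from collections import defaultdict

# Constructed process names and host suffixes; tune to your telemetry.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
PAYLOAD_HOST_SUFFIXES = ("github.com", "githubusercontent.com")
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def _in_temp(path):
    p = path.lower().replace("/", "\\")
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p

def detect_office_dll_chain(events):
    """Correlate Sysmon-like event dicts per host and return (host, reason) alerts.
    Events carry 'host', 'type', 'image'; plus 'dest' (network), 'path'
    (file_create) or 'parent'/'cmdline' (process_create). Constructed schema."""
    seen_github = defaultdict(bool)   # host -> an Office process reached GitHub
    alerts = []
    for ev in events:
        host, kind, image = ev["host"], ev["type"], _basename(ev["image"])
        if image in OFFICE_IMAGES and kind == "network":
            if ev.get("dest", "").lower().endswith(PAYLOAD_HOST_SUFFIXES):
                seen_github[host] = True
        elif image in OFFICE_IMAGES and kind == "file_create":
            path = ev.get("path", "")
            if path.lower().endswith(".dll") and _in_temp(path) and seen_github[host]:
                alerts.append((host, f"Office process fetched from GitHub then wrote {path}"))
        elif kind == "process_create" and image in DLL_LOADERS:
            if _basename(ev.get("parent", "")) in OFFICE_IMAGES and _in_temp(ev.get("cmdline", "")):
                alerts.append((host, f"{image} spawned by Office loads DLL from %temp%: {ev['cmdline']}"))
    return alerts

# Constructed sample telemetry: ws01 shows the chain, ws02 is benign browser noise.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "network", "image": EXCEL, "dest": "raw.githubusercontent.com"},
    {"host": "ws01", "type": "file_create", "image": EXCEL, "path": r"C:\Users\ana\AppData\Local\Temp\update.dll"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe", "parent": EXCEL,
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\update.dll,Start"},
    {"host": "ws02", "type": "network", "image": CHROME, "dest": "github.com"},
    {"host": "ws02", "type": "file_create", "image": CHROME, "path": r"C:\Users\bob\Downloads\tool.dll"},
]
```

Running `detect_office_dll_chain(SAMPLE_EVENTS)` yields two alerts for ws01 and none for ws02, since a browser downloading a DLL outside %temp% does not match the chain.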
Commercial malware available on underground forums for as little as $20, BitRAT contains data
“Commercial off-the-shelf RATs have evolved the methods of spreading and infecting victims,” said Pradhan. “They are also increasing their use of legitimate infrastructure to host their payloads, and defenders must take responsibility for that.”