Group targeted politicians, journalists, and dissidents

Dec 9, 2015 22:37 GMT  ·  By

A cyber-espionage group has been spreading spyware and remote access trojans (RATs) among high-profile South American targets for the past seven years, a recently released report from Citizen Lab reveals.

The group, named Packrat, has an affinity for RATs and has been seen using remote access trojans like Adzok, AlienSpy, CyberGate, and XTreme RAT.

Most of their victims fall into three main categories: political figures, journalists, and anti-establishment dissidents. Citizen Lab has identified targets in multiple South American countries such as Argentina, Brazil, Ecuador, and Venezuela.

While most of the victims were largely unknown, some high-profile targets were also hit. These include Alberto Nisman, an Argentinian prosecutor who died in mysterious circumstances earlier this year, Argentinian TV host Jorge Lanata, Maximo Kirchner, the son of former Argentine president Nestor Kirchner, Cesar Ricaurte, director of Fundamedios, a press freedom watchdog in Ecuador, and Martha Roldos, an Ecuadorian environmental activist.

Packrat has launched 600 attacks since 2008

Between 2008 and 2013, the group was primarily active in Brazil, but despite their best efforts, the Citizen Lab team has failed to identify any targets from that period, mainly because of the amount of time that has passed since those incidents.

In 2014, the group moved to Argentinian targets, while slowly setting up phishing domains, which would later be used in 2015 against targets in Ecuador and Venezuela.

Packrat operations across time

Most of the time, like any other cyber-gang interested in solitary targets like journalists, politicians, and dissidents, the group used spear phishing campaigns, spreading weaponized and politically themed Word documents to infect victims with their malware.

There are also out-of-the-ordinary cases where the group even set up a fake news site for spreading false rumors in Venezuela (pancaliente.info) and a website for a fake organization of disenchanted policemen in Ecuador (justice-desvinculados.com). These were isolated incidents, and not part of the group's normal modus operandi, which mainly relied on the phishing -> Word file -> RAT method.

Packrat left threatening messages in their malware's source code

Citizen Lab says that, at one point, one of the security analysts looking into one of the group's RATs found a threatening message addressed to the researchers themselves, meaning Packrat members suspected they had someone on their trail.

One of the messages read (translated from Spanish), "Now you are in trouble! Lammer! You think you’re living, we have your IP! You keep analyzing processes. We are going to analyze your brain with a bullet and your family too. Take care of your family. We have your picture. You like playing the spy where you shouldn’t, you know it has a cost, your life! Take your time and scan processes, we’re going to get you quickly."

Despite the large amount of information Citizen Lab gathered in their extensive report on over 600 Packrat attacks, the security researchers weren't able to determine whether the hackers were a state-sponsored APT or a criminal group peddling its services to different countries. The researchers were not able to determine the group's country of origin either.

Packrat malware used in attacks