BRATISLAVA, BUENOS AIRES — October 17, 2023 — ESET Research announced today the release of the report “Looking into TUT’s tomb: The universe of threats in LATAM,” which analyzes more than a dozen operations and various cybercriminal campaigns in Latin America. With evolving targeting strategies and techniques, these campaigns exhibit a high level of sophistication, specifically tailoring their approaches to exploit enterprise users, including government sectors. The predominant method of compromising victims is through phishing emails that deliver multiple malicious components.

“Much like the life and mysterious demise of the ancient Egyptian pharaoh Tutankhamun, also known as King Tut, the threat landscape in Latin America remains shrouded in mystery. This is primarily due to limited global attention on evolving malicious campaigns within the region,” says ESET researcher Camilo Gutierrez, based in Buenos Aires, Argentina, who investigated the malicious campaigns. “With parallels to how archaeological excavations of King Tut’s tomb shed light on ancient Egyptian life, we embarked on a journey to delve into less-publicized cyberthreats affecting Latin American countries. Our initiative, named Operation King TUT (The Universe of Threats), sought to explore this significant threat landscape.”

In the paper, ESET Research looks back at various publicly documented campaigns targeting the LATAM region between 2019 and 2023; the vast majority of the detections surrounding these cybercriminal activities are in Latin America and are not associated with global crimeware. Since each of these operations has its own unique traits, and they don’t appear to be linked to a single threat actor, it’s highly likely that multiple actors are at play.

ESET analysis revealed a notable shift from simplistic, opportunistic crimeware to more complex threats. Notably, researchers have observed a transition in targeting, moving from a focus on the general public to high-profile users, including businesses and governmental entities. These threat actors continually update their tools, introducing different evasion techniques to increase the success of their campaigns. Furthermore, while the LATAM region contains the vast majority of victims, in some cases we have seen an expansion of these campaigns targeting countries outside the region, with the actors taking their crimeware business beyond Latin America and mirroring the pattern seen in banking trojans born in Brazil.

“Our comparison also shows that the majority of malicious campaigns seen in the region are directed at enterprise users, including government sectors, by primarily employing spearphishing emails to reach potential victims. Attackers often masquerade as recognized organizations within specific countries in the region, particularly government or tax entities,” says Gutierrez.

The precision and specificity observed in these attacks point to a high level of targeting, indicating that the threat actors have detailed knowledge about their intended victims. In these campaigns, attackers utilize malicious components like downloaders and droppers, mostly created in PowerShell and VBS. Regarding the tools used in these malicious operations in Latin America, ESET observations indicate a preference for remote access trojans.

For more technical information about “Operation King TUT: The universe of threats in LATAM,” read the blog post on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Described cybercriminal activities were detected exclusively in LATAM countries