New APT Group ‘BlindEagle’ Strikes Organizations with Weaponized Emails

BlindEagle, also known as APT-C-36, is a persistent threat actor targeting Latin American entities across multiple sectors by employing basic yet effective techniques to conduct espionage and financially motivated cyberattacks. 

Active since at least 2018, BlindEagle demonstrates adaptability in operational goals, switching between intelligence gathering and monetary gain, while GReAT is actively tracking this threat actor’s evolving tactics, techniques, and procedures. 

Blind Eagle employs phishing as its primary attack vector, leveraging both spear-phishing for targeted espionage and generalized phishing for financial gain. 

Phishing and impersonating the Attorney General’s Office

Their phishing campaigns mimic reputable entities, including government agencies like Colombia’s tax and customs office, foreign affairs ministry, and attorney general’s office, as well as financial institutions, to deceive victims into compromising their systems. 

Attackers employ deceptive emails containing urgent notifications and malicious attachments to lure victims into clicking embedded links or opening attached documents, which lead to malware infection through initial dropper payloads hosted on attacker-controlled servers. 

To evade detection, the campaign utilizes geolocation filtering via URL shorteners, redirecting non-target country traffic to legitimate websites while delivering malware to targeted regions, hindering analysis and detection efforts. 

BlindEagle employs a multi-stage attack, initiating with phishing emails containing compressed attachments disguised as official documents. Extracted files, often VBScripts, download subsequent malicious payloads from various online locations. 

Steganography used in a BlindEagle campaign

These payloads are diverse, ranging from text files to .NET executables, and frequently obfuscated. The ultimate goal is to deploy a RAT for espionage and financial theft, with the group continually evolving tactics using different RATs and custom tools. 

The threat actor employs sophisticated techniques to deliver malicious payloads. Initial payloads, hidden within text files, images, or executable resources, are encoded using base64 or ASCII or concealed via steganography. 

An initial dropper extracts and decodes these payloads, resulting in a DLL or .NET injector that leverages process hollowing to inject the final payload, an open-source RAT, into the memory of a legitimate process, evading detection and execution in isolation. 

Cyber-espionage group BlindEagle employs a versatile attack strategy by repurposing open-source Remote Access Trojans (RATs) like AsyncRAT, njRAT, and Quasar RAT and customizing these tools for espionage and financial gain, demonstrating adaptability in their campaigns. 

A version of the Quasar RAT modified to steal financial credentials

For instance, Quasar RAT, typically used for espionage, was modified to function as a banking Trojan targeting Colombian financial institutions, showcasing the group’s ability to pivot between different attack objectives with minimal effort. 

A modified Quasar RAT variant steals financial credentials by monitoring browser activity, initiating keylogging for Colombian financial websites, and exfiltrating data to a command-and-control server. 

The threat actors further enhance the RAT’s capabilities by installing additional plugins, expanding its functionality beyond basic keylogging and system information theft to include remote desktop control and other malicious operations. 

According to Secure List, Blind Eagle, a persistent threat actor targeting Latin America, primarily Colombia, employs phishing, DLL sideloading, and modular malware loaders to deliver open-source RATs. 

The group leverages social engineering, public infrastructure, and basic obfuscation techniques for efficient distribution and execution of malicious payloads, demonstrating adaptability by introducing new TTPs such as Portuguese-language artifacts and HijackLoader. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here