Blind Eagle APT reemerges to target Colombian organisations

March 22, 2023

The Blind Eagle threat group (APT-C-36) has reemerged with a new phishing campaign targeting Colombian entities. For about four years this threat group has targeted Colombia and Ecuador exclusively.

Based on reports, a researcher discovered the phishing campaign last month; in it the operators masquerade as a Colombian government agency in order to target organisations connected with the impersonated sector.

Earlier phishing activity with the same infection vector and adversarial tactics as the current attack against Colombia also targeted some entities in Spain, Ecuador, and Chile.

The Blind Eagle APT operators use password-protected attachments written in Spanish.

According to investigations, the initial stage of the Blind Eagle APT phishing campaign begins with a malicious email containing a password-protected PDF attachment with a Spanish subject.

The lure prompts the email recipients to open the password-protected PDF to view an allegedly pending tax. The PDF includes a URL that impersonates the official website of the Directorate of National Taxes and Customs.

Once a user clicks the link, they are redirected to a different website that retrieves a second-stage payload hosted on the public service Discord. That second stage in turn launches AsyncRAT, the final stage of the infection chain.

Threat analysts explained that the Blind Eagle threat group primarily uses well-known payloads in its operations, such as LimeRAT, RemcosRAT, QuasarRAT, AsyncRAT, and njRAT. In addition, the group leverages dynamic DNS services, such as DuckDNS, so that its remote access trojans inside the targeted environment can reach the command-and-control infrastructure used to send and receive instructions.
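The two network-visible stages of the chain above (a second-stage download from Discord and dynamic DNS resolution for the RAT's command-and-control) are what a defender can hunt for in web-proxy and DNS telemetry. The following Python script is an added example, not code from the article or from any vendor: it runs simple rules over constructed proxy and DNS log lines and escalates a client that shows both stages. The Discord CDN hostname (cdn.discordapp.com), the key=value log format, the content types treated as executable, and every hostname and address in the sample logs are assumptions or constructed values, not indicators from the article.

```python
"""Defender-side hunt over constructed proxy and DNS logs for the Blind Eagle
chain: Discord-hosted second stage followed by DuckDNS command-and-control.
The hostnames, log format and sample lines are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}            # assumption: Discord attachment CDN
DDNS_SUFFIXES = (".duckdns.org",)                     # DuckDNS, the DDNS provider the article names
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}  # assumption
RANK = {"medium": 1, "high": 2, "critical": 3}

KV_RE = re.compile(r"(\w+)=(\S+)")
Finding = Tuple[str, str, str]  # (timestamp, severity, reason)

# Constructed sample logs: '<timestamp> key=value key=value ...' (not real traffic)
PROXY_LOG = """\
2023-03-15T10:01:02Z src=10.0.0.23 method=GET host=tax-lookalike.example url=/impuesto/pendiente.pdf status=200 ctype=application/pdf
2023-03-15T10:01:30Z src=10.0.0.23 method=GET host=cdn.discordapp.com url=/attachments/0000/0000/stage2.bin status=200 ctype=application/octet-stream
2023-03-15T10:02:00Z src=10.0.0.45 method=GET host=intranet.example.org url=/policy.pdf status=200 ctype=application/pdf
2023-03-15T10:02:40Z src=10.0.0.77 method=GET host=cdn.discordapp.com url=/attachments/0000/0001/picture.png status=200 ctype=image/png
"""
DNS_LOG = """\
2023-03-15T10:01:45Z src=10.0.0.23 qname=constructed-c2.duckdns.org qtype=A rcode=NOERROR
2023-03-15T10:03:10Z src=10.0.0.45 qname=mail.example.org qtype=A rcode=NOERROR
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<ts> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def proxy_findings(f: Dict[str, str]) -> List[Tuple[str, str]]:
    """Web-proxy rule: a fetch from Discord's attachment path; executable content rates higher."""
    if f.get("host", "").lower() in DISCORD_CDN_HOSTS and "/attachments/" in f.get("url", ""):
        sev = "high" if f.get("ctype") in EXECUTABLE_TYPES else "medium"
        return [(sev, "download from Discord attachment CDN")]
    return []


def dns_findings(f: Dict[str, str]) -> List[Tuple[str, str]]:
    """DNS rule: resolution of a dynamic DNS name under a watched suffix."""
    qname = f.get("qname", "").rstrip(".").lower()
    if qname.endswith(DDNS_SUFFIXES):
        return [("medium", f"dynamic DNS resolution of {qname}")]
    return []


def analyse(proxy_log: str, dns_log: str) -> Dict[str, Dict]:
    """Group findings per source address and escalate hosts showing both chain stages."""
    by_src: Dict[str, List[Finding]] = defaultdict(list)
    for line in proxy_log.splitlines():
        if line.strip():
            f = parse_line(line)
            by_src[f["src"]].extend((f["ts"], sev, why) for sev, why in proxy_findings(f))
    for line in dns_log.splitlines():
        if line.strip():
            f = parse_line(line)
            by_src[f["src"]].extend((f["ts"], sev, why) for sev, why in dns_findings(f))

    report: Dict[str, Dict] = {}
    for src, events in by_src.items():
        if not events:
            continue
        reasons = [why for _, _, why in events]
        both = any("Discord" in r for r in reasons) and any("dynamic DNS" in r for r in reasons)
        top = max((sev for _, sev, _ in events), key=RANK.__getitem__)
        report[src] = {"severity": "critical" if both else top, "events": sorted(events)}
    return report


if __name__ == "__main__":
    for src, info in analyse(PROXY_LOG, DNS_LOG).items():
        print(src, info["severity"])
        for ts, sev, why in info["events"]:
            print("   ", ts, sev, why)
```

On the constructed sample, 10.0.0.23 is rated critical because it fetched an executable-typed file from the Discord attachment path and then resolved a DuckDNS name, while 10.0.0.77 stays at medium for a lone image download from the same CDN; a host that only browsed internal resources produces no entry at all. In a real deployment the suffix and host lists would come from threat intelligence rather than being hard-coded, and the correlation window should be bounded in time rather than spanning the whole log.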

In a related incident, a financially motivated threat group used new tools to launch QuasarRAT on a financial institution in the same country.

Cybersecurity experts warn Colombian organisations to carefully review the legitimacy of incoming emails before opening them, since the latest operation has an obvious objective of information gathering and espionage.

All personnel of these organisations should verify the authenticity of every email and employ critical email security reviews to mitigate any chance of infections.
