Cyber security researchers have shed light on a threat known as A blind eagle which has persistently targeted organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.
The targets of these attacks span multiple sectors, including government agencies, financial companies, and energy and oil and gas companies.
“Blind Eagle has demonstrated adaptability in shaping the targets of its cyberattacks and the versatility to switch between purely financially motivated attacks and espionage operations,” Kaspersky said. said in Monday’s report.
Also referred to as APT-C-36, Blind Eagle appears believed Since at least 2018, the suspected Spanish-speaking group has been known to use phishing lures to distribute various public remote access trojans, such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
Earlier in March this year, eSentire in detail the adversary’s use of a malware loader called Ande Loader to distribute the Remcos RAT and NjRAT.
The starting point is a phishing email impersonating legitimate government agencies and financial and banking organizations that deceptively warns recipients to take urgent action by clicking on a link that purports to take them to the fake organization’s official website.
The emails also include a PDF or Microsoft Word attachment containing the same URL, and in some cases, a few additional details designed to give it a greater sense of urgency and give it the appearance of legitimacy.
The first set of URLs directs users to actor-controlled sites hosting the initial dropper, but only after determining whether the victim is from a country targeted by the group. Otherwise, they end up on the website of an organization that the attackers impersonate.
“This geo-redirection prevents new malicious sites from being flagged, and also hinders the hunting and analysis of these attacks,” said the Russian cybersecurity vendor.
The initial drop comes as a compressed ZIP archive, which in turn embeds a Visual Basic Script (VBS) responsible for retrieving the next stage’s payload from a hardcoded remote server. These servers can range from image hosting sites to Pastebin and legitimate services like Discord and GitHub.
Second-stage malware, often obfuscated using steganographic techniques, is a DLL or .NET injector that then communicates with another malware server to produce the final stage Trojan.
“The group often uses process injection techniques to execute RATs in the memory of a legitimate process, thereby evading process-based defenses,” Kaspersky said.
“The dominant technique of the group process the gouge. This technique involves creating a legitimate process in a suspended state, then unmapping its memory, replacing it with a malicious payload, and finally resuming the process to begin execution.”
Using modified open-source versions of the RAT gives Blind Eagle the ability to change its campaigns at will, using them for cyberespionage or capturing credentials for Colombian financial services from a victim’s browser when window headers are matched against a predefined list of strings. in malware.
On the other hand, modified versions of NjRAT have been seen equipped with keyboard and screenshot capture capabilities to collect sensitive information. In addition, the updated version supports the installation of additional plugins sent from the server to extend its functionality.
Changes also apply to attack chains. As recently as June 2024, AsyncRAT was distributed via a malware downloader called Hijack bootloaderindicating a high level of adaptability on the part of the threat actors. It also serves to emphasize the addition of new methods to sustain their activities.
“As simple as BlindEagle’s methods and procedures may seem, their effectiveness allows the group to maintain a high level of activity,” Kaspersky concluded. “With consistent cyber espionage and financial credential theft campaigns, Blind Eagle remains a significant threat in the region.
