New APT Group BlindEagle Attacking Multiple Organizations Via Weaponized Emails

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

BlindEagle (APT-C-36) is a Latin American Advanced Persistent Threat group that has been active since 2018. It targets the governmental, financial, and energy sectors in Colombia, Ecuador, Chile, Panama, and other regional countries. 

BlindEagle is known for employing straightforward yet impactful techniques; the group demonstrates versatility in switching between financially motivated attacks and espionage operations.

Cybersecurity researchers at Kaspersky Lab recently identified this new group, which was found to be attacking multiple organizations via weaponized emails.

APT Group BlindEagle Attacking Organizations

BlindEagle, an advanced threat actor, carries out multi-stage attacks, which start with phishing emails disguised as government and financial institutions.

Phishing impersonating the Attorney General’s Office (Source – Securelist)

To avoid detection, their campaigns apply geolocation-based filtering through URL shorteners so that they can only reach specific regions.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Typically, the initial infection vector is compressed files in different formats, including some less popular ones like LHA or UUE, which contain Visual Basic Scripts.

These scripts use WScript, XMLHTTP objects, or PowerShell to download further payloads from attacker-controlled servers or public platforms such as Pastebin or GitHub.

The group’s malware deployment advances through a number of stages incorporating encoded or obfuscated artifacts often exploiting steganography techniques and topping in modified open-source Remote Access Trojans (RATs).

Steganography used in a BlindEagle campaign (Source – Securelist)

It is possible to tell by the different RATs like njRAT, LimeRAT, BitRAT, and AsyncRAT that the group uses by frequently switching between them in line with specific campaigns’ goals such as stealing money via the internet or cyber espionage.

They use process injection techniques, mainly process hollowing, to avoid being detected where the last payload is executed on legitimate processes’ memory space.

The team modifies their RATs with improved information collection abilities, additional plugin installation features, and, in some cases, a special capability of intercepting bank account credentials developed, showing how they can fit them according to victims’ requirements or what exactly each campaign intends to achieve, reads the report.

BlindEagle was previously recognized as using simple tactics such as basic phishing and off-the-shelf malware. But more recently, the group has demonstrated more complex methods against its targets.

In May 2023, they conducted a campaign that included artifacts with Portuguese language characteristics and employed Brazilian image-hosting sites, possibly showing cooperation with other groups.

In the following month, there was an attack in June where the DLL sideloading technique was used, and HijackLoader, a new modular malware loader, was unleashed.

TTPs

Here below we have mentioned all the TTPs:-

  • Phishing
  • Malicious Attachments
  • URL Shorteners
  • Dynamic DNS
  • Public Infrastructure
  • Process Hollowing
  • VBS Scripts/.NET Assemblies
  • Open-source RATs

Phishing emails purporting to be from Colombian judicial institutions start these attacks with malicious PDF or DOCX attachments containing files that appear legitimate but trick victims into downloading and running them.

While Colombia remains an important destination for them, with 87% of victims located there, BlindEagle also operates in Ecuador, Chile, and Panama.

Various areas, including government, education, health, and transport, are affected by their campaigns.BlindEagle continues to represent a serious threat in the area through its repeated implementation of cyber-espionage as well as financial credential theft campaigns.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces