Cybersecurity experts have uncovered the activities of a threat actor known as Blind Eagle, which has persistently targeted entities and individuals across Colombia, Ecuador, Chile, Panama, and other Latin American countries.
The victims of these attacks span various sectors, including government institutions, financial organizations, and energy and oil and gas companies.
According to a Monday report by Kaspersky, “Blind Eagle has shown adaptability in adjusting the goals of its cyberattacks and the flexibility to switch between attacks driven by financial gain and espionage operations.”
Also known as APT-C-36, Blind Eagle is believed to have been active since at least 2018. This suspected Spanish-speaking group is notorious for employing spear-phishing techniques to distribute various publicly available remote access trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
Earlier this March, eSentire detailed the group’s use of a malware loader named Ande Loader to propagate Remcos RAT and NjRAT.
The attack begins with a phishing email that pretends to be from legitimate government institutions or financial and banking entities. This email urges recipients to urgently click a link that purportedly leads to the official website of the entity being impersonated.
These emails often include a PDF or Microsoft Word attachment with the same URL and, in some cases, additional details intended to create a sense of urgency and add an appearance of legitimacy.
The first set of URLs directs users to sites controlled by the attackers, which host an initial dropper. This dropper checks whether the victim is from a targeted country before either delivering the malicious payload or redirecting them to the site of the organization being impersonated.
“This geographic redirection prevents new malicious sites from being detected and complicates efforts to track and analyze these attacks,” said the Russian cybersecurity firm.
The initial dropper is a compressed ZIP archive containing a Visual Basic Script (VBS) that retrieves the next stage payload from a hard-coded remote server. These servers can range from image hosting sites and Pastebin to legitimate services like Discord and GitHub.
The second-stage malware, often obfuscated with steganographic techniques, is a DLL or .NET injector that contacts another malicious server to download the final stage trojan.
“The group frequently uses process injection techniques to execute the RAT within the memory of a legitimate process, thereby bypassing process-based defenses,” Kaspersky noted.
“The preferred technique is process hollowing, which involves creating a legitimate process in a suspended state, unmapping its memory, replacing it with a malicious payload, and then resuming the process to execute.”
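Detection logic a defender can run over process telemetry to surface the hollowing pattern just described, added here as an example and not taken from Kaspersky's report. The records are constructed, simplified Sysmon-style events (Event ID 1 process creation, Event ID 10 process access with a Windows GrantedAccess mask); the image paths and PIDs are assumed sample values, not indicators from the report.

```python
import ntpath
from typing import Dict, List

# Windows process access rights a creator needs to rewrite and then resume a child.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample telemetry (not real Sysmon output). Record 2-3: a script host
# spawns a .NET binary and immediately obtains write access to it. Record 4-5: a
# parent only queries a child it created, which is benign.
SAMPLE_EVENTS = [
    {"id": 1, "t": 100, "pid": 4000, "ppid": 3000, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "t": 101, "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"id": 10, "t": 102, "source_pid": 4000, "target_pid": 4100, "granted_access": 0x1F0FFF},
    {"id": 1, "t": 200, "pid": 5000, "ppid": 3000, "image": r"C:\Program Files\App\app.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 10, "t": 201, "source_pid": 3000, "target_pid": 5000, "granted_access": 0x1000},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def find_hollowing_candidates(events: List[Dict], window: int = 30) -> List[Dict]:
    """Flag a parent that writes into the memory of a child it just created.

    Hollowing creates the child suspended, rewrites its image and resumes it.
    Sysmon does not record the suspended flag, so the rule keys on the
    ProcessAccess that follows: VM_OPERATION|VM_WRITE granted to the creator
    within `window` seconds of the child's creation. A script-host parent
    raises the severity, since that is where a VBS stage would run from.
    """
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    created = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 10 or (e["granted_access"] & need) != need:
            continue
        child = created.get(e["target_pid"])
        if child is None or child["ppid"] != e["source_pid"]:
            continue
        if 0 <= e["t"] - child["t"] <= window:
            parent = _basename(child["parent_image"])
            hits.append({"target_pid": child["pid"], "target": _basename(child["image"]),
                         "source": parent, "script_host_parent": parent in SCRIPT_HOSTS})
    return hits
```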
Blind Eagle’s use of modified open-source RATs allows them to adapt their campaigns as needed, whether for cyber espionage or capturing credentials for Colombian financial services from the victim’s browser by matching window titles to a predefined list of strings in the malware.
Meanwhile, modified versions of NjRAT have been observed with keylogging and screenshot-capturing capabilities to collect sensitive information. The updated versions also support installing additional plugins from a server to extend functionality.
The changes also extend to the attack chains. As recently as June 2024, AsyncRAT was distributed via a malware loader named Hijack Loader, demonstrating the threat actors’ high level of adaptability and the introduction of new techniques to maintain their operations.
“As straightforward as Blind Eagle’s techniques and procedures might seem, their effectiveness enables the group to maintain a high level of activity,” Kaspersky concluded. “By consistently executing cyber espionage and financial credential theft campaigns, Blind Eagle remains a significant threat in the region.”