Blind Eagle Re-appears in a Phishing Campaign to Target Colombian Entities

What’s the latest update?

• According to researchers at BlackBerry, the campaign was first traced on February 20 wherein threat actors impersonated a Colombian government tax agency to target key industries.
• Based on the infection vector and other adversarial tactics, researchers believed that the campaign targeted some organizations in Chile, Spain, and Ecuador.

Infection process

• The bait requests the recipients to click on a link that comes in the form of a password-protected PDF to view the pending tax. 
• The PDF contains a URL that mimics the original website of the Directorate of National Taxes and Customs (DIAN). 
• If the user clicks on it, they are redirected to a different site that downloads a second-stage payload from the public service Discord.
• The second-stage payload is downloaded in the form of PDF files that ultimately lead to the deployment of AsyncRAT in the final stage of the infection process.

A brief about Blind Eagle’s most used malware

• Blind Eagle APT mainly uses AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT in its campaigns. 
• The hacking group leverages Dynamic DNS (DDNS) services, such as DuckDNS, to connect its RATs to the infrastructure to send and receive commands.
• Last month, the financially-motivated threat group was found using new tools to deploy QuasarRAT on banking systems in Colombia.

Final notes