
Blind Eagle Re-appears in a Phishing Campaign to Target Colombian Entities

Blind Eagle, also known as APT-C-36, is back in a new campaign, targeting multiple entities in Colombia. The notorious hacking group has been actively targeting organizations in Colombia and Ecuador since at least 2019.

What’s the latest update?

  • According to researchers at BlackBerry, the campaign was first observed on February 20, with the threat actors impersonating a Colombian government tax agency to target key industries.
  • Based on the infection vector and other adversarial tactics, researchers believe the campaign targeted some organizations in Chile, Spain, and Ecuador as well.

Infection process

The initial stage of the campaign starts with a phishing email containing a password-protected PDF attachment, with a subject line written in Spanish.
  • The lure asks recipients to open the password-protected PDF and click a link inside it to view a pending tax payment.
  • The PDF contains a URL that mimics the official website of Colombia's Directorate of National Taxes and Customs (DIAN).
  • If the user clicks it, they are redirected to a different site that downloads a second-stage payload hosted on the public service Discord.
  • The second-stage payload is delivered as PDF files that ultimately lead to the deployment of AsyncRAT in the final stage of the infection.

A brief about Blind Eagle’s most used malware

  • Blind Eagle mainly uses AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT in its campaigns.
  • The group relies on Dynamic DNS (DDNS) services, such as DuckDNS, to connect its RATs to its command-and-control infrastructure for sending and receiving commands.
  • Last month, the financially motivated threat group was found using new tools to deploy QuasarRAT on banking systems in Colombia.
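The infection chain above (DIAN lookalike site, Discord-hosted second stage) and the DuckDNS-based C2 pattern can be turned into simple web-proxy log checks. The following is an added example, not code from the BlackBerry or Cyware write-ups; the domain names, log format and file extensions are assumptions for illustration, not published indicators from this campaign.

```python
import re
from urllib.parse import urlparse

# Indicators drawn from the campaign description: DIAN lookalike sites,
# second-stage payloads hosted on Discord, and DuckDNS dynamic-DNS C2.
# Domain values below are assumptions for illustration, not published IoCs.
LEGIT_DIAN = "dian.gov.co"
DISCORD_HOSTS = {"cdn.discordapp.com", "discord.com", "discordapp.com"}
DDNS_SUFFIXES = (".duckdns.org",)

def looks_like_dian(host):
    """True for hosts that contain 'dian' but are not the real DIAN domain."""
    host = host.lower()
    if host == LEGIT_DIAN or host.endswith("." + LEGIT_DIAN):
        return False
    return "dian" in host

def classify_url(url):
    """Return the list of campaign-style indicators matched by one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    hits = []
    if looks_like_dian(host):
        hits.append("dian-lookalike")
    if host in DISCORD_HOSTS and path.endswith((".pdf", ".exe", ".zip")):
        hits.append("discord-hosted-payload")
    if host.endswith(DDNS_SUFFIXES):
        hits.append("ddns-c2")
    return hits

def scan_proxy_log(lines):
    """Yield (url, indicators) for every logged URL matching at least one indicator."""
    url_re = re.compile(r"https?://\S+")
    for line in lines:
        for url in url_re.findall(line):
            hits = classify_url(url)
            if hits:
                yield url, hits

# Constructed sample proxy log lines (not real traffic from the campaign).
SAMPLE_LOG = [
    "2023-02-20T10:01:02Z 10.0.0.5 GET https://dian.gov.co/impuestos 200",
    "2023-02-20T10:02:15Z 10.0.0.5 GET https://dian-gov-co.example/factura 302",
    "2023-02-20T10:02:16Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/factura.pdf 200",
    "2023-02-20T10:05:40Z 10.0.0.5 POST https://update-host.duckdns.org:7707/ 200",
]
```

Running `list(scan_proxy_log(SAMPLE_LOG))` flags the lookalike, the Discord download and the DDNS beacon while leaving the genuine DIAN request alone; in practice the indicator lists would be fed from your own threat intelligence rather than hard-coded.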

Final notes

As the latest campaign continues to operate for the purposes of information theft and espionage, organizations should thoroughly check the legitimacy of emails before opening any embedded attachments. They should verify the sender's address and apply the necessary email security checks to thwart the attack at its initial stage.
Cyware Publisher