BlindEagle Hackers Attacking Organization to Abuse Trust and Bypass Email Security Controls

In a sophisticated cyberespionage campaign, the BlindEagle threat actor has once again targeted Colombian government institutions.

This latest operation specifically zeroed in on an agency under the Ministry of Commerce, Industry, and Tourism, leveraging a highly effective strategy to bypass standard email security protocols.

By compromising an internal email account within the target organization, the attackers sent phishing emails that appeared to originate from a legitimate internal source.

This method allowed them to circumvent SPF, DKIM, and DMARC checks, ensuring the malicious messages reached their intended victims without triggering alarms.

The phishing emails were crafted to mimic official notifications from the Colombian judicial branch and referenced a fabricated labor lawsuit.

Designed to instill urgency and fear, the messages threatened legal action to pressure recipients to download an attached SVG image.

The SVG attachment included in BlindEagle’s phishing email (Source - Zscaler)

This social engineering tactic effectively lured victims into initiating the infection process.

Following this initial compromise, Zscaler analysts noted that the attack chain is remarkably complex, employing multiple layers of obfuscation and legitimate web services to conceal its activities.

When a victim interacts with the SVG attachment, they are redirected to a fraudulent web portal that closely resembles a legitimate government site.

BlindEagle attack chain (Source - Zscaler)

This portal automatically delivers a malicious JavaScript file, triggering a fileless infection sequence that relies on in-memory execution to evade detection by traditional antivirus solutions.

Infection Mechanism

The infection mechanism is a multi-stage process involving nested scripts and steganography. The initial JavaScript snippets deobfuscate subsequent payloads using a custom algorithm.

As shown in the code snippet below, the malware reconstructs executable code by processing arrays of integers to build the next stage.

from typing import List

def deobfuscate(obf_code: List[int], step: int) -> str:
    # Each integer is a character code shifted up by `step`; undo the shift
    # to recover the next-stage script text.
    deobf_code = ""
    for i in obf_code:
        c = chr(i - step)  # int_to_char() in the original snippet
        deobf_code += c
    return deobf_code

This sequence eventually executes a PowerShell command via Windows Management Instrumentation, as detailed in the decoded BlindEagle PowerShell command.

Decoded BlindEagle PowerShell command (Source - Zscaler)

This command retrieves a PNG image from the Internet Archive that contains a hidden payload. The payload is the Caminho downloader, a malware variant of Portuguese origin, as evidenced by internal argument names such as “caminho”.

This specific downloader is designed to retrieve the final payload from a Discord CDN URL, specifically a text file named AGT27.txt. Caminho then connects to the URL and decodes the file in memory.

Finally, the DCRAT Remote Access Trojan is injected into a hollowed-out MSBuild.exe process. This final step provides the attackers with extensive capabilities, including keylogging and data exfiltration, granting them full control over the compromised system while hiding within a trusted Windows process.
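The execution chain described above (WMI launching PowerShell, PowerShell pulling from the Internet Archive, MSBuild.exe spawned under PowerShell and reaching out to the Discord CDN) maps onto a small set of process-lineage and network checks a defender can run over endpoint telemetry. The following is an added example, not code from Zscaler or from the article; the Sysmon-style event records and field names are constructed for illustration, and the benign devenv.exe record shows why MSBuild.exe alone is not a signal.

```python
from typing import Dict, List

# Constructed Sysmon-style process and network events; not real telemetry from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 5204, "image": PS, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"type": "network", "pid": 5204, "image": PS, "host": "archive.org"},
    {"type": "process", "pid": 6010, "image": MSBUILD, "parent": PS},
    {"type": "network", "pid": 6010, "image": MSBUILD, "host": "cdn.discordapp.com"},
    # Benign: Visual Studio building a project also spawns MSBuild.exe.
    {"type": "process", "pid": 7001, "image": MSBUILD,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

# Legitimate services abused as payload staging in this chain (Internet Archive, Discord CDN).
STAGING_HOSTS = ("archive.org", "discordapp.com", "discord.com")

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a stage of the described chain."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev["parent"])
            if image == "powershell.exe" and parent == "wmiprvse.exe":
                findings.append({"rule": "wmi_spawned_powershell", "pid": ev["pid"]})
            elif image == "msbuild.exe" and parent == "powershell.exe":
                findings.append({"rule": "msbuild_under_powershell", "pid": ev["pid"]})
        elif ev["type"] == "network":
            host = ev["host"].lower()
            staged = any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)
            if staged and image in ("powershell.exe", "msbuild.exe"):
                findings.append({"rule": "staging_host_contact", "pid": ev["pid"], "host": host})
    return findings

def correlate(findings: List[Dict]) -> List[int]:
    """PIDs of MSBuild.exe processes both spawned by PowerShell and contacting a staging host."""
    spawned = {f["pid"] for f in findings if f["rule"] == "msbuild_under_powershell"}
    contacted = {f["pid"] for f in findings if f["rule"] == "staging_host_contact"}
    return sorted(spawned & contacted)

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(hits)
    print("hollowed MSBuild candidates:", correlate(hits))
```

The correlation step is what turns individually noisy signals (MSBuild.exe runs on every developer workstation) into a high-confidence alert tied to the process-hollowing stage.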
