BlindEagle, also known as “APT-C-36,” is an advanced persistent threat (APT) group recognized for its straightforward yet impactful attack techniques and methodologies. The group has been persistently targeting entities and individuals in Colombia, Ecuador, Chile, Panama and other countries in Latin America, with a focus on governmental institutions, financial companies, energy, oil & gas companies, and education, health, and transportation organizations.
Researchers observed espionage campaigns from the group during May and June, when the group focused on individuals and organizations within Colombia, with the region accounting for about 87% of victims.
Phishing Campaigns of BlindEagle
Kaspersky researchers noted that in the attacks on Colombia, BlindEagle's malware contained Portuguese-language strings and variable names, whereas previous campaigns had used Spanish. They also observed Brazilian image hosting sites being used in these operations, suggesting that the new elements could reflect the involvement of third parties or outsourcing to extend the group's operational reach.
The June campaign used the group's usual tactics but also incorporated DLL sideloading and a new modular malware loader dubbed “HijackLoader.” The attack was orchestrated through phishing emails impersonating Colombia's judicial institutions, with malicious PDF or DOCX attachments purporting to be demand notices or court summonses.
The emails are designed to trick victims into opening the attached files and clicking embedded links to download documents in the belief that doing so will resolve the alleged legal issue. In doing so, victims unknowingly load malicious artifacts onto their systems from attacker-controlled servers.
One notable aspect of their phishing campaigns is geolocation filtering, which redirects victims from non-target countries to the official website of the impersonated entity, making it difficult to detect and analyze the attack.
The group’s use of URL shorteners and public infrastructure, such as image hosting sites and GitHub repositories, allows them to evade detection and create a complex attack chain. Once the initial dropper is downloaded, it extracts and runs files from a compressed archive, which may contain Visual Basic Scripts, XMLHTTP objects, or PowerShell commands.
These scripts contact a server to download a malicious artifact, which can be a text file, image, or .NET executable.
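The chain described above (a document lure that leads to a script host, which then reaches out to a server and drops a further artifact) is something endpoint telemetry can surface without any campaign-specific indicator. The following correlator is an added example, not code from the article or from Kaspersky's report: it reads constructed Sysmon-style event lines and flags a script host that was spawned by a document reader, made an outbound connection, or wrote an executable to disk. The event format, host names, process paths and addresses in the sample are all assumptions made for illustration.

```python
"""
Added example (not from the original article or from Kaspersky's report):
correlate constructed Sysmon-style endpoint events and flag the execution
chain the article describes -- a document lure launching a script host
(VBS / PowerShell), the script host reaching out to a remote server, and
an executable being written to disk afterwards.

The event line format, host names, process paths and IP addresses below are
constructed for illustration only; they are not indicators from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Processes that typically open a PDF / DOCX phishing lure.
DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "foxitreader.exe"}
# Script hosts matching the VBS / PowerShell stages the article mentions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
EXECUTABLE_EXT = re.compile(r"\.(exe|dll)$", re.IGNORECASE)

# Assumed line layout: "<ts> host=<name> event=<type> key="value" ..."
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class HostState:
    """Per-host view: process lineage, network activity and dropped files."""
    parents: dict = field(default_factory=dict)        # pid -> (image, parent_image)
    net_by_pid: set = field(default_factory=set)       # pids with outbound connections
    dropped_by_pid: dict = field(default_factory=dict) # pid -> [executable paths]


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    ev.update(dict(KV_RE.findall(m["rest"])))
    return ev


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(lines):
    """Return one finding per script-host process that hits two or more stages."""
    state = defaultdict(HostState)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        st = state[ev["host"]]
        if ev["event"] == "ProcessCreate":
            st.parents[ev["pid"]] = (_basename(ev["image"]), _basename(ev["parent_image"]))
        elif ev["event"] == "NetworkConnect":
            st.net_by_pid.add(ev["pid"])
        elif ev["event"] == "FileCreate" and EXECUTABLE_EXT.search(ev["target"]):
            st.dropped_by_pid.setdefault(ev["pid"], []).append(ev["target"])

    findings = []
    for host, st in state.items():
        for pid, (image, parent) in st.parents.items():
            if image not in SCRIPT_HOSTS:
                continue
            stages = []
            if parent in DOCUMENT_READERS:
                stages.append("document reader spawned script host")
            if pid in st.net_by_pid:
                stages.append("script host made outbound connection")
            if pid in st.dropped_by_pid:
                stages.append("script host wrote executable to disk")
            # A single stage (e.g. PowerShell fetching an update) is common; two or more
            # together reproduce the lure -> script -> download -> drop sequence.
            if len(stages) >= 2:
                findings.append({"host": host, "pid": pid, "image": image,
                                 "parent": parent, "stages": stages})
    return findings


# Constructed sample telemetry: ws-17 shows the full chain, ws-22 is benign noise.
SAMPLE_EVENTS = r"""
2024-06-03T09:12:01Z host=ws-17 event=ProcessCreate pid="4120" image="C:\Program Files\Adobe\Acrobat\AcroRd32.exe" parent_image="C:\Windows\explorer.exe"
2024-06-03T09:12:44Z host=ws-17 event=ProcessCreate pid="4388" image="C:\Windows\System32\wscript.exe" parent_image="C:\Program Files\Adobe\Acrobat\AcroRd32.exe"
2024-06-03T09:12:45Z host=ws-17 event=NetworkConnect pid="4388" dest="203.0.113.10:443"
2024-06-03T09:12:47Z host=ws-17 event=FileCreate pid="4388" target="C:\Users\ana\AppData\Local\Temp\update.exe"
2024-06-03T09:20:00Z host=ws-22 event=ProcessCreate pid="5100" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent_image="C:\Windows\explorer.exe"
2024-06-03T09:20:02Z host=ws-22 event=NetworkConnect pid="5100" dest="198.51.100.7:443"
""".strip().splitlines()

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']} pid {f['pid']} ({f['parent']} -> {f['image']}): " + "; ".join(f["stages"]))
```

Run against the sample, only ws-17 is reported, with all three stages; the lone PowerShell network connection on ws-22 is not, which keeps the rule from firing on routine administration. Because the article notes that the lure pages redirect visitors from non-target countries to the impersonated institution's real site, behavioural detection on the endpoint of this kind is useful precisely where URL-based analysis from outside the targeted region would see only the legitimate page.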
Adaptability and Evolution
BlindEagle’s adaptability is a key factor in their success. They employ various open-source RATs, such as njRAT, LimeRAT, and AsyncRAT, depending on the campaign objectives. They have been observed to modify these tools to suit their needs, adding new capabilities and features. In some cases, they have repurposed espionage malware to conduct financial attacks, demonstrating their flexibility in achieving their goals.
The researchers note that the evolution in the group’s tactics demonstrates BlindEagle’s willingness to adapt and improve its attack methods, making it a credible threat to entities and individuals in Latin America.