Cybersecurity researchers have shed light on a threat actor known as Blind Eagle that has persistently targeted entities and individuals in Colombia, Ecuador, Chile, Panama, and other Latin American countries.
Targets of these attacks span several sectors, including governmental institutions, financial companies, and energy and oil and gas companies.
“Blind Eagle has demonstrated adaptability in shaping the objectives of its cyberattacks and the versatility to switch between purely financially motivated attacks and espionage operations,” Kaspersky stated in a Monday report.
Also known as APT-C-36, Blind Eagle is believed to have been active since at least 2018. The suspected Spanish-speaking group is known for using spear-phishing lures to distribute various publicly available remote access trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
Earlier this March, eSentire detailed the adversary’s use of a malware loader called Ande Loader to propagate Remcos RAT and NjRAT.
The starting point is a phishing email impersonating legitimate governmental institutions and financial and banking entities that deceptively warns recipients to take urgent action by clicking on a link that purports to take them to the official website of the entity being mimicked.
The email messages also include a PDF or Microsoft Word attachment that contains the same URL and, in some cases, several additional details designed to impart a heightened sense of urgency and lend it a veneer of legitimacy.
The first set of URLs directs users to actor-controlled sites that host an initial dropper, but only after determining whether the victim belongs to a country that is among the group’s targets. Otherwise, they are led to the site of the organization the attackers are impersonating.
“This geographical redirection prevents new malicious sites from being flagged, and thwarts hunting and analysis of these attacks,” the Russian cybersecurity vendor stated.
The initial dropper comes in the form of a compressed ZIP archive, which, in turn, embeds a Visual Basic Script (VBS) responsible for retrieving the next-stage payload from a hard-coded remote server. These servers can range from image hosting sites to Pastebin to legitimate services like Discord and GitHub.
The second-stage malware, often obfuscated using steganographic techniques, is a DLL or a .NET injector that subsequently contacts yet another malicious server to retrieve the final-stage trojan.
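The VBS dropper stage described above hard-codes where the next payload lives, and those locations are often split across concatenated string literals to defeat naive string matching. A triage step a defender can run against such a script is to reassemble the literals, pull out the URLs, and classify the hosts they point at. The following is an added example, not code from the article or from Kaspersky: the VBS text is constructed, the host list is an assumption, and imgur stands in for the unnamed image-hosting services the report mentions.

```python
"""Triage a VBS dropper for hard-coded next-stage URLs.

Added example; the VBS sample and the host table below are constructed and
are not from the article or from Kaspersky's report.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed dropper fragment. Two URLs are split with the VBS & operator,
# one is a plain literal, and one points at a host we know nothing about.
SAMPLE_VBS = r'''
Dim strCdn, strPaste, strImg, strOther
' constructed sample: hard-coded next-stage locations
strCdn = "https://cdn.disc" & "ordapp.com/attachments/111/222/stage2.txt"
strPaste = "https://past" & "ebin.com/raw/EXAMPLE"
strImg = "https://i.imgur.com/EXAMPLE.png"
strOther = "https://example.invalid/loader"
'''

# Assumed categories for the legitimate services the article names as
# payload hosts. imgur is an assumption standing in for "image hosting sites".
HOST_CATEGORIES = {
    "pastebin.com": "paste site",
    "cdn.discordapp.com": "Discord CDN",
    "discord.com": "Discord",
    "github.com": "GitHub",
    "raw.githubusercontent.com": "GitHub raw",
    "imgur.com": "image hosting",
}

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# A string literal, optionally followed by the & concatenation operator.
# Escaped quotes ("") inside literals are not handled here.
LITERAL_RE = re.compile(r'"([^"]*)"\s*(&?)')

Finding = namedtuple("Finding", "url host category")


def assembled_strings(vbs_text):
    """Yield string literals per line, joining runs linked by the & operator."""
    for line in vbs_text.splitlines():
        buf = ""
        for m in LITERAL_RE.finditer(line):
            buf += m.group(1)
            if not m.group(2):       # no & after this literal: run is complete
                yield buf
                buf = ""
        if buf:                      # literal followed by & and a variable
            yield buf


def classify_host(host):
    """Map a hostname to a category, matching the host or any subdomain of it."""
    host = host.lower()
    for known, category in HOST_CATEGORIES.items():
        if host == known or host.endswith("." + known):
            return category
    return "unknown host"


def extract_payload_urls(vbs_text):
    """Return deduplicated Finding tuples for every URL in the script."""
    findings, seen = [], set()
    for s in assembled_strings(vbs_text):
        for url in URL_RE.findall(s):
            if url in seen:
                continue
            seen.add(url)
            host = urlparse(url).hostname or ""
            findings.append(Finding(url, host, classify_host(host)))
    return findings


if __name__ == "__main__":
    for f in extract_payload_urls(SAMPLE_VBS):
        print(f"{f.category:14s} {f.url}")
```

Run against the constructed sample, the Discord and Pastebin URLs are recovered whole despite the split literals, and the unrecognised host is reported as such rather than silently dropped, which is the case an analyst most wants surfaced.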
“The group often uses process injection techniques to execute the RAT in the memory of a legitimate process, thereby evading process-based defenses,” Kaspersky stated.
“The group’s preferred technique is process hollowing. This technique consists in creating a legitimate process in a suspended state, then unmapping its memory, replacing it with a malicious payload, and finally resuming the process to start execution.”
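The hollowing sequence Kaspersky describes (create a process suspended, unmap its memory, write the payload, resume it) has a recognisable shape in API-call telemetry, and the defensive point is that the whole sequence from one creator process is what distinguishes it from a debugger or launcher that merely starts a child suspended. The following added example, not code from the article or from Kaspersky, scores constructed event records against that sequence. The event schema (ts, pid, api, target_pid, flags, image) is assumed and does not correspond to any particular EDR product's format.

```python
"""Flag a process-hollowing sequence in API-call telemetry.

Added example; the event records and their schema are constructed and are
not from the article or from Kaspersky's report.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess

# Steps the report names, all required before ResumeThread fires an alert.
# SetThreadContext is recorded as supporting evidence but not required.
REQUIRED_STEPS = ("NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")


def detect_hollowing(events, window_s=10.0):
    """Return one alert dict per target pid that matches the hollowing sequence.

    An alert requires that the pid which created the target suspended is the
    same pid that performs every REQUIRED_STEPS call on it, all within
    window_s seconds of the creation. Calls from other pids are ignored.
    """
    suspended = {}             # target_pid -> (creator pid, create ts, image)
    steps = defaultdict(set)   # target_pid -> API names seen from the creator
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        api, src, tgt = ev["api"], ev["pid"], ev.get("target_pid")
        if api == "CreateProcess" and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended[tgt] = (src, ev["ts"], ev.get("image", "?"))
            continue
        if tgt not in suspended:
            continue
        creator, t0, image = suspended[tgt]
        if src != creator or ev["ts"] - t0 > window_s:
            continue
        steps[tgt].add(api)
        if api == "ResumeThread":
            if all(s in steps[tgt] for s in REQUIRED_STEPS):
                alerts.append({
                    "target_pid": tgt,
                    "source_pid": creator,
                    "image": image,
                    "apis": sorted(steps[tgt]),
                })
            # Once resumed, the process is no longer a hollowing candidate.
            del suspended[tgt]
            steps.pop(tgt, None)
    return alerts


# Constructed telemetry: one benign suspended launch, one full hollowing
# sequence with unrelated noise, and one partial sequence that must not alert.
TELEMETRY = [
    # debugger-style launch: suspended create, then plain resume
    {"ts": 0.0, "pid": 100, "api": "CreateProcess", "target_pid": 101,
     "flags": CREATE_SUSPENDED, "image": r"C:\constructed\debuggee.exe"},
    {"ts": 0.5, "pid": 100, "api": "ResumeThread", "target_pid": 101},
    # the injector sequence the report describes
    {"ts": 1.0, "pid": 200, "api": "CreateProcess", "target_pid": 201,
     "flags": CREATE_SUSPENDED, "image": r"C:\constructed\legitimate.exe"},
    {"ts": 1.1, "pid": 200, "api": "NtUnmapViewOfSection", "target_pid": 201},
    {"ts": 1.2, "pid": 200, "api": "WriteProcessMemory", "target_pid": 201},
    {"ts": 1.25, "pid": 300, "api": "WriteProcessMemory", "target_pid": 201},  # noise
    {"ts": 1.3, "pid": 200, "api": "SetThreadContext", "target_pid": 201},
    {"ts": 1.4, "pid": 200, "api": "ResumeThread", "target_pid": 201},
    # launcher that patches the child's memory but never unmaps its image
    {"ts": 2.0, "pid": 400, "api": "CreateProcess", "target_pid": 401,
     "flags": CREATE_SUSPENDED, "image": r"C:\constructed\child.exe"},
    {"ts": 2.1, "pid": 400, "api": "WriteProcessMemory", "target_pid": 401},
    {"ts": 2.2, "pid": 400, "api": "ResumeThread", "target_pid": 401},
]

if __name__ == "__main__":
    for alert in detect_hollowing(TELEMETRY):
        print(alert)
```

Requiring the unmap step is what keeps the third scenario quiet: writing into a suspended child is something legitimate launchers do, whereas unmapping the original image and then writing is the combination the report singles out. In production the same logic would be fed by the sensor's API or ETW events, and the image path in the alert is there so the responder can compare the on-disk binary with what actually ran.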
The use of modified versions of open-source RATs gives Blind Eagle the flexibility to modify its campaigns at will, using them for cyber espionage or for capturing credentials for Colombian financial services from the victim’s browser when the window titles match a predefined list of strings in the malware.
Similarly, altered versions of NjRAT have been observed fitted with keylogging and screenshot-capturing capabilities to harvest sensitive information. Furthermore, the updated version supports installing additional plugins sent from a server to augment its functionality.
The modifications also extend to the attack chains. As recently as June 2024, AsyncRAT has been distributed via a malware loader dubbed Hijack Loader, suggesting a high level of adaptability on the part of the threat actors. It also highlights the addition of new techniques to sustain their operations.
“As simple as BlindEagle’s techniques and procedures may appear, their effectiveness allows the group to sustain a high level of activity,” Kaspersky concluded. “By constantly executing cyber espionage and financial credential theft campaigns, Blind Eagle remains a significant threat in the region.”