BlindEagle APT Group: A Persistent Threat in Latin America

BlindEagle - APT-C-36
Phishing impersonating the Attorney General’s Office

Kaspersky Labs has issued a warning about BlindEagle, also known as APT-C-36, a persistent threat actor known for its targeted attacks in Latin America. Despite employing relatively simple techniques, BlindEagle has proven highly effective in carrying out both cyberespionage and financially motivated campaigns.

BlindEagle’s primary attack vector remains phishing, which continues to work despite its simplicity. The group’s phishing campaigns often masquerade as communications from legitimate governmental and financial institutions. For instance, emails posing as notifications from Colombia’s National Directorate of Taxes and Customs or the Ministry of Foreign Affairs are common lures used to entice victims into clicking malicious links.


These emails are meticulously crafted to mimic official communications, complete with logos, formatting, and language that instill a sense of urgency. Victims are prompted to download attached PDF or Word documents, which contain further instructions and links to malware-hosting sites controlled by APT-C-36. The group’s clever use of URL shorteners and dynamic DNS services adds another layer of deception, helping them evade detection by redirecting users based on their geographical location.

Once a victim falls prey to the phishing email, BlindEagle employs a multi-stage infection process to deploy its final payload. The group is known for its use of publicly available Remote Access Trojans (RATs) such as njRAT, LimeRAT, BitRAT, and AsyncRAT, which are customized to suit the needs of each specific campaign. These RATs enable the group to spy on victims, steal sensitive information, and even intercept financial credentials.

BlindEagle’s infection chain typically begins with the victim downloading a compressed file that appears to be an official document. These files, often in lesser-known formats like LHA or UUE, are designed to trick the unsuspecting user into extracting and running the contents. The extracted files, usually Visual Basic Scripts or .NET assemblies, then initiate a series of actions to download the next stage of the attack from a remote server.
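Because the lure archives use uncommon formats, a mail gateway or triage script can identify them from content rather than from the attachment name. The following is an added example, not code from Kaspersky or from the original article: it recognizes LHA and uuencoded data by their headers and reports a mismatched extension or a packed script or executable. The file names, sample bytes and the extension list standing in for "Visual Basic Scripts or .NET assemblies" are assumptions.

```python
import re

# LHA/LZH member headers carry a method id such as "-lh5-" at byte offset 2.
LHA_METHOD = re.compile(rb"-(lh[0-7d]|lz[s45])-")
# A uuencoded body opens with a "begin <octal mode> <file name>" line.
UUE_BEGIN = re.compile(rb"^begin(?:-base64)? [0-7]{3,4} (\S.*)$", re.MULTILINE)
# Extensions each format normally travels under.
EXPECTED_EXT = {"lha": (".lha", ".lzh"), "uue": (".uue", ".uu")}
# Assumption: extensions standing in for "Visual Basic Scripts or .NET assemblies".
RISKY_EXT = (".vbs", ".exe", ".dll")

def sniff_archive(data):
    """Return 'lha', 'uue' or None, judged from content rather than file name."""
    if LHA_METHOD.fullmatch(data[2:7]):
        return "lha"
    if UUE_BEGIN.search(data[:4096]):
        return "uue"
    return None

def inner_name(kind, data):
    """Name of the first packed file, where the header exposes it directly."""
    if kind == "uue":
        return UUE_BEGIN.search(data[:4096]).group(1).decode("latin-1").strip()
    # LHA level 0/1 headers: level at offset 20, name length at 21, name from 22.
    if kind == "lha" and len(data) > 22 and data[20] in (0, 1):
        return data[22:22 + data[21]].decode("latin-1")
    return None

def triage(attachment_name, data):
    """Collect the reasons a mail gateway would hold this attachment for review."""
    kind = sniff_archive(data)
    inner = inner_name(kind, data)
    reasons = []
    if kind:
        reasons.append(f"{kind} archive")
        if not attachment_name.lower().endswith(EXPECTED_EXT[kind]):
            reasons.append("extension does not match content")
    if inner and inner.lower().endswith(RISKY_EXT):
        reasons.append(f"contains {inner}")
    return {"kind": kind, "inner": inner, "reasons": reasons}

# Constructed samples: header layout only, not valid archives or real lures.
_NAME = b"notificacion.vbs"
SAMPLE_LHA = (bytes([22 + len(_NAME), 0]) + b"-lh5-" + bytes(13)
              + bytes([0, len(_NAME)]) + _NAME + bytes(2))
SAMPLE_UUE = b"begin 644 factura.exe\n`\nend\n"

if __name__ == "__main__":
    print(triage("citacion.pdf", SAMPLE_LHA))
    print(triage("factura.uue", SAMPLE_UUE))
```

LHA level 2 headers keep the file name in an extended header, so `inner_name` returns None for them and the format match alone drives the decision.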

Throughout this process, BlindEagle utilizes process injection techniques, such as process hollowing, to evade detection. By injecting their malicious code into legitimate processes, the group can operate stealthily, bypassing traditional security measures and maintaining persistence within the compromised system.

BlindEagle’s versatility is evident in its ability to switch between cyberespionage and financial attacks. In espionage campaigns, the group focuses on gathering sensitive information from government and corporate entities, often targeting key individuals within these organizations. For financial attacks, BlindEagle modifies its RATs to function as banking Trojans, intercepting credentials for online banking services.

A recent example of this adaptability was observed in a campaign where BlindEagle repurposed the Quasar RAT, typically used for espionage, as a banking Trojan targeting customers of Colombian financial institutions.

Targets have included individuals and organizations in Colombia, Ecuador, Chile, and Panama, spanning various sectors including government, education, health, and transportation.
