The threat actor known as Blind eagle has been linked to a new campaign targeting various key industries in Colombia.
The activity, discovered by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to include Ecuador, Chile and Spain, suggesting a slow expansion of the hacker group’s victimology footprint.
Targeted entities include health, finance, law enforcement, immigration and an agency responsible for peace negotiations in Colombia, the Canadian cybersecurity company said.
Blind Eagle, also known as APT-C-36, was recently covered by Check Point Research, detailing the adversary’s advanced toolkit consisting of Meterpreter payloads delivered via spear-phishing emails.
The latest set of attacks involves the group posing as Colombia’s state tax agency, the National Directorate of Taxes and Customs (DIAN), to phish its targets using lures that encourage recipients to settle “outstanding obligations” .
The crafted emails come with a link that points to a PDF file that purports to reside on DIAN’s website, but actually deploys the malware on the targeted system, effectively launching the infection chain.
“The fake DIAN website contains a button that prompts the victim to download a PDF to view what the website claims to be pending tax invoices,” BlackBerry researchers said.
“Clicking the blue button starts the download of a malicious file from Discord’s content delivery network (CDN), which the attackers are exploiting in this phishing scam.”
The payload is an obfuscated Visual Basic Script (VBS), which runs when the “PDF” file is opened and uses PowerShell to retrieve a .NET-based DLL file that ultimately loads AsyncRAT into memory.
“A malicious one [remote access trojan] installed on a victim’s machine enables the threat actor to connect to the infected endpoint anytime they want and perform any operation they want,” the researchers said.
Discover the hidden dangers of third-party SaaS apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize your risk.
RESERVE YOUR SEAT
Also noteworthy is the threat actor’s use of dynamic DNS services such as DuckDNS to remotely control the compromised hosts.
Blind Eagle is suspected of being a Spanish-speaking group due to the use of the language in its spear-phishing emails. However, it is currently unclear where the threat actor is based and whether their attacks are motivated by espionage or financial gain.
“The modus operandi used has been largely the same as the group’s previous efforts – it is very simple, which could mean that this group is comfortable with its way of launching campaigns via phishing emails and feels confident in to use them because they keep working,” BlackBerry said.
