BlindEagle (APT-C-36) is an advanced persistent threat (APT) actor known for straightforward but effective attack methods, targeting entities in Colombia, Ecuador, Chile, Panama, and other Latin American countries.
Target Sectors: The group focuses on governmental institutions, financial companies, and the energy and oil and gas sectors.
Attack Methods:
- Phishing: Uses spear phishing or generalized phishing emails impersonating governmental or financial institutions. Emails often contain malicious links or attachments that lead to malware.
- Geolocation Filtering: Employs URL shorteners with geographical detection to ensure attacks are only targeted at intended regions.
Malware Deployment:
- Initial Dropper: Delivered via phishing emails, often disguised as official documents. The dropper is typically a compressed file containing a Visual Basic Script or PowerShell commands.
- Intermediate Stage: Involves custom-built tools and may use less common file formats. The initial dropper contacts a server to download the next stage.
- Final Payload: Utilizes open-source Remote Access Trojans (RATs) such as njRAT, LimeRAT, BitRAT, and AsyncRAT, modified for their specific campaign objectives.
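The initial dropper stage described above (a compressed attachment carrying a Visual Basic Script or PowerShell payload, disguised as an official document) is the earliest point at which a mail gateway or endpoint can intervene. The following is an added example, not code from the original page or from any BlindEagle sample: it triages a ZIP archive in memory and flags members with script extensions, treating a document-looking double extension such as `.pdf.vbs` as a stronger finding. The archive contents, file names and extension lists are constructed for illustration.

```python
"""Triage an e-mail attachment archive for the dropper pattern: a compressed
file carrying a script payload (VBS, PowerShell, ...) disguised as a document.

Added example, not code from the original page; the sample archive, member
names and extension lists are constructed for illustration."""
import io
import zipfile
from typing import List, Optional, Tuple

# Script and loader extensions that should never arrive as a "document".
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}
# Extensions an attacker borrows so the lure reads as an official document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_member(name: str) -> Optional[str]:
    """Return a finding label for one archive member, or None if it looks benign."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None  # no extension at all
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    # "Notificacion.pdf.vbs" style: a document name hiding a script extension
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "script-with-document-double-extension"
    return "script-in-archive"


def triage_archive(data: bytes) -> List[Tuple[str, str]]:
    """Scan a ZIP archive held in memory; return (member name, finding) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = classify_member(info.filename)
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a lure archive with a double-extension VBS, a benign
    PDF and a bare PowerShell script. Member bodies are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notificacion_Juzgado.pdf.vbs", "' placeholder")
        zf.writestr("anexo.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("ejecutar.ps1", "# placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in triage_archive(build_sample_archive()):
        print(f"{label}: {name}")
```

The check deliberately keys on the archive listing rather than member contents, so it runs before anything is extracted; a real gateway would combine it with sender-domain checks, since the lure impersonates governmental or financial institutions.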
Techniques:
- Process Hollowing: Injects malicious code into legitimate processes to evade detection.
- Steganography: Hides malicious code in images or text files.
- DLL Sideloading: Recent campaigns have used DLL sideloading techniques with a new modular loader called “HijackLoader.”
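DLL sideloading, as used in the HijackLoader campaigns mentioned above, leaves a recognisable trace in image-load telemetry: a DLL named like a well-known Windows library is loaded from a user-writable directory, typically alongside the legitimate executable that imports it, and carries no valid signature. The following is an added example, not code from the original page or from any vendor product: it applies that heuristic to constructed image-load records. The event fields, the list of commonly impersonated DLL names and the trusted-root prefixes are assumptions made for illustration and would be replaced by the fields of the actual EDR or Sysmon source.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example, not from the original page; records, field names, the DLL
name list and trusted roots are constructed for illustration."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Illustrative subset of library names frequently impersonated in sideloading.
COMMON_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "mscoree.dll"}
# Locations where a library with one of those names is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    process_path: str   # executable that performed the load
    image_path: str     # DLL that was mapped
    signed: bool        # whether the DLL carried a valid Authenticode signature


def assess(ev: ImageLoad) -> Optional[str]:
    """Return a severity ("high"/"medium") for a sideloading candidate, else None."""
    image = ev.image_path.lower()
    if ntpath.basename(image) not in COMMON_SYSTEM_DLLS:
        return None                      # not impersonating a known library
    if image.startswith(TRUSTED_ROOTS):
        return None                      # loaded from where it belongs
    if ev.signed:
        return None                      # validly signed copies are out of scope here
    # Classic pattern: the DLL sits in the same directory as the (copied) host exe.
    same_dir = ntpath.dirname(image) == ntpath.dirname(ev.process_path.lower())
    return "high" if same_dir else "medium"


def find_sideloads(events: List[ImageLoad]) -> List[ImageLoad]:
    """Filter a batch of image-load events down to sideloading candidates."""
    return [ev for ev in events if assess(ev) is not None]


# Constructed sample telemetry: one benign system load, one textbook sideload,
# one benign vendor helper, and one unsigned lookalike in a plugin folder.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\u\AppData\Roaming\Updater\legit.exe",
              r"C:\Users\u\AppData\Roaming\Updater\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True),
    ImageLoad(r"C:\Users\u\Downloads\tool.exe", r"C:\Users\u\Downloads\plugins\dbghelp.dll", False),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print(f"{assess(ev)}: {ev.process_path} loaded {ev.image_path}")
```

The name list is the part that needs tuning in practice: it should be generated from the libraries actually present under the system directory rather than typed by hand, and a signed-but-mismatched publisher check is a useful refinement the sample omits.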
Recent Activities:
- May and June Campaigns: Targeted Colombia with phishing emails containing documents that led to the deployment of AsyncRAT and other malware, utilizing Portuguese language artifacts and Brazilian hosting sites.
- Adaptability: The group shows flexibility in its tactics, adjusting its techniques and tools to maintain effectiveness and evade detection.
Ongoing Threat: Despite the simplicity of its methods, BlindEagle's consistent use of effective techniques keeps it a significant threat, and it continues to adapt its strategies to increase its impact.