Reports have surfaced that the threat actor known as Blind Eagle, also tracked as APT-C-36, has returned with a sophisticated toolset and one of the longest infection chains observed in attacks against Colombian and Ecuadorian organizations.
Blind Eagle is a Spanish-speaking hacker group. Its latest campaign is notable for:
- Techniques and tactics
- Useful tools
- Government-themed lures
Blind Eagle has been active since at least 2018, attacking organizations in a narrow set of South American countries. Trend Micro documented the group's activities in September 2021.
Banks Targeted
The malware is distributed via email campaigns that primarily target Colombian entities. Less attention is given to the following countries:
- Ecuador
- Spain
- Panama
The following financial institutions are targeted by the campaign:
- Banco AV Villas
- Banco Caja Social
- Banco de Bogota
- Banco Popular
- Bancoomeva
- BBVA
- Colpatria
- Davivienda
- TransUnion
If the recipient of the email is not located in Colombia, the attack sequence is aborted and the victim is redirected to the official Migracion Colombia website.
A similar campaign, impersonating the Ecuadorian Internal Revenue Service, targets Colombia and Ecuador and uses the same geofencing check to drop requests originating from other countries.
Instead of dropping a RAT directly, this attack uses a multi-stage process: it abuses the legitimate Windows binary mshta.exe to execute VBScript embedded in an HTML file, which in turn downloads two Python scripts.
Below are the two Python scripts:
- ByAV2.py
- mp.py
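The chain described above (mshta.exe executing script content from an HTML file, then handing off to Python) leaves a distinctive parent/child trail in process-creation telemetry. The following detection is an added example written for this page; it is not code from the article or from the researchers who reported the campaign. It assumes Sysmon-style process-creation events with pid, parent pid, image path and command line, and the sample events are constructed for illustration, not real Blind Eagle telemetry. The script file names ByAV2.py and mp.py are taken from the page and are treated as a weak indicator only, since an attacker can rename them at will.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon-style process-creation record (assumed field set)."""
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str


# Interpreters that mshta.exe has no routine business launching.
INTERPRETERS = {
    "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
}

# Script names reported on this page for the Blind Eagle chain.
# Weak indicator: trivially changed by the operator.
KNOWN_SCRIPTS = {"byav2.py", "mp.py"}

# mshta.exe pointed at remote content, an .hta/.html file, or an inline
# vbscript:/javascript: protocol handler is the living-off-the-land pattern.
MSHTA_PAYLOAD_RE = re.compile(
    r"https?://|\.hta\b|\.html?\b|vbscript:|javascript:", re.IGNORECASE
)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return (pid, rule_name) findings for the three chain stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)

        # Stage 1: mshta.exe loading HTML/HTA or remote script content.
        if name == "mshta.exe" and MSHTA_PAYLOAD_RE.search(e.command_line):
            findings.append((e.pid, "mshta_executes_remote_or_script_content"))

        # Stage 2: mshta.exe spawning an interpreter (here, Python).
        if parent is not None and basename(parent.image) == "mshta.exe" \
                and name in INTERPRETERS:
            findings.append((e.pid, "mshta_spawns_interpreter"))

        # Stage 3: Python invoked with one of the script names from the page.
        if name in {"python.exe", "pythonw.exe"}:
            args = e.command_line.lower().split()[1:]
            if any(PureWindowsPath(a.strip('"')).name in KNOWN_SCRIPTS for a in args):
                findings.append((e.pid, "known_blind_eagle_script_name"))
    return findings


# Constructed sample events (not real telemetry). The URL is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "OUTLOOK.EXE"),
    ProcessEvent(101, 100, r"C:\Windows\System32\mshta.exe",
                 'mshta.exe "https://lure.invalid/documento.html"'),
    ProcessEvent(102, 101, r"C:\Users\victim\AppData\Local\Programs\Python\python.exe",
                 r'python.exe C:\Users\victim\AppData\Local\Temp\ByAV2.py'),
    ProcessEvent(103, 1, r"C:\Windows\System32\mshta.exe", "mshta.exe"),
    ProcessEvent(104, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Date"),
]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The three rules are deliberately independent: the first two fire on the technique (mshta.exe as a downloader and as a parent of an interpreter) and survive a rename of the payload scripts, while the third only confirms the specific campaign when the names still match. In the sample, event 103 (mshta.exe with no arguments) and event 104 (PowerShell with a benign parent) produce no findings.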
Blind Eagle is an unusual APT group in this respect: judging by its toolset, routine operations and other activities, it appears to be more interested in cybercrime than in espionage.