The Blind Eagle gang staged a real massacre, indiscriminately attacking banks in South America

The attackers use powerful hacking tools and one of the most complex infection chains in history.

Not long ago, reports began to emerge that the Spanish-speaking Blind Eagle group (tracked as APT-C-36) had once again returned to the cybercrime arena and brought with it an updated set of hacking tools, as well as one of the most sophisticated infection chains in the history of cyberattacks targeting Colombian and Ecuadorian organizations. All this was revealed by researchers from Check Point in their latest report.

Banks in Ecuador, Spain and Panama have become victims of phishing attacks:
Banco AV Villas
Banco Caja Social
Banco de Bogotá
Banco Popular
Bancoomeva
BBVA
Colpatria
Davivienda
TransUnion

It is known that the hackers abort the attack if the victim is outside Colombia. They act in a similar way in another malicious campaign, in which they impersonate the Ecuadorian Tax Service. In that case, however, Blind Eagle does not simply deploy a Trojan on the victim's system but conducts a far more cunning and sophisticated attack using a VBS script embedded in an HTML file. Through this script, two scripts written in Python are loaded:
ByAV2.py
mp.py

According to experts, Blind Eagle is not going to stop and will continue its attacks to make even more money on careless victims.

----------------------

In a new report, Kaspersky Lab researchers dissected a hacker group known as Blind Eagle (APT-C-36), which practices simple but effective attack tactics and techniques.

The group has been active since at least 2018 and targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries, focusing on various sectors including government agencies, finance and energy.

At the same time, Blind Eagle demonstrates adaptability and flexibility in targeting its attacks, switching between purely financially motivated campaigns and cyberespionage operations.

The Hispanic APT is known for using spear phishing or mass phishing, posing as government entities, to spread various publicly available Trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT and Remcos RAT.

The starting point is a phishing email that warns recipients of the need to respond urgently by clicking a link that supposedly leads to the official website of the impersonated organization.

The emails are also accompanied by a PDF or Microsoft Word file containing the same URL and, in some cases, a few additional details designed to give the message a heightened sense of urgency and a semblance of legitimacy.

The first set of URLs directs users to actor-controlled sites hosting the initial dropper, but only after the victim has been confirmed to be in a target country; otherwise the user is redirected to a legitimate site.

Such geographic filtering helps the malicious sites evade detection and makes the attacks harder to track and analyze.

The initial dropper comes in the form of a compressed ZIP archive that embeds a Visual Basic Script responsible for retrieving the next-stage payload from a hard-coded remote server (ranging from image hosting to Pastebin, Discord and GitHub).

The second-stage malware, often disguised using steganographic techniques, is a DLL or .NET injector that subsequently contacts another server to retrieve the final-stage Trojan.

The group often uses process injection techniques to execute a RAT in the memory of a legitimate process, thereby bypassing process-based protection. The group's preferred technique is process hollowing.

BlindEagle uses open-source RATs as the last link in its attack chain, modifying them to suit the goals of each campaign.
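The dropper stage of the chain described above (a ZIP archive embedding a script that pulls the next stage from a hard-coded URL on image hosting, Pastebin, Discord or GitHub) is the point where a mail gateway or sandbox can make a cheap triage decision. The following defender-side checker is an added example, not code from the original post or from either report; the hostname suffixes, the sample archive and the filenames in it are my own constructions.

```python
import io
import re
import zipfile

# Staging services the post names for the second stage (image hosting,
# Pastebin, Discord, GitHub). The hostname suffixes are my assumption.
STAGING = {
    "pastebin.com": "pastebin",
    "discordapp.com": "discord",
    "discord.com": "discord",
    "github.com": "github",
    "githubusercontent.com": "github",
}
IMAGE_EXT = re.compile(r"\.(?:png|jpe?g|gif|bmp)(?:\?|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".wsf", ".js", ".jse")

def classify_url(url):
    """Label a URL by staging category, or None if it is not a known staging host."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    host = host.split(":")[0].lower()
    for suffix, label in STAGING.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    # Image hosting is too varied to enumerate; fall back to the fetched file type.
    return "image-hosting" if IMAGE_EXT.search(url) else None

def scan_zip(data):
    """Return one finding per script member of a ZIP held in memory as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXT):
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            urls = URL_RE.findall(text)
            hits = {u: c for u in urls if (c := classify_url(u))}
            verdict = "suspicious" if hits else ("review" if urls else "clean")
            findings.append({"member": info.filename, "urls": urls,
                             "staging_hits": hits, "verdict": verdict})
    return findings

def build_sample():
    """Constructed sample archive shaped like the described dropper (not a real artifact)."""
    vbs = 'stage2 = "https://raw.githubusercontent.com/example/stage/main/pic.png"\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("factura.vbs", vbs)   # script member: the one we care about
        zf.writestr("leeme.txt", "https://example.org/")  # non-script, ignored
    return buf.getvalue()
```

A "suspicious" verdict here means a script inside an archive references one of the staging services the post lists, which is a strong enough signal to hold the message for analyst review rather than deliver it.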

This approach gives them the flexibility to adapt their malware with minimal effort, as they don't have to design implants from scratch.

The group has always been known for using simple but highly effective TTPs, as well as publicly available malware. However, during recent campaigns, Kaspersky Lab has observed a shift in the group's approach towards "adapt or perish".

For example, in May of this year, the group ran a new espionage campaign targeting Colombia using an infection process whose artifacts had strings and variable names entirely in Portuguese and relied on Brazilian hosting resources.

The changes have also been extended to attack chains. Most recently, in June, AsyncRAT was delivered via the Hijack Loader, indicating a high level of adaptability on the part of the threat actor.

Although BlindEagle's TTPs seem simple, their effectiveness allows the group to maintain a high level of activity.

In addition, the group is introducing alternative strategies into infection processes and new methods into the arsenal, while continuing to consistently carry out cyberespionage and theft of financial data.

• Source: https://securelist.com/blindeagle-apt/113414/