A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.
Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to trigger the kill chain.
Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus, having launched indiscriminate attacks against South American nations since at least 2018.
Blind Eagle's operations were documented by Trend Micro in September 2021, which uncovered a spear-phishing campaign primarily aimed at Colombian entities and designed to deliver the commodity malware BitRAT, with a lesser focus on targets in Ecuador, Spain, and Panama.
Attack chains start with phishing emails containing a booby-trapped link that, when clicked, leads to the deployment of the open source trojan Quasar RAT, with the ultimate goal of gaining access to the victim's bank accounts.
The targeted financial institutions include Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion.
Should the email recipient be located outside Colombia, the attack sequence is aborted and the target is redirected to the official website of the Colombian border control agency, Migración Colombia.
A related campaign singling out both Colombia and Ecuador impersonates the latter's Internal Revenue Service (SRI) and uses a similar geo-blocking check to filter out requests originating from other countries.
Rather than dropping a RAT, this attack employs a more elaborate multi-stage process that abuses the legitimate mshta.exe binary to execute VBScript embedded within an HTML file, ultimately downloading two Python scripts.
The first of the two, ByAV2.py, is an in-memory loader engineered to run a Meterpreter payload in DLL form. The second, mp.py, is also a Meterpreter artifact, but written in Python, suggesting that the threat actor uses one of them as a redundant method of maintaining backdoor access to the host.
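To make the mshta.exe-to-Python-loader chain above concrete from the defender's side, here is an added detection example written for this page; it is not code from Check Point's report or from the campaign itself. It scans constructed process-creation events (shaped like Sysmon Event ID 1 records) and flags mshta.exe launched with an HTML/HTA file or a URL, python.exe running either of the two script names the report gives, and python.exe spawned by mshta.exe. The sample events, the browser-to-mshta-to-python parent/child layout, and the script paths are assumptions made for the example; the report only states that mshta.exe runs the embedded VBScript and that two Python scripts are downloaded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as observed


# Constructed sample telemetry for the chain described in the text; these are not real logs.
# The parent/child shape (browser -> mshta.exe -> python.exe) is an assumption for the example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\ana\Downloads\notificacion_sri.html"),
    ProcEvent(300, 200, r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
              r"python.exe C:\Users\ana\AppData\Local\Temp\ByAV2.py"),
    ProcEvent(400, 200, r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
              r"python.exe C:\Users\ana\AppData\Local\Temp\mp.py"),
    ProcEvent(500, 1,   r"C:\Windows\System32\mshta.exe", "mshta.exe"),   # no argument: not flagged
    ProcEvent(600, 1,   r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

# Script names reported for this campaign (from the text); matched case-insensitively.
LOADER_SCRIPTS = {"byav2.py", "mp.py"}

_MSHTA_CONTENT = re.compile(r"\.(?:html?|hta)\b|https?://", re.IGNORECASE)
_PY_SCRIPT = re.compile(r"([^\s\\/]+\.py)\b", re.IGNORECASE)


def is_mshta(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\mshta.exe")


def is_python(ev: ProcEvent) -> bool:
    return re.search(r"\\pythonw?\.exe$", ev.image.lower()) is not None


def mshta_runs_web_content(ev: ProcEvent) -> bool:
    """mshta.exe handed an .html/.hta file or a URL: the LOLBin abuse described above.
    A bare mshta.exe launch is left alone, since the binary itself is legitimate and signed."""
    return is_mshta(ev) and _MSHTA_CONTENT.search(ev.cmdline) is not None


def script_name(ev: ProcEvent) -> Optional[str]:
    """Return the lower-cased .py filename from a python command line, if there is one."""
    m = _PY_SCRIPT.search(ev.cmdline)
    return m.group(1).lower() if m else None


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for the mshta -> Python loader pattern."""
    by_pid = {ev.pid: ev for ev in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if mshta_runs_web_content(ev):
            findings.append(("mshta_html_execution", ev.pid))
        if is_python(ev):
            if script_name(ev) in LOADER_SCRIPTS:
                findings.append(("known_loader_script", ev.pid))
            parent = by_pid.get(ev.ppid)
            # Parent/child correlation is the more durable signal: it survives a renamed script.
            if parent is not None and is_mshta(parent):
                findings.append(("mshta_spawned_python", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Alerting on mshta.exe alone is noisy because it is a signed Windows component that legitimate software still invokes; the argument shape and the parent/child link are what make the signal usable, and the parent/child rule keeps firing if the operator renames ByAV2.py or mp.py.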
"Blind Eagle is a strange bird among APT groups," the researchers concluded. "Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage."
The development comes days after Qualys disclosed that an unknown adversary is leveraging personal information stolen from a Colombian cooperative bank to craft phishing emails that result in the deployment of BitRAT.
Some parts of this article are sourced from:
thehackernews.com