‘BlindEagle’ Sends Phishing Emails Impersonating Govt and Banks in Latin America

• The BlindEagle APT group was seen impersonating various government entities and more in a phishing campaign deploying RATs.
• The versatile threat actor tweaks the malware strains to suit espionage or financial attacks.
• This campaign targets victims in Latin America and redirects users located outside their focus.

The BlindEagle threat actor, also known as APT-C-36, is persistently targeting Colombia, Ecuador, Chile, Panama, and other Latin American countries’ entities and individuals in several sectors, including governmental institutions, financial companies, energy, and oil and gas, according to the latest report from cyber-security company Kaspersky. 

The suspected Spanish-speaking BlindEagle APT is believed to have been active since at least 2018 and was seen recently sending phishing emails either via spear phishing for targeted espionage attacks or more generalized phishing for financial attacks. 

Sometimes, malicious emails impersonate legitimate governmental institutions and financial and banking entities.

The phishing emails that invoked taking urgent action appeared to come from Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General, among others.

Source: Kaspersky

Each email contains the same message and URL in both its body and an attached PDF or Word file. The link usually points to DDNS services and redirects to public repositories or attacker-owned sites that mimic the impersonated entity and host malware implants.

The initial dropper is typically a compressed file, such as ZIP, LHA, or UUE, which purports to be an official document from the spoofed government or financial entity that would solve the false issue presented in the email message.

Unsuspecting users extract Visual Basic Scripts that use WScript, XMLHTTP objects, or PowerShell commands that contact an attacker-controlled server or public infrastructure, such as image hosting sites, text storage sites like Pastebin, CDN services like Discord, or developer platforms like GitHub to download malware.

The second stage employs encoded or obfuscated text files, images, and .NET executables. Images are obfuscated via steganography techniques, and executables typically pretend to be legitimate while hiding the next malicious payload within their resource. 

The final payload is an open-source RAT, often executed in the memory of a legitimate process to evade detection.

The hackers deploy both financially motivated attacks and espionage operations, distributing publicly available remote access trojans such as NjRAT, AsyncRAT, BitRAT, Lime RAT, Quasar RAT, and Remcos RAT, which they alter to suit each campaign’s target.

A modified version of the espionage Quasar RAT was used as a banking Trojan to target customers of financial institutions in Colombia. It could collect browser data for intercepting banking credentials and also showed monitoring capabilities for newly opened browser windows, initiating keylogging if the tabs matched a list of strings relating to ten Colombian financial entities.

Modified versions of the njRAT malware, with the same keylogging and application monitoring capabilities, were used for cyber espionage operations while adding data exfiltration and additional plugin installation.

They often use URL shorteners with geo-location filtering capabilities, redirecting the user to the official website of the entity the cybercriminals were pretending to be.