‘BlindEagle’ Sends Phishing Emails Impersonating Govt and Banks in Latin America

Published on August 20, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

The BlindEagle threat actor, also known as APT-C-36, is persistently targeting Colombia, Ecuador, Chile, Panama, and other Latin American countries’ entities and individuals in several sectors, including governmental institutions, financial companies, energy, and oil and gas, according to the latest report from cyber-security company Kaspersky. 

The suspected Spanish-speaking BlindEagle APT is believed to have been active since at least 2018 and was seen recently sending phishing emails either via spear phishing for targeted espionage attacks or more generalized phishing for financial attacks. 

Sometimes, malicious emails impersonate legitimate governmental institutions and financial and banking entities.

The phishing emails that invoked taking urgent action appeared to come from Colombia’s National Directorate of Taxes and Customs, Ministry of Foreign Affairs, and Office of the Attorney General, among others.

Phishing Email from BlindEagle
Image Credits: Kaspersky

Source: Kaspersky

Each email contains the same message and URL in both its body and an attached PDF or Word file. The link usually points to DDNS services and redirects to public repositories or attacker-owned sites that mimic the impersonated entity and host malware implants.

The initial dropper is typically a compressed file, such as ZIP, LHA, or UUE, which purports to be an official document from the spoofed government or financial entity that would solve the false issue presented in the email message.

Unsuspecting users extract Visual Basic Scripts that use WScript, XMLHTTP objects, or PowerShell commands that contact an attacker-controlled server or public infrastructure, such as image hosting sites, text storage sites like Pastebin, CDN services like Discord, or developer platforms like GitHub to download malware.

The second stage employs encoded or obfuscated text files, images, and .NET executables. Images are obfuscated via steganography techniques, and executables typically pretend to be legitimate while hiding the next malicious payload within their resource. 

Malicious Phishing Code BlindEagle
Image Credits: Kaspersky

The final payload is an open-source RAT, often executed in the memory of a legitimate process to evade detection.

The hackers deploy both financially motivated attacks and espionage operations, distributing publicly available remote access trojans such as NjRAT, AsyncRAT, BitRAT, Lime RAT, Quasar RAT, and Remcos RAT, which they alter to suit each campaign’s target.

A modified version of the espionage Quasar RAT was used as a banking Trojan to target customers of financial institutions in Colombia. It could collect browser data for intercepting banking credentials and also showed monitoring capabilities for newly opened browser windows, initiating keylogging if the tabs matched a list of strings relating to ten Colombian financial entities.

Modified versions of the njRAT malware, with the same keylogging and application monitoring capabilities, were used for cyber espionage operations while adding data exfiltration and additional plugin installation.

They often use URL shorteners with geo-location filtering capabilities, redirecting the user to the official website of the entity the cybercriminals were pretending to be.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: