Cybersecurity researchers have shed light on a threat actor known as Blind Eagle that has persistently targeted entities and individuals in Colombia, Ecuador, Chile, Panama, and other Latin American nations.
Targets of these attacks span several sectors, including governmental institutions, financial companies, energy and oil and gas companies.
"Blind Eagle has demonstrated adaptability in shaping the objectives of its cyberattacks and the versatility to switch between purely financially motivated attacks and espionage operations," Kaspersky said in a Monday report.
Also referred to as APT-C-36, Blind Eagle is believed to be active since at least 2018. The suspected Spanish-speaking group is known for using spear-phishing lures to distribute various publicly available remote access trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
Earlier this March, eSentire detailed the adversary's use of a malware loader called Ande Loader to propagate Remcos RAT and NjRAT.
The starting point is a phishing email impersonating legitimate governmental institutions and financial and banking entities that deceptively warns recipients to take urgent action by clicking on a link that purports to lead them to the official website of the entity being mimicked.
The email messages also include a PDF or Microsoft Word attachment that contains the same URL, and, in some cases, a few additional details designed to impart a heightened sign of urgency and lend it a veneer of legitimacy.
The first set of URLs directs the users to actor-controlled sites that host an initial dropper, but only after determining if the victim belongs to a country that is among the group's targets. Else, they are led to the site of the organization the attackers are impersonating.
"This geographical redirection prevents new malicious sites from being flagged, and thwarts hunting and analysis of these attacks," the Russian cybersecurity vendor said.
The initial dropper comes in the form of a compressed ZIP archive, which, in turn, embeds a Visual Basic Script (VBS) responsible for retrieving the next-stage payload from a hard-coded remote server. These servers can range from image hosting sites to Pastebin to legitimate services like Discord and GitHub.
The second-stage malware, often obfuscated using steganographic methods, is a DLL or a .NET injector that subsequently contacts yet another malicious server to retrieve the final stage trojan.
"The group often uses process injection techniques to execute the RAT in the memory of a legitimate process, thereby evading process-based defenses," Kaspersky said.
"The group's preferred technique is process hollowing. This technique consists in creating a legitimate process in a suspended state, then unmapping its memory, replacing it with a malicious payload, and finally resuming the process to start execution."
The use of modified versions of open-source RATs gives Blind Eagle the flexibility to modify their campaigns at will, using them for cyber espionage or capturing credentials for Colombian financial services from the victim's browser when the window titles are matched against a predefined list of strings in the malware.
On the other hand, altered versions of NjRAT have been observed fitted with keylogging and screenshot-capturing capabilities to harvest sensitive information. Furthermore, the updated version supports installing additional plugins sent from a server to augment its functionality.
The changes also extend to the attack chains. As recently as June 2024, AsyncRAT has been distributed through a malware loader dubbed Hijack Loader, suggesting a high level of adaptability on the part of the threat actors. It also serves to highlight the addition of new techniques to sustain their operations.
"As simple as BlindEagle's techniques and procedures may appear, their effectiveness allows the group to sustain a high level of activity," Kaspersky concluded. "By consistently executing cyber espionage and financial credential theft campaigns, Blind Eagle remains a significant threat in the region.