An ongoing hacking campaign organized by the threat actor group Blind Eagle (also known as APT-C-36) has been spotted targeting individuals across South America.
Security experts at Check Point Research (CPR) have published their findings in a new advisory. Published Thursday, it describes a new infection chain that includes an advanced toolset.
“Over the past few months, we have been observing an ongoing campaign organized by Blind Eagle. The above TTP [tactics, techniques and procedures] is a phishing email impersonating the Colombian government,” the team wrote.
“One classic example is an email purported to be from the Ministry of Foreign Affairs, threatening that there will be problems when the recipient leaves the country unless the recipient solves the bureaucratic problem.”
According to CPR, the malicious email contained a link and a PDF file that directed the unfortunate victim to the same link.
When the victim clicks the link, the server inspects the incoming HTTP request to determine whether it originated outside Colombia.
If it did, the server aborts the infection chain and redirects the client to the genuine website of the Immigration Department of the Ministry of Foreign Affairs of Colombia. If the request arrives from within Colombia, however, the infection chain proceeds as planned.
“The server responds to the client with a file for download. This is a malware executable hosted on file-sharing service MediaFire,” CPR explained.
“This file is compressed like a ZIP file using the LHA algorithm. It’s in both the email and the attached PDF.”
The executable in the archive is Quasar RAT. It has several new features, including the ability to activate and deactivate system proxies.
Another variant was discovered by CPR targeting Ecuador and impersonating the Ecuadorian Internal Revenue Service.
“This latest campaign targeting Ecuador highlights how Blind Eagle has matured as a threat in recent years, experimenting with infection chains and ‘living off the land’,” the CPR advisory reads.
“If what we’ve seen is any indication, this group is worth keeping an eye on so victims aren’t caught off guard by their next trick.”
The advisory comes weeks after Colombian healthcare provider Keralty reported a ransomware attack in December 2022.