Blind Eagle Hackers Target Key Industries in Colombia

February 28, 2023 | Ravie Lakshmanan | Cyber Threat / Malware


The threat actor known as Blind Eagle has been linked to new campaigns targeting several key Colombian industries.

Detected by the BlackBerry Research and Intelligence Team on February 20, 2023, the activity is said to extend to Ecuador, Chile, and Spain, suggesting a slowly growing footprint of the hacking group’s victims.

Targeted groups include health, financial, law enforcement, and immigration organizations, as well as agencies responsible for peace negotiations in Colombia, according to the Canadian cybersecurity firm.

Blind Eagle, also known as APT-C-36, was recently covered by Check Point Research detailing the attacker’s advanced toolset, including a Meterpreter payload delivered via spear phishing emails.

The latest series of attacks involved the group impersonating the National Directorate of Taxes and Customs (DIAN), the Colombian government’s tax agency, using lures urging recipients to settle their “unpaid obligations” to phish its targets.

The well-crafted email message contains a link to a PDF file purportedly hosted on DIAN’s website, which in fact deploys malware to the targeted system, effectively starting the infection chain.

“The fake DIAN website page includes a button that invites victims to download a PDF and view what they claim is a pending tax invoice,” BlackBerry researchers said.


“Clicking the blue button will initiate the download of a malicious file from the Discord Content Delivery Network (CDN) that the attackers are exploiting in this phishing scam.”

The payload is an obfuscated Visual Basic Script (VBS) that runs when the “PDF” file is opened and uses PowerShell and a .NET-based DLL to ultimately load AsyncRAT into memory.

“A malicious [remote access trojan] installed on a victim’s machine lets the threat actor connect to the infected endpoint at any time and perform any desired action,” the researchers said.


It is also worth noting that the threat actor uses dynamic DNS services such as DuckDNS to remotely control the compromised hosts.
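The infection chain above (Discord CDN download, script host launching PowerShell, DuckDNS lookups for remote control) lends itself to simple correlation. The following Python sketch is an added example, not code from the article or from BlackBerry, and it assumes a simplified key=value log format; the hostnames, URL and domain in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): proxy, process-creation and
# DNS events for two hosts, in an assumed key=value format.
SAMPLE_LOGS = """\
host=WS-01 type=proxy url=https://cdn.discordapp.com/attachments/1234/5678/factura_DIAN.pdf.vbs
host=WS-01 type=process parent=wscript.exe image=powershell.exe cmdline="powershell -w hidden -nop"
host=WS-01 type=dns query=example-c2.duckdns.org
host=WS-02 type=proxy url=https://www.dian.gov.co/ayuda.pdf
host=WS-02 type=process parent=explorer.exe image=powershell.exe cmdline="powershell Get-Date"
host=WS-02 type=dns query=update.microsoft.com
"""

# Each rule names a stage of the chain, the event type it applies to, and the
# field patterns that must all match.
RULES = [
    ("discord_cdn_download", "proxy",
     {"url": re.compile(r"https?://cdn\.discordapp\.com/", re.I)}),
    ("script_host_spawns_powershell", "process",
     {"parent": re.compile(r"^(wscript|cscript)\.exe$", re.I),
      "image": re.compile(r"^powershell\.exe$", re.I)}),
    ("dynamic_dns_lookup", "dns",
     {"query": re.compile(r"\.duckdns\.org$", re.I)}),
]

def parse_line(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

def match_stages(lines):
    """Return {host: set of stage names} for every host that trips a rule."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        for stage, rtype, fields in RULES:
            if rec.get("type") == rtype and all(
                    p.search(rec.get(f, "")) for f, p in fields.items()):
                hits[rec["host"]].add(stage)
    return hits

def score_hosts(lines, threshold=2):
    """Escalate hosts showing at least `threshold` distinct stages; a lone
    Discord CDN fetch or DuckDNS lookup is too common to page on by itself."""
    return {h: sorted(s) for h, s in match_stages(lines).items() if len(s) >= threshold}

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_LOGS.splitlines()).items():
        print(host, stages)
```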

Blind Eagle is suspected to be a Spanish-speaking group due to the use of Spanish in their spear-phishing emails. However, it is currently unknown where the threat actor is based and whether the motivation for the attack is espionage or financial gain.

“The modus operandi used has remained largely the same as in the group’s previous efforts. This could mean that they are confident in using them because they already have them,” BlackBerry said.
