Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain


Jan 05, 2023 | Ravie Lakshmanan | Cyber Attack / Malware


A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.

Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to trigger the kill chain.

Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and for launching indiscriminate attacks against South American nations since at least 2018.

Blind Eagle's operations were documented by Trend Micro in September 2021, uncovering a spear-phishing campaign primarily aimed at Colombian entities and designed to deliver a commodity malware known as BitRAT, with a lesser focus on targets in Ecuador, Spain, and Panama.

Attack chains start with phishing emails containing a booby-trapped link that, when clicked, leads to the deployment of an open source trojan named Quasar RAT, with the ultimate goal of gaining access to the victim's bank accounts.

Some of the targeted banks include Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion.


Should the email recipient be located outside of Colombia, the attack sequence is aborted and the victim is redirected to the official website of the Colombian border control agency, Migración Colombia.

A related campaign singling out both Colombia and Ecuador masquerades as the latter's Internal Revenue Service (SRI) and uses a similar geo-blocking technique to filter out requests originating from other countries.

This attack, rather than dropping a RAT, employs a more complex multi-stage process that abuses the legitimate mshta.exe binary to execute VBScript embedded within an HTML file, ultimately downloading two Python scripts.

The first of the two, ByAV2.py, is an in-memory loader engineered to run a Meterpreter payload in DLL format. mp.py is also a Meterpreter artifact, only it is written in Python, indicating that the threat actor could be using one of them as a redundant method to retain backdoor access to the host.
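The mshta.exe-to-Python chain described above is the kind of parent/child relationship endpoint telemetry can key on. As an added example, not taken from the Check Point report or the campaign's real telemetry, here is a small Python triage helper run over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1; all paths, PIDs and file names are invented):

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the launched binary
    cmdline: str  # command line as logged

# Constructed sample events: a benign shell/mail chain, a suspicious
# mshta.exe launch of an HTML file from Downloads that then spawns
# python.exe, and a benign vendor .hta run from Program Files.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Outlook\outlook.exe", "outlook.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\ana\Downloads\SRI_factura.html"),
    ProcEvent(400, 300, r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
              r"python.exe ByAV2.py"),
    ProcEvent(500, 1, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\installer.hta"),
]

INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def mshta_findings(events, max_depth: int = 3):
    """Return (pid, reason) for two signals from the chain described above:
    mshta.exe running HTML/HTA content from a user-writable location, and a
    script interpreter whose ancestry reaches mshta.exe within max_depth hops."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        if name == "mshta.exe":
            arg = e.cmdline.lower()
            if arg.endswith((".html", ".htm")) or any(p in arg for p in USER_WRITABLE):
                findings.append((e.pid, "mshta.exe executing HTML/HTA from a user-writable or non-.hta source"))
        elif name in INTERPRETERS:
            cur, depth = e, 0
            while cur.ppid in by_pid and depth < max_depth:   # walk up the parent chain
                parent = by_pid[cur.ppid]
                if _basename(parent.image) == "mshta.exe":
                    findings.append((e.pid, f"{name} descended from mshta.exe pid {parent.pid}"))
                    break
                cur, depth = parent, depth + 1
    return findings

if __name__ == "__main__":
    for pid, reason in mshta_findings(SAMPLE_EVENTS):
        print(pid, reason)
```

On the sample events the helper flags PIDs 300 and 400 and leaves the vendor .hta launch alone; in production the same two checks would run over a real process-creation feed rather than the embedded list.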

"Blind Eagle is a strange bird among APT groups," the researchers concluded. "Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage."

The development comes days after Qualys disclosed that an unknown adversary is leveraging personal data stolen from a Colombian cooperative bank to craft phishing emails that result in the deployment of BitRAT.
