The threat group BlindEagle, also tracked as APT-C-36, has been observed refining its tactics and expanding its reach across Latin America. First identified in 2018, the actor has recently updated its espionage campaigns, which primarily target individuals and organizations in Colombia and neighboring countries.
Expanded Scope and Sophisticated Techniques
According to recent findings by Kaspersky, BlindEagle has broadened its target list to include government institutions, energy and oil and gas companies, and financial organizations in Colombia, Ecuador, Chile, Panama and other Latin American countries. In May and June 2024, 87% of the group's victims were located in Colombia, underscoring the country's central place in its operations.
BlindEagle's objectives remain espionage and theft of financial information. Rather than bespoke implants, the group relies on publicly available, open-source remote access trojans (RATs) such as njRAT, Lime-RAT, BitRAT and AsyncRAT.
Evolution of Attack Vectors
njRAT: The Swiss Army Knife of Cyber Espionage
In its May 2024 campaign, BlindEagle predominantly used njRAT. This trojan lets operators log keystrokes, access webcams, collect system information, take screenshots and perform other covert activities. Recent versions of njRAT also support plugins, so operators can extend the implant with additional espionage modules.
Leveraging Brazilian File-Sharing Services
In a notable shift, BlindEagle has begun incorporating Portuguese-language strings and Brazilian domains into its multi-stage delivery chain. This may indicate collaboration with other threat actors and shows the group's adaptability: it has been observed hosting stages on a Brazilian image hosting site instead of the Discord or Google Drive links it relied on previously.
DLL Sideloading: A New Addition to the Arsenal
In June 2024 BlindEagle ran a distinct campaign built around DLL sideloading, a technique previously uncommon in its operations. In sideloading, a legitimate (often signed) executable is shipped together with a malicious DLL that carries the name of a library the executable imports; because Windows searches the application's own directory before the system directories for libraries that are not on the KnownDLLs list, the attacker's DLL is loaded instead of the genuine one and runs with the trust of the host process. The lures were fake court documents in PDF and DOCX formats, delivered in ZIP archives that also carried the additional malicious components, and the final payload was AsyncRAT.
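The archive layout described above (decoy document plus an executable and a DLL that must sit in the same directory to be sideloaded) can be checked mechanically before anything is opened. The following is an added example, not code from the original article or from any vendor report: it builds a constructed sample archive with hypothetical file names, classifies each member as EXE, DLL or non-PE by reading the COFF Characteristics field of the PE header, and reports whether an executable and a DLL are co-located. The minimal PE headers are synthesized only so the example runs offline; they are not loadable images.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit that marks a DLL
DOC_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx", ".rtf"}


def build_minimal_pe(is_dll: bool) -> bytes:
    """Synthesize an MZ stub plus PE signature and COFF header (constructed sample).

    Only the fields classify_pe() reads are populated; this is not a runnable binary.
    """
    e_lfanew = 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)                    # pointer to "PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def classify_pe(data: bytes) -> str:
    """Return 'dll', 'exe' or 'not-pe' based on the PE header, ignoring the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    # Characteristics sits 18 bytes into the COFF header, after the 4-byte signature.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def sideloading_indicators(zip_bytes: bytes) -> dict:
    """Look for the sideloading pattern: a PE executable next to a PE DLL, plus decoy documents."""
    exes, dlls, decoys, masquerades = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify_pe(zf.read(info.filename))
            ext = PurePosixPath(info.filename).suffix.lower()
            if kind == "exe":
                exes.append(info.filename)
            elif kind == "dll":
                dlls.append(info.filename)
            elif ext in DOC_EXTENSIONS:
                decoys.append(info.filename)
            # A PE file named like a document is a masquerade in its own right.
            if kind != "not-pe" and ext in DOC_EXTENSIONS:
                masquerades.append(info.filename)
    # Sideloading only works if the EXE and the DLL share a directory.
    exe_dirs = {PurePosixPath(p).parent for p in exes}
    dll_dirs = {PurePosixPath(p).parent for p in dlls}
    return {
        "executables": exes,
        "dlls": dlls,
        "decoy_documents": decoys,
        "masquerading_pe": masquerades,
        "sideloading_pattern": bool(exe_dirs & dll_dirs),
    }


def build_sample_archive() -> bytes:
    """Constructed archive shaped like the described lure; all names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Citacion_Judicial/Notificacion.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("Citacion_Judicial/Visor.exe", build_minimal_pe(is_dll=False))
        zf.writestr("Citacion_Judicial/version.dll", build_minimal_pe(is_dll=True))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in sideloading_indicators(build_sample_archive()).items():
        print(f"{key}: {value}")
```

Classifying by header rather than by extension matters here: a DLL renamed to `.dat` or an executable renamed to `.pdf` still carries the `MZ`/`PE` signature, and the co-location check is what separates a benign installer bundle from the pattern the campaign relies on.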
Infection Chain and Social Engineering
BlindEagle's attacks typically begin with targeted phishing emails that impersonate government organizations, most often notifying the recipient of a traffic fine. The attachments are presented as PDF files but are in fact VBS scripts; once a victim runs one, it starts a multi-stage process that downloads and installs the RAT.
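A mail gateway or analyst can catch the "looks like a PDF, is really a VBS script" attachment with a few independent checks: a double extension whose final component is a script type, a declared MIME type that does not match the file's magic bytes, and VBScript API calls in the body. The example below is added here and is not code from the original article or from any vendor; the sender, subject and attachment names are constructed and hypothetical, and the script body is inert.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows Script Host or the shell will execute directly.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
PDF_MAGIC = b"%PDF-"
# Common VBScript entry points for download-and-execute loaders.
VBS_MARKERS = re.compile(
    rb"\b(CreateObject|WScript\.Shell|ExecuteGlobal|Shell\.Application|MSXML2\.XMLHTTP)\b",
    re.IGNORECASE,
)


def triage_attachment(filename: str, declared_type: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    suffixes = [s.strip().lower() for s in PurePosixPath(filename.strip()).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    # 1. Double extension: "Comparendo.pdf.vbs" displays as "Comparendo.pdf" when
    #    Windows hides known extensions, but runs as a script.
    if len(suffixes) >= 2 and real_ext in SCRIPT_EXTENSIONS:
        findings.append(f"double extension: shown as {suffixes[-2]} but executes as {real_ext}")
    elif real_ext in SCRIPT_EXTENSIONS:
        findings.append(f"script attachment: {real_ext}")
    # 2. Declared MIME type versus actual content.
    if declared_type == "application/pdf" and not data.startswith(PDF_MAGIC):
        findings.append("declared application/pdf but content lacks %PDF- header")
    # 3. Content heuristic, independent of whatever the file is called.
    if VBS_MARKERS.search(data):
        findings.append("VBScript API calls found in body")
    # 4. Whitespace padding used to push the real extension out of view.
    if re.search(r"\s{5,}", filename):
        findings.append("long whitespace run in filename")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report[name] = triage_attachment(name, part.get_content_type(), payload)
    return report


def build_sample_email() -> bytes:
    """Constructed lure shaped like the described traffic-fine notification (hypothetical names)."""
    msg = EmailMessage()
    msg["From"] = "notificaciones@transito.example"
    msg["To"] = "victima@example.com"
    msg["Subject"] = "Notificacion de comparendo pendiente"
    msg.set_content("Adjunto encontrara la notificacion de su multa de transito.")
    # Inert VBScript: instantiates the shell object but runs nothing.
    script = b'Set sh = CreateObject("WScript.Shell")\r\n\' constructed sample, no action\r\n'
    msg.add_attachment(script, maintype="application", subtype="pdf", filename="Comparendo.pdf.vbs")
    msg.add_attachment(b"%PDF-1.7\n% benign decoy\n", maintype="application", subtype="pdf",
                       filename="Instructivo.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_email()).items():
        print(name, "->", findings or "clean")
```

The three checks are deliberately independent so that defeating one (renaming the file, fixing the MIME type, obfuscating the script) does not silence the others; in a gateway deployment the script-extension rule alone is usually worth enforcing as a hard quarantine.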
The growing use of Brazilian file-sharing services and Portuguese-language artifacts in these campaigns points to a widening operational scope and possible new partnerships, and it shows how quickly a group can swap delivery infrastructure without changing its tooling.
As BlindEagle continues to refine its tactics, organizations across Latin America should treat the described chain as a checklist: quarantine or strip script attachments (VBS and other Windows Script Host formats) at the mail gateway, restrict execution of scripts and unsigned DLLs from user-writable and archive-extraction directories through application control, alert on legitimate executables loading DLLs from such locations, keep software and security tooling current, and maintain threat intelligence on the group's infrastructure. Awareness training focused on fake fine and court notifications remains a useful complement, and sharing indicators across the regional security community shortens the window in which each new campaign succeeds.