Summary
APT-C-36, also known as Blind Eagle (BE), is an APT group believed to originate from South America. BE has been attacking Colombian government institutions and companies, including the financial sector, the petroleum industry and manufacturing, and has been active since April 2018. Affected targets include Ecopetrol (the Colombian national oil company), Banco Agrario (a state-owned bank) and IMSA (a Colombian wheel manufacturer). It is possible that BE is also involved in recent geopolitical events on the side of the pro-Maduro government in Venezuela.
Figure 1. Email sent to the Colombian bank Banco de Occidente
Attacks on Colombia
To attack these Colombian institutions, BE sends emails containing phishing URLs or downloadable .rar files.[1] One example of a phishing domain is "diangovcomuiscia[.]com", made to look like the legitimate DIAN (Colombian tax authority) domain "muiscia.dian.gov[.]co". The .rar files are usually password protected, with the password needed to open them included in the body of the email, so the archive cannot be inspected in transit.
Figure 2. Email body containing the password for the .rar file
The senders use proxies and VPNs to hide their originating IP address, which has not yet been identified. The IP addresses they do use are all located in Florida, US (see the Indicators table).[2] The most recent attack, on 14 February 2019, targeted Colombia's National Institute for the Blind and appeared to be sent from Colombia's National Civil Registry.[3] BE's tooling is written with Spanish-language code.
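The delivery pattern described above (an archive attachment whose password is stated in the email body, so that gateway scanners cannot open it) can be checked at the mail gateway. The following Python script is added here as an illustration; it is not part of the original report or of any Wapack Labs tooling. It parses one message, identifies archive attachments by their leading bytes rather than by file name, looks for a password statement in the body and returns a verdict. The sample message, sender addresses, password phrasing and keyword list are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Leading bytes of the archive formats the rule cares about.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")

# Spanish and English phrasings of "the password is ...", capturing the value.
# The keyword list is an assumption for this example, not a vendor signature.
PASSWORD_HINT = re.compile(
    r"\b(?:contrase[ñn]a|clave|password)\b[^:\n]{0,25}[:\s]+(\S{3,32})",
    re.IGNORECASE,
)


def archive_kind(data):
    """Identify an archive by its leading bytes, ignoring the file name."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def analyze(raw):
    """Return findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hint = PASSWORD_HINT.search(text)
    archives = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        kind = archive_kind(data)
        if kind or name.endswith(ARCHIVE_EXTENSIONS):
            archives.append({
                "filename": name,
                "magic": kind,
                # A .pdf name on RAR bytes, or a .rar name on non-archive bytes,
                # is worth flagging on its own.
                "extension_matches": kind is not None and name.endswith("." + kind),
            })
    if archives and hint:
        verdict = "suspicious: archive attached and password given in body"
    elif any(not a["extension_matches"] for a in archives):
        verdict = "suspicious: attachment name does not match its content"
    else:
        verdict = "clean"
    return {"password_hint": hint.group(1) if hint else None,
            "archives": archives, "verdict": verdict}


def build_message(body_text, filename, data, subtype="octet-stream"):
    """Construct a test message; sender, recipient and content are made up."""
    msg = EmailMessage()
    msg["From"] = "notificaciones@example.invalid"
    msg["To"] = "tesoreria@example.invalid"
    msg["Subject"] = "Notificacion"
    msg.set_content(body_text)
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# RAR5 signature followed by padding: enough for the magic check, not a real archive.
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32
LURE = build_message(
    "Adjunto encontrara la demanda. La contraseña del archivo es: Demanda2019",
    "Demanda.rar", FAKE_RAR, "x-rar-compressed")
BENIGN = build_message("Adjunto el informe mensual.", "informe.pdf", b"%PDF-1.4\n", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, analyze(raw)["verdict"])
```

The magic-byte check is deliberately independent of the file name: renaming a RAR to .pdf, or attaching a non-archive with a .rar name, still produces a finding. The rule only reads archive headers and never extracts the attachment, so it cannot be used to crash or exhaust the scanner.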
Involvement in Venezuela
Blind Eagle is also believed to be behind phishing attempts in Venezuela, where BE is trying to hijack the accounts of activists who support Juan Guaidó and oppose Nicolás Maduro. The attackers use a phishing domain to trick users into entering their credentials.
The phishing site, voluntariosvenezuela[.]com, is a lookalike of the real pro-Guaidó site voluntariosxvenezuela[.]com and presents itself as rallying volunteers for the opposition. Users trying to reach the real site are redirected to the phishing site by the state-controlled ISP CANTV,[4] which remains loyal to Maduro.
Conclusion
Blind Eagle is an effective group specializing in phishing emails, primarily attacking Colombia and actively supporting the Maduro regime in Venezuela. The group is believed to be based in South America because of the Spanish-language code in its malware. Until the originating IP address is identified, analysts cannot rule out attribution to an outside country that remains sympathetic to Maduro. Because Blind Eagle is actively attacking Colombia, which opposes the Maduro regime, while conducting pro-Maduro operations, the group may be located inside Venezuela or in a country that continues to support Nicolás Maduro (Cuba, Russia, China, Iran, Turkey, South Africa; in Latin America: Bolivia, Nicaragua, El Salvador and Suriname).
Indicators:
Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
128.90.106.22 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.107.21 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.107.189 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.107.236 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.108.126 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.114.5 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.115.28 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
128.90.115.179 | IP | NA | 02/21/2019 | 02/21/2019 | Florida IP used in phishing campaign | UKN
voluntariosvenezuela[.]com | URL | Delivery | 02/15/2019 | 02/15/2019 | Phishing URL | UKN
diangovcomuiscia[.]com | URL | Delivery | 02/21/2019 | 02/21/2019 | Phishing URL | UKN
About Wapack Labs
Wapack Labs, located in New Boston, NH, is a cyber threat analysis and intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual corporations. For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
[1] RAR is a proprietary archive file format, developed in Russia, that supports data compression, error recovery and file spanning.
[2] https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
[3] https://www.cyberscoop.com/apt-c-36-blind-eagle-colombia/
[4] https://motherboard.vice.com/en_us/article/d3mdxm/venezuela-government-hack-activists-phishing