APT-C-36 / Blind Eagle and Colombia

Summary

APT-C-36, also tracked as Blind Eagle (BE), is an APT group believed to originate in South America.  Since April 2018 BE has been attacking Colombian government institutions and Colombian industry, including the financial sector, the petroleum industry and manufacturing.  Known targets include Ecopetrol (the Colombian oil company), Banco Agrario (a state financial institution) and IMSA (a Colombian wheel manufacturer).  BE may also be involved in recent geopolitical events in support of the pro-Maduro government of Venezuela.

Figure 1. Email sent to a Colombian bank, Banco de Occidente


Attacks on Colombia

To attack these Colombian institutions, BE sends emails that carry phishing URLs or downloadable .rar archives.[1]  One phishing domain, diangovcomuiscia[.]com, is built to resemble the legitimate host of Colombia's tax authority, muiscia.dian.gov[.]co: the labels of the real hostname are simply concatenated into one registrable name under a different top-level domain.  The .rar archives are usually password-protected, with the password needed to open them written into the email body, a common way of keeping the archive contents away from mail-gateway scanners while still letting the victim open them.

Figure 2. Email body with the password for the .rar file

The senders use proxies and VPNs to hide their true IP addresses, which have not yet been identified.  The IP addresses that have been observed, listed in the Indicators table, all geolocate to Florida in the United States.[2]  The most recent attack, on 14 February 2019, targeted Colombia's National Institute for the Blind with email that appeared to come from Colombia's National Civil Registry.[3]  BE's malware is written with Spanish-language code.
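The lure described in this section combines three observable traits: a sender domain that rearranges the labels of a legitimate hostname into one registrable name, a .rar attachment, and the archive password written into the message body.  The following Python is an added example written for this page, not Wapack Labs' tooling or anything recovered from the threat actor.  The protected hostname is the one the report names; the sample message, the Spanish and English password keywords, the extra archive extensions and the 0.6 threshold are assumptions for illustration.

```python
import re
from typing import Dict, List

# Legitimate hostname the report says the lure imitates.
PROTECTED_HOSTNAMES = ["muiscia.dian.gov.co"]
# Assumption: the page only cites .rar; the other extensions are common equivalents.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
# Assumption: keywords a Spanish- or English-language lure would use to hand over the password.
PASSWORD_RE = re.compile(
    r"\b(?:contrase[ñn]a|clave|password)\b\s*(?:es|is)?\s*[:=]?\s*(\S{3,})", re.IGNORECASE)
# Assumption: fraction of borrowed characters at which a domain counts as an impersonation.
LOOKALIKE_THRESHOLD = 0.6


def refang(indicator: str) -> str:
    """Turn a defanged value such as 'dian.gov[.]co' back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def registrant_label(hostname: str) -> str:
    """Label the registrant chose, e.g. 'diangovcomuiscia' in 'diangovcomuiscia.com'.
    Assumption: a one-label public suffix; production code should consult the Public Suffix List."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else hostname


def impersonation_score(candidate: str, legitimate: str) -> float:
    """Fraction of the candidate's registrant label that is assembled from the labels of the
    legitimate hostname, in any order.  1.0 means every character was borrowed."""
    cand, legit = refang(candidate), refang(legitimate)
    # The real host, a subdomain of it, or one of its parent domains is not a look-alike.
    if cand == legit or cand.endswith("." + legit) or legit.endswith("." + cand):
        return 0.0
    label = registrant_label(cand)
    borrowed = sum(len(part) for part in legit.split(".") if len(part) >= 2 and part in label)
    return min(1.0, borrowed / len(label))


def triage_email(sender: str, attachments: List[str], body: str,
                 protected: List[str] = PROTECTED_HOSTNAMES) -> Dict[str, object]:
    """Score one inbound message against the three traits of the lure."""
    sender_domain = refang(sender.rsplit("@", 1)[-1])
    score, target = max((impersonation_score(sender_domain, p), p) for p in protected)
    archives = [a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    password = PASSWORD_RE.search(body)
    findings: Dict[str, object] = {
        "sender_domain": sender_domain,
        "lookalike_of": target if score >= LOOKALIKE_THRESHOLD else None,
        "lookalike_score": round(score, 2),
        "archive_attachments": archives,
        "password_in_body": password.group(1) if password else None,
    }
    # Either trait alone is enough: a look-alike sender, or an archive whose password ships in the body.
    suspicious = findings["lookalike_of"] is not None or (bool(archives) and password is not None)
    findings["verdict"] = "suspicious" if suspicious else "clean"
    return findings


# Constructed sample modelled on the lure described in the report; not a real message.
SAMPLE_EMAIL = dict(
    sender="notificaciones@diangovcomuiscia[.]com",
    attachments=["Notificacion_DIAN_2019.rar"],
    body="Estimado contribuyente, adjunto encontrará la notificación.\nContraseña: 2019",
)

if __name__ == "__main__":
    print(triage_email(**SAMPLE_EMAIL))
```

The label-borrowing score deliberately ignores the top-level domain, so the check catches the concatenation trick the actor used (diangovcomuiscia under .com) without flagging dian.gov.co itself or its subdomains.  Short labels such as "co" can appear in innocent names, which is why a threshold rather than any single match decides the verdict.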

Involvement in Venezuela

Blind Eagle is also believed to be behind phishing attempts in Venezuela, aimed at the accounts of supporters of Juan Guaidó who oppose Nicolás Maduro.  The attackers use a phishing domain to trick users into entering their credentials.

The phishing site, voluntariosvenezuela[.]com, mimics the real pro-Guaidó volunteer site voluntariosxvenezuela[.]com (the only difference is the missing "x") and poses as a sign-up page for the activist movement.  Users trying to reach the real site are redirected to the phishing site by the state-controlled ISP CANTV,[4] which remains pro-Maduro.  The victim therefore does not have to mistype anything: a correctly entered address still lands on the attacker's page, so the look-alike name only needs to survive a glance at the address bar.

Conclusion

Blind Eagle is an effective group specializing in phishing emails, primarily attacking Colombia while also supporting the Maduro government in Venezuela.  The group is believed to be South American because its malware is coded in Spanish.  Until a true source IP address is identified, analysts cannot rule out that the operation is run from outside the region by a country sympathetic to Maduro.  Because Blind Eagle actively attacks Colombia, which opposes the Maduro government, and conducts pro-Maduro operations, the group may be inside Venezuela or in a country that continues to support Nicolás Maduro (Cuba, Russia, China, Iran, Turkey, South Africa, and in Latin America: Bolivia, Nicaragua, El Salvador and Suriname).

Indicators:

Indicator                   Type  Kill_Chain_Phase  First_Seen  Last_Seen   Comments                              Attribution
--------------------------  ----  ----------------  ----------  ----------  ------------------------------------  -----------
128.90.106.22               IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.107.21               IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.107.189              IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.107.236              IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.108.126              IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.114.5                IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.115.28               IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
128.90.115.179              IP    NA                02/21/2019  02/21/2019  Florida IP used in phishing campaign  UKN
voluntariosvenezuela[.]com  URL   Delivery          02/15/2019  02/15/2019  Phishing URL                          UKN
diangovcomuiscia[.]com      URL   Delivery          02/21/2019  02/21/2019  Phishing URL                          UKN

Dates are MM/DD/YYYY.  Kill_Chain_Phase NA = not assigned; Attribution UKN = unknown.  Domain indicators are defanged with "[.]" and must be refanged before use.
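To make the table actionable, the following Python is an added example written for this page (not a Wapack Labs tool) that refangs the indicators above and runs them over proxy log lines.  The log format and the four sample lines are constructed for illustration.  Domains match on the exact name or any subdomain of it, so the legitimate voluntariosxvenezuela.com and muiscia.dian.gov.co do not trigger, while www.diangovcomuiscia.com does.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators transcribed from the table above, still defanged as published.
INDICATORS: Dict[str, str] = {
    "128.90.106.22": "Florida IP used in phishing campaign",
    "128.90.107.21": "Florida IP used in phishing campaign",
    "128.90.107.189": "Florida IP used in phishing campaign",
    "128.90.107.236": "Florida IP used in phishing campaign",
    "128.90.108.126": "Florida IP used in phishing campaign",
    "128.90.114.5": "Florida IP used in phishing campaign",
    "128.90.115.28": "Florida IP used in phishing campaign",
    "128.90.115.179": "Florida IP used in phishing campaign",
    "voluntariosvenezuela[.]com": "Phishing URL",
    "diangovcomuiscia[.]com": "Phishing URL",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the table so the value can be compared with log data."""
    return indicator.replace("[.]", ".").strip().lower()


def load_indicators(raw: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the table into an IP map and a domain map, rejecting malformed entries."""
    ips: Dict[str, str] = {}
    domains: Dict[str, str] = {}
    for ioc, comment in raw.items():
        value = refang(ioc)
        try:
            ips[str(ipaddress.ip_address(value))] = comment
        except ValueError:
            if HOST_RE.fullmatch(value):
                domains[value] = comment
            else:
                raise ValueError(f"unrecognised indicator: {ioc!r}")
    return ips, domains


def match_line(line: str, ips: Dict[str, str], domains: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (kind, value seen in the log, indicator comment) for every hit on one line.
    Domains match on the registered name and any subdomain of it, never on near-miss spellings."""
    hits: List[Tuple[str, str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip, ips[ip]))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom, comment in domains.items():
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", host, comment))
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every log line through the indicator set; only lines with hits are returned."""
    ips, domains = load_indicators(INDICATORS)
    results: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line, ips, domains)
        if hits:
            results.append({"line": n, "hits": hits, "text": line})
    return results


# Constructed proxy log lines (not real traffic).  Lines 3 and 4 are legitimate sites
# that resemble the indicators and must stay clean.
SAMPLE_LOG = [
    "2019-02-21T09:12:03Z 10.0.0.15 GET http://www.diangovcomuiscia.com/formulario.php 200",
    "2019-02-21T09:12:04Z 10.0.0.15 CONNECT 128.90.107.21:443",
    "2019-02-21T09:15:11Z 10.0.0.22 GET https://muiscia.dian.gov.co/ 200",
    "2019-02-21T09:16:40Z 10.0.0.31 GET http://voluntariosxvenezuela.com/ 200",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result["line"], result["hits"])
```

The suffix rule ("." + domain) is what keeps the real voluntariosxvenezuela.com from matching voluntariosvenezuela.com: the two names differ by one character but neither is a subdomain of the other.  Look-alike detection is a separate problem from indicator matching and should not be folded into an IOC sweep, where a fuzzy match would generate alerts on the very sites the victims are trying to reach.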


About Wapack Labs

Wapack Labs, located in New Boston, NH, is a cyber threat analysis and intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations.  For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.

[1] RAR is a proprietary archive file format, developed in Russia, that supports data compression, error recovery and file spanning.

[2] https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

[3] https://www.cyberscoop.com/apt-c-36-blind-eagle-colombia/

[4] https://motherboard.vice.com/en_us/article/d3mdxm/venezuela-government-hack-activists-phishing
