A financially motivated threat actor group tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Cyber threat investigators offer new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the kill chain.
The group also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018. Blind Eagle's operations have been documented by Trend Micro in September 2021, when it described a spear-phishing campaign primarily aimed at Colombian entities that's designed to deliver a commodity malware known as BitRAT, with a lesser focus towards targets in Ecuador, Spain, and Panama.
Attack chains commence with phishing emails containing a booby-trapped link that, when clicked, leads to the deployment of an open source Trojan named Quasar RAT with the ultimate goal of gaining access to the victim's bank accounts. Quasar RAT is a .NET framework open-source remote access trojan family used in cyber-criminal and cyber-espionage campaigns to target Windows operating system devices. It is often delivered via malicious attachments in phishing and spear-phishing emails.
Some of targeted banks consists of Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion. Should the email recipient be located outside of Colombia, the attack sequence is aborted and the victim is redirected to the official website of the Colombian border control agency, Migración Colombia.
A related campaign singling out both Colombia and Ecuador masquerades as the latter's Internal Revenue Service (SRI) and makes use of a similar geo-blocking technology to filter out requests originating from other countries. This attack, rather than dropping a RAT malware, employs a more complex multi-stage process that abuses the legitimate mshta.exe binary to execute VBScript embedded inside an HTML file to ultimately download two Python scripts.
The first of the two, ByAV2.py, is an in-memory loader engineered to run a Meterpreter payload in DLL format. mp.py is also a Meterpreter artifact, only it's programmed in Python, indicating that the threat actor could be using one of them as a redundant method to retain backdoor access to the host. Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as Meterpreter injects itself into the compromised process, from which it can migrate to other running processes. As a result, the forensic footprint of an attack is very limited. Meterpreter was designed to circumvent the drawbacks of using specific payloads, while enabling the writing of commands and ensuring encrypted communication. The disadvantage of using specific payloads is that alarms may be triggered when a new process starts in the target system.
Metepreter was originally written for Metasploit 2.x by Skape, a hacker moniker used by Matt Miller. Common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. "Blind Eagle is a strange bird among APT groups," the researchers concluded. "Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage.” The development comes days after Qualys disclosed that an unknown adversary is leveraging personal information stolen from a Colombian cooperative bank to craft phishing emails that result in the deployment of BitRAT.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
source: https://thehackernews.com/2023/01/blind-eagle-hackers-return-with-refined.html
Comments