Blind Eagle APT Hunts Banking Victims in Colombia, EcuadorHacking Group Returns With Updated Tools and Infection Chain
Hacking group Blind Eagle returned from its hiatus and is conducting an ongoing campaign directed at Spanish-speaking targets in Colombia and Ecuador.
The advanced persistent threat actor's end goal is to intercept and gain access to victims' bank accounts, for which an updated open-source Trojan named QuasarRAT is being deployed, cybersecurity firm Check Point says.
The list of banks and other entities targeted in this campaign includes: Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA Net Cash, Colpatria, Davivienda and TransUnion.
Trend Micro in September 2021 revealed the modus operandi of Blind Eagle, which is primarily focused on attacking Colombian government entities.
Based on Trend Micro's report, the APT is traditionally known to leverage publicly available remote access tools and Trojans such as njRAT, imminent monitor, ProyectoRAT, Warzone RAT, Async RAT, Lime RAT, Remcos RAT and BitRAT. Over time, the APT switches from one RAT to another. Continuing that trend, Blind Eagle is now using a modified version of the QuasarRAT, Check Point researchers say.
The attack begins with phishing emails containing a booby-trapped link that deploys a Trojan named Quasar RAT.
The APT used a geo-filter server in one campaign that redirects requests made from outside of Ecuador and Colombia to the website of the Ecuadorian Internal Revenue Service, suggesting the APT's targeting focus.
The campaign not only drops a RAT but also employs a more complex infection chain. It abuses the legitimate
mshta.exe binary to execute VBScript embedded in an HTML file to ultimately download two Python scripts, which adds a new stage in the infection chain.
The first of the two,
ByAV2.py, is an in-memory loader that runs a Meterpreter payload in DLL format.
Mp.py is another sample of Meterpreter entirely written in Python. The purpose of the two scripts may be that if one of the samples gets detected by an antivirus solution and removed, the other can still be executed, the researchers say.
"For the last few months, we have been observing the ongoing campaigns orchestrated by Blind Eagle, which have mostly adhered to the TTPs described above," the researchers say. This includes phishing emails purporting to be from the Colombian Ministry of Foreign Affairs that threaten the recipient with issues related to leaving the country without settling bureaucratic matters.
The malicious scripts of Blind Eagle APT enable the threat actor to maintain a persistent backdoor in the victims' systems. But "judging by its tool set and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage," the researchers say.