Blind Eagle [1] [3], also known as APT-C-36 [2] [3], is a persistent threat actor targeting entities and individuals in Latin American nations since at least 2018 [3].

Description

The group demonstrates adaptability in operational goals [2], switching between intelligence gathering and monetary gain [2]. Blind Eagle primarily targets Colombia and employs spear-phishing lures [2], DLL sideloading [1] [2], and modular malware loaders to distribute remote access trojans like AsyncRAT, BitRAT [3], Lime RAT [3], NjRAT [3], Quasar RAT [3], and Remcos RAT [3]. The group uses process injection techniques to execute the trojans in the memory of legitimate processes [3], evading detection [3]. Blind Eagle leverages social engineering, public infrastructure [2], and basic obfuscation techniques for efficient distribution and execution of malicious payloads [2]. Modified versions of open-source RATs give Blind Eagle flexibility to modify campaigns for cyber espionage or financial credential theft [3]. The group remains a significant threat in the region due to its adaptability and effectiveness in executing cyber espionage and financial credential theft campaigns [3], introducing new tactics [2], techniques [1] [2] [3], and procedures such as Portuguese-language artifacts and HijackLoader [2]. In their latest espionage campaign targeting individuals and organizations from Colombia [1], Blind Eagle introduced updates including a new espionage plugin and the use of legitimate Brazilian file-hosting sites during the infection process [1]. The group is increasingly leaving artifacts in Portuguese in their malicious code [1], whereas previously [1], they predominantly used Spanish [1]. Additionally, Blind Eagle launched a separate campaign that employs the DLL sideloading technique [1], which is uncharacteristic of the actor.

Conclusion

Blind Eagle’s adaptability and effectiveness in executing cyber espionage and financial credential theft campaigns pose a significant threat in the region. Mitigations should focus on enhancing cybersecurity measures and awareness to counter the group’s tactics. Future implications include the need for continued monitoring and adaptation to combat evolving threats from Blind Eagle.

References

[1] https://www.kaspersky.com/about/press-releases/2024_kaspersky-identifies-blindeagles-new-spy-plugin
[2] https://cyberpress.org/new-apt-group-blindeagle-strikes-organizations/
[3] https://thehackernews.com/2024/08/blind-eagle-hackers-exploit-spear.html