News B!te: APT-C-36 Targets Colombia With New Spear-Phishing Campaign
On Feb. 20, the BlackBerry Research & Intelligence team observed a new spear-phishing campaign in which the threat group APT-C-36, also known as Blind Eagle, impersonated Colombia's national tax agency to gain access to targets' machines. The campaign targeted key sectors in Colombia, including health, finance, law enforcement, immigration, and an agency in charge of peace negotiations in the country.
Who is Blind Eagle?
Blind Eagle is a South American espionage group that has been actively targeting Latin America-based entities since at least 2019. The group relies on spear-phishing emails sent to specific, strategically chosen organizations. The initial infection vector is typically a PDF attachment sent by email.
APT-C-36's targets include health, public-sector, financial, judiciary, and law enforcement entities in Colombia. Over the last few months we have seen Blind Eagle activity, specifically the distribution of UUE files under a variety of themes, in Colombia, Ecuador, Chile, and Spain.
This is consistent with the group's use of Spanish in its spear-phishing emails. Most countries in South America use Spanish (Brazil being the main exception), which matches the threat actor's locale and the 'Sender' names used in the bait document.
Analysis of Spear-Phishing Campaign
In the campaign uncovered by BlackBerry, Blind Eagle sent targeted phishing emails to the official email address listed on the “Contact Us” page of the Bogotá Chamber of Commerce website. Bogotá is the capital of Colombia.
The email's subject line reads "Obligaciones pendientes - DIAN N.2023-6980070- 39898001". DIAN is Colombia's tax and customs authority, the Dirección de Impuestos y Aduanas Nacionales. APT-C-36 has regularly used DIAN in its spear-phishing lures over the years. "Obligaciones pendientes" means "outstanding obligations", a lure crafted to catch the attention of unsuspecting, law-abiding recipients.
The phishing lure states that the recipient is “45 days in arrears” on a tax payment and tells the target to click a link to view their invoice, which comes in the form of a password-protected PDF.
The link in the bait document masquerades as DIAN's real domain, dian.gov.co. The hyperlink, however, actually leads the target to dian.server[.]tl, a completely different domain controlled by the threat actor: the familiar "dian" label is only a subdomain of server[.]tl, placed there so the address looks legitimate at a glance. Blind Eagle carefully crafted this fake webpage to deceive the victim into believing they are interacting with the real DIAN.
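The mismatch described above (link text naming one domain while the href points at another) is mechanically detectable. The following Python is an added example, not code from the BlackBerry report: it pulls every anchor out of an HTML email body, extracts the domain a reader would see in the link text, and compares its registered domain with the registered domain of the real href. The sample email, the path on the lookalike host and the tiny public-suffix table are constructed for this illustration; a production check would use the full Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a minimal stand-in for the Public Suffix List, just enough to
# treat "dian.gov.co" (not "gov.co") as the registered domain.
MULTI_LABEL_SUFFIXES = {"gov.co", "com.co", "edu.co", "org.co", "co.uk", "com.br", "com.mx"}

# Something that looks like a hostname or URL inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def refang(s: str) -> str:
    """Turn defanged indicators (hxxp://, [.]) back into their resolvable form."""
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def registered_domain(host: str) -> str:
    """Approximate eTLD+1: last two labels, or three for known two-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_link_mismatches(html: str) -> list:
    """Return anchors whose visible domain differs from the domain the href really targets."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        m = HOST_RE.search(text)
        if not m:
            continue  # plain-language link text; nothing to compare against
        target_host = urlparse(refang(href)).hostname or ""
        if not target_host:
            continue  # relative or empty href, out of scope here
        shown, actual = registered_domain(m.group(1)), registered_domain(target_host)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body: one spoofed link (defanged, as in a threat report),
# one genuine link, and one link with non-URL text.
SAMPLE_EMAIL_HTML = """
<p>Consulte su factura en
   <a href="https://dian.server[.]tl/consulta">https://www.dian.gov.co/</a></p>
<p><a href="https://www.dian.gov.co/">https://www.dian.gov.co/</a></p>
<p><a href="https://www.dian.gov.co/contacto">Contáctenos</a></p>
"""

if __name__ == "__main__":
    for f in find_link_mismatches(SAMPLE_EMAIL_HTML):
        print(f"link text shows {f['shown']} but href goes to {f['actual']}: {f['href']}")
```

The check deliberately compares registered domains rather than full hostnames, so a legitimate `www.dian.gov.co` link labelled `dian.gov.co` is not flagged, while `dian.server.tl` is, because its registered domain is `server.tl`.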
The fake DIAN webpage contains a ‘download’ button the victim is encouraged to click in order to download a PDF to view what the site claims to be an overdue tax invoice. Instead, clicking the button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam.
The final goal of the chain is to load AsyncRAT, downloaded from Discord onto the user's machine, into memory. AsyncRAT is one of the most popular open-source remote access trojans (RATs) on the threat landscape today.
A RAT installed on a victim's machine lets the threat actor connect to the infected endpoint whenever they like and perform whatever operations they want; in short, it provides persistent remote access. Blind Eagle mainly uses AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT in its campaigns.
Finally, the victim's machine begins communicating with the attacker's command-and-control (C2) server, reached through a DuckDNS dynamic-DNS hostname, to receive and execute commands, exfiltrate information, and perform any other action the threat actor desires.
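The network side of this chain (a payload fetched from the Discord CDN, followed shortly by resolution of a DuckDNS hostname from the same endpoint) is something a SOC can hunt for in proxy and DNS logs. The Python below is an added example written for this page, not from the BlackBerry report: it parses constructed proxy and DNS records, flags Discord CDN downloads that are not ordinary media, flags lookups in dynamic-DNS zones, and raises severity when both occur on one host within a short window. The log format, IP addresses, file name and DuckDNS hostname are all constructed, and the dynamic-DNS zone list is intentionally partial.

```python
import re
from datetime import datetime, timedelta

# Discord's attachment hosts; the campaign abused this CDN for payload delivery.
DISCORD_CDN_RE = re.compile(r"^https?://(?:cdn|media)\.discordapp\.(?:com|net)/", re.I)
# Extensions that have no business being served as an "invoice" (assumed list).
PAYLOAD_EXTS = (".exe", ".dll", ".uue", ".zip", ".rar", ".iso", ".lnk",
                ".vbs", ".js", ".ps1", ".bat", ".msi", ".scr")
BENIGN_TYPES = ("image/", "video/", "audio/")
# Partial list of dynamic-DNS zones; DuckDNS is the one used in this campaign.
DDNS_ZONES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")
WINDOW = timedelta(minutes=15)

# Constructed sample logs: "<ts> <src> <method> <url> <content-type> <bytes>"
PROXY_LOG = """\
2023-02-20T14:02:11Z 10.1.5.23 GET https://dian.server[.]tl/ text/html 18234
2023-02-20T14:02:40Z 10.1.5.23 GET https://cdn.discordapp.com/attachments/111/222/Factura_DIAN.pdf.uue application/octet-stream 1048576
2023-02-20T14:10:02Z 10.1.5.40 GET https://cdn.discordapp.com/attachments/333/444/meme.png image/png 20488
"""
# Constructed sample DNS log: "<ts> <src> <qname> <answer>" (TEST-NET addresses)
DNS_LOG = """\
2023-02-20T14:03:05Z 10.1.5.23 example-c2.duckdns.org 203.0.113.77
2023-02-20T13:00:00Z 10.1.5.40 www.dian.gov.co 198.51.100.5
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, src, method, url, ctype, size = line.split()
        rows.append({"ts": _ts(ts), "src": src, "method": method,
                     "url": url.replace("[.]", "."), "ctype": ctype, "size": int(size)})
    return rows


def parse_dns(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, src, qname, answer = line.split()
        rows.append({"ts": _ts(ts), "src": src,
                     "qname": qname.lower().rstrip("."), "answer": answer})
    return rows


def is_payload_download(ev: dict) -> bool:
    """Discord CDN fetch whose name or content type says 'not a picture'."""
    if not DISCORD_CDN_RE.match(ev["url"]):
        return False
    path = ev["url"].split("?", 1)[0].lower()
    risky_name = path.endswith(PAYLOAD_EXTS)
    non_media = not ev["ctype"].lower().startswith(BENIGN_TYPES)
    return risky_name or non_media


def is_ddns_lookup(ev: dict) -> bool:
    """Query for a name under a known dynamic-DNS zone (exact label match)."""
    q = ev["qname"]
    return any(q == z or q.endswith("." + z) for z in DDNS_ZONES)


def correlate(proxy_rows: list, dns_rows: list) -> list:
    """One alert per suspicious Discord download; 'high' if the same host
    then resolved a dynamic-DNS name within WINDOW (the AsyncRAT C2 pattern)."""
    lookups = [e for e in dns_rows if is_ddns_lookup(e)]
    alerts = []
    for d in (e for e in proxy_rows if is_payload_download(e)):
        chain = [l for l in lookups
                 if l["src"] == d["src"] and timedelta(0) <= l["ts"] - d["ts"] <= WINDOW]
        alerts.append({"src": d["src"], "download": d["url"],
                       "severity": "high" if chain else "medium",
                       "c2_hosts": sorted({l["qname"] for l in chain})})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_proxy(PROXY_LOG), parse_dns(DNS_LOG)):
        print(a)
```

Neither signal is damning on its own: Discord attachments and dynamic DNS both have legitimate uses, which is why the example only escalates when the two appear in sequence on the same source host.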
APT-C-36 continues to concentrate its operations on Spanish-speaking countries, with its main targets being government institutions and other organizations primarily based in Colombia.
The use of specific tools and artifacts, along with the type and configuration of the network infrastructure documented in this report, combined with the tactics, techniques and procedures (TTPs) used to deploy them, all closely align with previously attributed campaigns by this group.
That, coupled with the geolocation and nature of the targets seen in this campaign, leads us to assess with at least moderate confidence that this campaign was conducted by APT-C-36.
This campaign continues to operate for the apparent purposes of information theft and espionage. The modus operandi has mostly stayed the same as in Blind Eagle's previous efforts. It is very simple, which suggests the group is comfortable launching campaigns via spear-phishing emails and confident in them because they continue to work.
Over the next few months, we will likely continue to see new targets for this group, using new ways to deceive their victims.
The full technical report on this Blind Eagle campaign, including MITRE ATT&CK® mapping, attack flow, and applied countermeasures including YARA rules, is available on the BlackBerry Blog.