Latin America Faces a Persistent Threat


BlindEagle APT-C-36: A Persistent Threat in Latin America

BlindEagle, also known as APT-C-36, has been making waves in Latin America with its sophisticated cyber attack techniques targeting governmental institutions, financial companies, and other organizations. Researchers have identified the group’s recent espionage campaigns in Colombia, where they focused on individuals and organizations, with the majority of victims coming from this region.

During their attacks in Colombia, BlindEagle utilized Portuguese artifacts in their operations, a departure from their usual Spanish artifacts. They also incorporated Brazilian image hosting sites, suggesting potential third-party involvement to enhance their operations. The group’s phishing campaigns in June featured a new modular malware loader called “HijackLoader” and employed tactics like DLL sideloading to infiltrate systems.

The phishing emails sent by BlindEagle mimicked Colombia’s judicial institutions, luring victims with malicious attachments disguised as demand notices or court summons. Once opened, these attachments would download malware onto the victim’s system from attacker-controlled servers. The group also implemented geolocation filtering to redirect non-targeted victims to official websites, making detection and analysis more challenging.

BlindEagle’s adaptability is a key strength, as they utilize various open-source Remote Access Trojans (RATs) like njRAT, LimeRAT, and AsyncRAT, modifying them to suit their needs. They have even repurposed espionage malware for financial attacks, showcasing their flexibility in achieving their objectives.

Overall, BlindEagle’s evolving tactics and willingness to improve their attack methods pose a significant threat to entities and individuals in Latin America. Their use of URL shorteners, public infrastructure, and complex attack chains makes them a formidable adversary in the cybersecurity landscape.
