Kaspersky identifies BlindEagle’s new spy plugin

The BlindEagle APT (Advanced Persistent Threat) group has introduced several updates in one of their latest espionage campaigns targeting individuals and organizations from Colombia, the Kaspersky Global Research and Analysis team (GReAT) has reported. The updates include a new espionage plugin and the use of legitimate Brazilian file-hosting sites during the infection process. The group is increasingly leaving artifacts in Portuguese in their malicious code, whereas previously, they predominantly used Spanish. Kaspersky also observed BlindEagle launching a separate campaign that employs the DLL sideloading technique, uncharacteristic of the actor.

The BlindEagle group, known since 2018, has recently advanced its spying methods. Rotating among different open-source remote access trojans (RATs), the threat actor has chosen njRAT as their core tool in one of the latest campaigns in May 2024. This malware enables keylogging, webcam access, theft of machine details, screenshot capture, application monitoring and other spying activities, but it has been updated with additional attack capabilities: the trojan now supports a special plugin extension that allows the execution of binaries and .NET files. The potential scope of this plugin includes executing additional espionage modules and collecting more sensitive information.

“The actual impact of this update is yet to be seen. Threat actors may target a wide range of sensitive information. In past campaigns, the group has used modules to filter the victim’s location, obtain detailed system information, such as installed applications, disable antivirus software, and inject malicious payloads like Meterpreter,” explains Leandro Cuozzo, Security Researcher at Kaspersky Global Research and Analysis Team (GReAT).

New infection process and a growing trend of using Portuguese in malicious code

To deliver the malware and the new plugin, the attackers first compromise the system through spear phishing. They send emails impersonating a government entity, notifying victims of a fake traffic fine. The email carries a malicious attachment that appears to be a PDF but is actually a Visual Basic Script (VBS) that, through a multi-stage chain of actions, drops the spying malware onto the victim’s machine.

In this campaign, Kaspersky researchers observed that the dropper increasingly contains artifacts in the Portuguese language, particularly in variables, function names, and comments.

“There is a growing trend for BlindEagle to use Portuguese, suggesting that the group is possibly collaborating with external threat actors. Previously, Spanish was predominant in their artifacts, but in last year’s campaigns, the group started to use some functions and variable names in Portuguese increasingly. In this campaign, Portuguese is used extensively. Besides using Portuguese, the group has started using Brazilian domains for multi-stage malware loading, supporting the theory that they may be working with someone outside the ‘team’,” elaborates Leandro Cuozzo.

The group used a Brazilian image hosting site to stage the malicious code delivered to victims’ machines, where previously they relied on services such as Discord or Google Drive. The malicious script runs a command that downloads images from the newly employed hosting site; the images carry embedded malicious code, which is extracted and executed on the victim’s computer.

One of the images with obfuscated code downloaded into victims’ machines
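One way to triage images of this kind, as an added example that is not part of the original article nor code from BlindEagle or Kaspersky: the article does not say how the code is embedded, so the script below assumes, as a working hypothesis, the common case where the payload is appended after the image’s terminating marker (JPEG EOI or PNG IEND), which leaves a file that still opens as a picture. It walks the real chunk/segment structure rather than searching for the last end marker, so a trailer that happens to contain one is not missed. The sample images and the appended “stage” are constructed inline for an offline run.

```python
"""Flag image files that carry data after the format's end-of-image marker.

Added example (not BlindEagle's code nor Kaspersky's tooling). Assumption: the
hidden stage is appended after the image's end marker (JPEG EOI / PNG IEND).
The sample images and trailers below are constructed, not real samples.
"""
import base64
import string
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks and return the offset just past the IEND chunk's CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4            # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments, including entropy-coded scan data, and return the
    offset just past the EOI marker (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                              # EOI
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                    # standalone markers, no length
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        pos += seg_len                                  # length field counts itself
        if marker == 0xDA:                              # SOS: scan data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte, FF FF a fill, FF D0-D7 a restart marker;
                # anything else after FF is a real marker that ends the scan.
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (empty for a clean file)."""
    if data.startswith(PNG_SIG):
        return data[png_end_offset(data):]
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_end_offset(data):]
    raise ValueError("unsupported image type")


def classify_trailer(trailer: bytes) -> str:
    """Rough triage of a trailer: 'none', 'base64', 'text' or 'binary'."""
    if not trailer:
        return "none"
    compact = b"".join(trailer.split())
    if len(compact) >= 32 and all(chr(b) in B64_ALPHABET for b in compact):
        return "base64"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailer)
    return "text" if printable / len(trailer) > 0.9 else "binary"


def scan_images(files: dict) -> dict:
    """Map file name -> (trailer length, classification) for files with a trailer."""
    findings = {}
    for name, data in files.items():
        trailer = trailing_payload(data)
        if trailer:
            findings[name] = (len(trailer), classify_trailer(trailer))
    return findings


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


# Constructed minimal images (not real samples) so the script runs offline.
CLEAN_PNG = PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + (2 + 5).to_bytes(2, "big") + b"JFIF\x00"                 # APP0
              + b"\xff\xda" + (2 + 6).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"  # SOS
              + b"\x12\xff\x00\x34\xff\xd0\x56"   # scan data with a stuffed FF 00 and an RST0
              + b"\xff\xd9")
# Hypothetical appended stage: a base64 blob a dropper would decode and run.
APPENDED_B64 = base64.b64encode(b"constructed placeholder for a second-stage script")
STAGED_JPEG = CLEAN_JPEG + b"\n" + APPENDED_B64
STAGED_PNG = CLEAN_PNG + b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"  # PE-like trailer

if __name__ == "__main__":
    print(scan_images({"clean.png": CLEAN_PNG, "clean.jpg": CLEAN_JPEG,
                       "staged.jpg": STAGED_JPEG, "staged.png": STAGED_PNG}))
```

Run it against a directory of downloaded images by reading each file into the `files` dict; a non-empty trailer classified as `base64` or `text` is the kind of carrier worth pulling into a sandbox, while `binary` trailers deserve a look for embedded executables. A clean file from either format yields an empty trailer.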

“In today’s rapidly evolving digital landscape, the prevalence of sophisticated cyber-espionage campaigns underscores the critical need for organizations and individuals to remain ever vigilant and fortified against emerging threats,” says Leandro Cuozzo. “The continuous evolution of malicious tactics demands a proactive approach to cybersecurity. This includes leveraging robust threat intelligence and cutting-edge detection technologies as well as fostering a culture of cyber-awareness and resilience.”

Kaspersky also observed BlindEagle launching a separate campaign in June 2024 that employs DLL sideloading, a technique in which a legitimate, signed executable is made to load a malicious Dynamic Link Library (DLL) placed alongside it, which is uncharacteristic for this threat actor. As the initial vector, the group sent purported “documents” that were actually malicious PDF or DOCX files and tricked victims into clicking embedded links to download fictitious lawsuit documents. Those downloads were ZIP files containing the executable that initiated the infection through sideloading, along with the other malicious files used in the attack chain. The final payload was a version of AsyncRAT that the group had used in several earlier campaigns.

BlindEagle (a.k.a. APT-C-36) is an APT group known for its simple yet effective attack techniques and methods. The group is known for persistent campaigns aimed at organizations and individuals in Colombia, Ecuador and other countries in Latin America. It has targeted entities from multiple sectors, including governmental institutions, energy and oil-and-gas organizations and financial companies, among others. Known for rotating among different open-source RATs, such as njRAT, Lime-RAT or BitRAT, the group’s main purpose is to spy on victims and steal financial information. It demonstrates adaptability in shaping the objectives of its cyberattacks and has shown the versatility to move between purely financial attacks and espionage operations.

In espionage campaigns conducted in May and June, 87 percent of the targeted individuals and organizations were in Colombia, particularly from the government, education, health, and transportation sectors, though not limited to these.
