The hacking group known as Blind Eagle, also called APT-C-36, has been discovered conducting a new phishing campaign against a range of key industries in Colombia. The campaign also included Ecuador, Chile, and Spain. The targeted entities include health, financial, law enforcement, immigration, and an agency in charge of peace negotiations in Colombia.
The phishing emails impersonate the Colombian government tax agency and urge recipients to settle outstanding obligations, using links that lead to files posing as PDFs but that are actually malware.
The spear-phishing emails include a link to a malicious file hosted on the Discord content delivery network (CDN). When the target clicks the blue button in the lure, a Visual Basic Script (VBS) is executed; it retrieves a .NET-based DLL file that then loads AsyncRAT into memory.
This gives Blind Eagle on-demand access to the infected endpoint, allowing it to connect and carry out operations at will. The threat actor also uses dynamic DNS services such as DuckDNS to remotely commandeer the compromised hosts.
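The infection chain described above (a lure link on the Discord CDN, a VBS stage launched by the Windows script host, and a DuckDNS domain for command and control) is the kind of sequence a defender can look for in proxy, process-creation and DNS telemetry. The following Python script is an added example written for this article, not BlackBerry's detection content and not derived from the campaign's actual indicators; the regular expressions, tag names, and the sample log lines (including the hostname `example-host.duckdns.org` and the filename `factura.pdf.vbs`) are constructed for illustration.

```python
import re
from typing import Dict, List

# Each pattern corresponds to one stage of the chain described in the article.
# They are illustrative assumptions about log formats, not published indicators.
DISCORD_CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/\S+", re.I)
VBS_EXEC_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.vbs\b", re.I)
DUCKDNS_RE = re.compile(r"\b[\w-]+\.duckdns\.org\b", re.I)


def classify_line(line: str) -> List[str]:
    """Return the list of chain stages a single log line matches (possibly empty)."""
    tags = []
    if DISCORD_CDN_RE.search(line):
        tags.append("discord_cdn_download")   # lure file fetched from Discord CDN
    if VBS_EXEC_RE.search(line):
        tags.append("vbs_script_host_exec")   # wscript/cscript running a .vbs
    if DUCKDNS_RE.search(line):
        tags.append("duckdns_c2_lookup")      # dynamic-DNS domain resolved
    return tags


def scan_logs(lines: List[str]) -> List[Dict]:
    """Scan a sequence of log lines and return the lines that matched, with tags."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        tags = classify_line(line)
        if tags:
            findings.append({"line_no": line_no, "tags": tags, "line": line.strip()})
    return findings


def chain_score(findings: List[Dict]) -> int:
    """Number of distinct chain stages observed; 3 means every described stage was seen."""
    stages = {tag for finding in findings for tag in finding["tags"]}
    return len(stages)


# Constructed sample telemetry (proxy, Sysmon-style process creation, DNS).
# These lines are made up for this example and are not real captured data.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 proxy allow user=jdoe "
    "url=https://cdn.discordapp.com/attachments/111/222/factura.pdf.vbs",
    "2024-01-01T10:00:05 sysmon ProcessCreate Image=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=\"wscript.exe C:\\Users\\jdoe\\Downloads\\factura.pdf.vbs\"",
    "2024-01-01T10:00:09 dns query name=example-host.duckdns.org type=A client=10.0.0.7",
    "2024-01-01T10:01:00 proxy allow user=asmith url=https://www.example.com/index.html",
]

if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for finding in results:
        print(finding["line_no"], finding["tags"])
    print("chain stages observed:", chain_score(results))
```

The value of correlating the three stages rather than alerting on any one of them is that each signal is noisy on its own (Discord CDN downloads and DuckDNS lookups both occur legitimately); seeing all three from the same host inside a short window is far more specific to the chain described here.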
BlackBerry researchers suggest that Blind Eagle is comfortable with its methods, which continue to work, given that the modus operandi has remained the same as in previous campaigns.
The researchers believe that the hacking group is Spanish-speaking, given the use of the language in the spear-phishing emails. However, it is unclear whether the motive behind the attacks is espionage or financial gain, and the location of the threat actor is also unknown.
BlackBerry warns that organizations must remain vigilant in protecting themselves from such attacks, including using multi-factor authentication, keeping software up to date, and conducting regular security awareness training for employees to prevent spear-phishing attacks.