A South American cyberespionage group has been observed impersonating a Colombian government tax agency in recent attacks against key industries in the country, BlackBerry reports.
Tracked as APT-C-36 and Blind Eagle, the threat actor has been active since at least 2019, mainly focused on organizations in Colombia and Ecuador, but also targeting entities in Chile and Spain.
As part of a new campaign in late February, Blind Eagle was seen targeting Colombian organizations in the financial, health, immigration and law enforcement sectors, and a peace negotiation agency in the country.
The attack vector was a spear-phishing email with a PDF attachment, which uses the official email address of the Bogota Chamber of Commerce. To evade spam filters, the attackers used the ‘Bcc’ (Blind Carbon Copy) field instead of the ‘To’ field in their emails.
The message informs the recipient of alleged ‘outstanding obligations’, claiming they are behind with a tax payment and encouraging them to click on a link in the invoice, which is attached to the email as a password-protected PDF.
The link masquerades as the official URL for the website of Colombia’s Directorate of National Taxes and Customs, but instead redirects to a bogus website where the victim is encouraged to view another PDF, which initiates the download of a file from the Discord content delivery network (CDN).
Delivered in the form of a RAR archive, the file contains a VBS script that executes PowerShell code to ultimately infect the victim’s device with the AsyncRAT remote access trojan (RAT). Blind Eagle was also seen using njRAT, LimeRAT, QuasarRAT, and RemcosRAT in its attacks.
The threat actor uses Dynamic DNS (DDNS) services to connect their RATs to the command-and-control (C&C) infrastructure.
Previously seen attacks employed similar tactics, techniques & procedures (TTPs), with Blind Eagle impersonating other Colombian government branches and relying on password-protected ZIP or RAR archives to infect the intended victim with QuasarRAT.
“This campaign continues to operate for the purposes of information theft and espionage. The modus operandi used has mostly stayed the same as the group’s previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work,” BlackBerry concludes.
Related: Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption
Related: Chinese Cyberspies Target Telecom Companies in America, Asia, Europe
Related: Enterprises in Americas, Europe Targeted With Valak Information Stealer