Ongoing hacking campaigns orchestrated by the threat actor group Blind Eagle (also known as APT-C-36) have been spotted targeting individuals across South America.
Security experts from Check Point Research (CPR) unveiled the findings in a new advisory published on Thursday, describing a novel infection chain involving an advanced toolset.
“For the last few months, we have been observing the ongoing campaigns orchestrated by Blind Eagle, which have mostly adhered to the [tactics, techniques and procedures] TTPs described above — phishing emails pretending to be from the Colombian government,” the team wrote.
“One typical example is an email purportedly from the Ministry of Foreign Affairs, threatening the recipient with issues when leaving the country unless they settle a bureaucratic matter.”
According to CPR, the malicious emails included a link and a PDF file directing the unfortunate victim to the same link.
The incoming HTTP request is analyzed upon clicking on the link to check whether it originates from outside Colombia.
If it does, the server aborts the infection chain and redirects the client to the real website for the migration department of the Colombian Ministry of Foreign Affairs. If the incoming request arrives from Colombia, however, the infection chain proceeds as scheduled.
“The server responds to the client with a file for download. This is a malware executable hosted on the file-sharing service MediaFire,” CPR explained.
“The file is compressed, similar to a ZIP file, using the LHA algorithm. It is password-protected, making it impervious to naive static analysis and even naive sandbox emulation. The password is found both in the email and in the attached PDF.”
The executable inside the archive is a modified sample of QuasarRAT featuring several new features, including functions to activate and deactivate the system proxy.
Another variant was spotted by CPR targeting Ecuador and impersonating the Ecuadorian Internal Revenue Service.
“This latest campaign targeting Ecuador highlights how, over the last few years, Blind Eagle has matured as a threat — refining their tools, adding features to leaked code bases, and experimenting with elaborate infection chains and ‘Living off the Land,’” reads the CPR advisory.
“If what we’ve seen is any indication, this group is worth keeping an eye on so that victims aren’t blindsided by whatever clever thing they try next.”
The advisory comes weeks after Colombian healthcare provider Keralty reported a ransomware attack in December 2022.