Security researchers have flagged a significant threat group known as Blind Eagle. The group has attacked organizations and individuals across Latin America, including Colombia, Ecuador, Chile, and Panama, targeting many sectors, among them government bodies, banks, and energy companies.
Kaspersky’s report states, “Blind Eagle shows a noteworthy ability to adjust its attack goals. It shifts between attacks focused on financial gain and those involving espionage.” This suspected Spanish-speaking group, also called APT-C-36, has been operating since at least 2018. It is known to use spear-phishing to deliver several readily available remote access trojans, including AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
The phishing emails carry a PDF or Microsoft Word attachment that contains the same URL, sometimes padded with extra details to make the message look urgent and legitimate. The link initially leads to an attacker-controlled website, but only after a check that the visitor comes from one of the target countries; visitors from elsewhere are sent to the real website of the company being impersonated.
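The geofenced redirect described above can only be confirmed by fetching the lure from several countries and comparing where each visit lands; a sandbox whose egress sits outside the target countries sees nothing but the impersonated company's real site. The following added example (not code from the report or from Kaspersky) models that comparison over constructed observations; the lure, attacker and bank hostnames are placeholders, and the `Observation` and `analyse` names are the example's own.

```python
"""Flag geofenced (cloaked) phishing links from redirect chains seen at several vantage points.

Added example, not code from the report. It models the behaviour described in the article:
visitors from the target countries reach the attacker's page, everyone else is forwarded to
the impersonated company's real site. All hostnames and observations below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlsplit

# Target countries named in the report, as ISO 3166-1 alpha-2 codes.
TARGET_COUNTRIES = {"CO", "EC", "CL", "PA"}


@dataclass(frozen=True)
class Observation:
    vantage_country: str              # country of the egress IP that fetched the link
    redirect_chain: Tuple[str, ...]   # URLs visited in order; the last one is the landing page

    @property
    def final_host(self) -> str:
        host = urlsplit(self.redirect_chain[-1]).hostname
        return (host or "").lower()


def analyse(observations: Iterable[Observation]) -> Dict[str, object]:
    """Compare landing hosts seen from target-country vantages with the rest.

    cloaked      : target-country visitors land on a host non-target visitors never see
    suspect_hosts: those hosts (candidates for the attacker-controlled site)
    blind_spot   : no target-country vantage was used, so cloaking cannot be ruled out
    """
    obs = list(observations)
    target_hosts: Set[str] = {o.final_host for o in obs if o.vantage_country in TARGET_COUNTRIES}
    other_hosts: Set[str] = {o.final_host for o in obs if o.vantage_country not in TARGET_COUNTRIES}
    suspect = target_hosts - other_hosts
    return {
        "cloaked": bool(suspect) and bool(other_hosts),
        "suspect_hosts": suspect,
        "target_hosts": target_hosts,
        "other_hosts": other_hosts,
        "blind_spot": not target_hosts,
    }


# Constructed observations: the same lure URL fetched from four countries.
LURE = "http://lure.example/invoice"
SAMPLE = [
    Observation("CO", (LURE, "http://attacker-site.example/login")),
    Observation("EC", (LURE, "http://attacker-site.example/login")),
    Observation("US", (LURE, "https://www.bank.example/")),
    Observation("DE", (LURE, "https://www.bank.example/")),
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
    # Fetching only from outside the target countries shows the benign site and nothing else.
    print(analyse(SAMPLE[2:]))
```

The `blind_spot` flag is the practical takeaway: if none of your vantage points is in a target country, a "clean" verdict says nothing about the link, so analysis of this group's lures needs an egress in the region or the redirect decision will never be exercised.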
Kaspersky stated, “This geographic redirection stops new malicious sites from getting flagged and makes it harder to hunt down and examine these attacks.” The initial dropper arrives in a ZIP file containing a Visual Basic Script (VBS) that fetches further payloads from a remote server. Those servers vary widely, ranging from image hosting sites to trusted platforms such as Discord and GitHub.
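A first-stage dropper of the kind described above (a script inside a ZIP that fetches and runs something from a remote host) can be triaged without executing it by looking for the scripting objects that perform the fetch and the launch. The following added example (not code from the report or from Kaspersky) does that over an in-memory archive with constructed members; the indicator regexes are the example's own heuristic, the Discord and GitHub domains are listed only because the report names those platforms as payload hosts, and the member names and URL path are placeholders, not indicators of compromise.

```python
"""Triage a ZIP attachment for script droppers that download and run further payloads.

Added example, not code from the report. The indicators are the generic Windows scripting
objects used for HTTP fetches, file writes and process launches; the trusted-host list
reflects the platforms named in the report. The archive and its members are constructed.
"""
import io
import re
import zipfile
from typing import Dict, List
from urllib.parse import urlsplit

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

INDICATORS = {
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "exec": re.compile(r"WScript\.Shell|Shell\.Application|\bpowershell\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.I)
# Platforms the report names as payload hosts; legitimate services, so a hint, not a verdict.
TRUSTED_HOSTS = ("discord.com", "discordapp.com", "github.com", "githubusercontent.com")


def trusted_host_hits(urls: List[str]) -> List[str]:
    hits = set()
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        for d in TRUSTED_HOSTS:
            if host == d or host.endswith("." + d):
                hits.add(d)
    return sorted(hits)


def triage_script(name: str, text: str) -> Dict[str, object]:
    """Score one script by which download/write/execute primitives it references."""
    hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
    urls = URL_RE.findall(text)
    if "http_client" in hits and "exec" in hits:
        verdict = "download-and-execute"
    elif hits or urls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"member": name, "verdict": verdict, "indicators": hits,
            "urls": urls, "trusted_hosts": trusted_host_hits(urls)}


def triage_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per script member of the archive; other members are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings.append(triage_script(info.filename, text))
    return findings


# Constructed members: a fragment carrying fetch-and-launch indicators, and a harmless script.
DROPPER_VBS = """' constructed fragment used to exercise the heuristic; not a working script
Set req = CreateObject("MSXML2.XMLHTTP")
payload = "https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/picture.png"
Set sh = CreateObject("WScript.Shell")
"""
HELLO_VBS = 'MsgBox "Hola"\n'


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura.pdf.vbs", DROPPER_VBS)   # double extension, a common lure pattern
        zf.writestr("hello.vbs", HELLO_VBS)
        zf.writestr("readme.txt", "not a script")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

String matching of this kind is a triage aid, not a detection: an obfuscated script hides the object names behind `Chr()` calls or string concatenation, so a `clean` verdict on a script that still contains long encoded strings or `Execute` calls deserves a look in a sandbox with an in-region egress.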
The second-stage malware is obfuscated with techniques such as steganography and arrives as a DLL or .NET injector. This component then contacts another malicious server to retrieve the final RAT stage. Kaspersky said, “The group utilizes process injection methods for executing RATs in the memory space of legitimate processes thereby avoiding detection efforts based on those processes.”
“Their preferred trick is called process hollowing. It works like this: they start a real process but keep it paused. Then they wipe its memory, put in their own nasty code, and let it run.” Blind Eagle favours modified open-source RATs because the modifications let it switch objectives, whether to spy or to steal login credentials for Colombian banks whenever a browser window title matches strings configured in the malware.
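The hollowing sequence quoted above leaves a recognisable trace: the process still reports the legitimate executable as its image, but the memory at that image base is no longer an image mapping of that file. The following added example (not code from the report or from Kaspersky) turns that into a check over constructed memory-map snapshots; the `Region` and `ProcessSnapshot` types are the example's own simplification of what `VirtualQueryEx` and a PEB read would return on a live host, and the paths and addresses are placeholders.

```python
"""Heuristic check for a hollowed process from a snapshot of its memory map.

Added example, not code from the report. On a live Windows host the fields would come from
the PEB (reported image path and ImageBaseAddress), VirtualQueryEx (region type and
protection) and a read of each region's first bytes; here they are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    kind: str                           # simplified MEM_* type: "image", "mapped" or "private"
    protect: str                        # simplified protection: letters from R, W, X
    mapped_path: Optional[str] = None   # backing file for image/mapped regions
    pe_header: bool = False             # region starts with an "MZ" header


@dataclass(frozen=True)
class ProcessSnapshot:
    pid: int
    image_path: str    # executable the process reports (PEB / on disk)
    image_base: int    # ImageBaseAddress the process reports
    regions: List[Region]


def region_at(snap: ProcessSnapshot, addr: int) -> Optional[Region]:
    for r in snap.regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def assess(snap: ProcessSnapshot) -> Dict[str, object]:
    """Return findings that suggest the reported image was replaced in memory.

    Primary signal: the memory at the reported image base is not an image-backed mapping of
    the reported executable. Secondary signal: a PE header in private executable memory.
    """
    findings: List[str] = []
    main = region_at(snap, snap.image_base)
    if main is None:
        findings.append("reported image base is not mapped")
    elif main.kind != "image":
        findings.append(f"image base region is {main.kind} memory, not an image mapping")
    elif (main.mapped_path or "").lower() != snap.image_path.lower():
        findings.append(f"image base is backed by {main.mapped_path!r}, not the reported executable")
    for r in snap.regions:
        if r.kind == "private" and r.pe_header and "X" in r.protect:
            findings.append(f"PE header in private executable memory at 0x{r.base:x}")
    return {"pid": snap.pid, "suspicious": bool(findings), "findings": findings}


# Constructed snapshots; paths and addresses are placeholders, not indicators.
HOST_EXE = r"C:\Windows\System32\notepad.exe"
BENIGN = ProcessSnapshot(
    pid=1001, image_path=HOST_EXE, image_base=0x7FF600000000,
    regions=[
        Region(0x7FF600000000, 0x40000, "image", "RX", HOST_EXE, pe_header=True),
        Region(0x1A0000, 0x20000, "private", "RW"),
    ],
)
HOLLOWED = ProcessSnapshot(
    pid=1002, image_path=HOST_EXE, image_base=0x7FF600000000,
    regions=[
        # the original image was unmapped and the base now holds private RWX memory with a PE header
        Region(0x7FF600000000, 0x60000, "private", "RWX", None, pe_header=True),
        Region(0x1A0000, 0x20000, "private", "RW"),
    ],
)

if __name__ == "__main__":
    for snap in (BENIGN, HOLLOWED):
        print(assess(snap))
```

The secondary signal is the same idea behind Volatility's `malfind`, and it fires on legitimate software too (JIT runtimes and some packers keep PE images in private executable memory), so treat it as a lead to pivot from; the primary signal, a reported image base that is not an image mapping of the reported file, is far more specific to hollowing.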
In the same vein, the group has modified NjRAT to log keystrokes and take screenshots to collect sensitive information, and has added a mechanism for loading further plugins from external servers to extend what the malware can do.
These modifications also shape how attacks are staged. In June 2024, AsyncRAT was distributed through another tool called Hijack Loader, which shows how adaptable the operators are and how they keep adding new methods to sustain their operations.
“Even though Blind Eagle’s tactics might look simple,” Kaspersky said, “they work well enough to keep the group very busy.” Through continuous online espionage and attempts to steal financial login credentials, Blind Eagle remains a significant threat in the region.