The Blind Eagle threat actor group is targeting Colombian government agencies, financial institutions, Colombian branches of multinational corporations, and other Colombian corporations in the petroleum industry, professional manufacturing, etc., with a new attack campaign.
Spearphishing emails
The threat group targets Colombian organizations with spear-phishing emails that contain password-protected RAR attachments. The phishing emails purported to be from Colombian national institutions such as the National Directorate of Taxes and Customs, the National Administrative Department of Statistics, the Colombian National Cyber Police, the Office of the Attorney General, Colombia Migration, and the Colombian National Civil Registry.
All the malicious document attachments in the phishing emails were MHTML files with malicious macros embedded, given a .doc suffix to evade detection.
“Attackers like to use spear-phishing email with a password-protected RAR attachment to avoid being detected by the email gateway. The decryption password is provided in the mail body, and inside the attachment it is an MHTML macro-based document with the .doc suffix. Its purpose is to implant the Imminent backdoor and gain a foothold in the target network, which may make the follow-up lateral movement easier to implement,” researchers said.
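As an added example (not code from the 360 report), this is the check a mail gateway or sandbox could apply to flag the trick described above: an attachment named .doc whose bytes are actually MHTML, and whose editdata.mso part decodes to an ActiveMime blob, which is where Word stores an embedded VBA project in MHTML-saved documents. The sample document below is constructed, not a captured one.

```python
import base64
import email
from email import policy

# Constructed MHTML "Word document" that would arrive named invoice.doc.
# The editdata.mso part carries the base64 ActiveMime container that holds macros.
SAMPLE_MHTML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
    "\r\n"
    "------=_NextPart_01\r\n"
    "Content-Location: file:///C:/doc.htm\r\n"
    'Content-Type: text/html; charset="windows-1252"\r\n'
    "\r\n"
    "<html><body>Factura adjunta</body></html>\r\n"
    "------=_NextPart_01\r\n"
    "Content-Location: file:///C:/doc_files/editdata.mso\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Type: application/x-mso\r\n"
    "\r\n"
    + base64.b64encode(b"ActiveMime\x00\x00" + b"\x00" * 20).decode() + "\r\n"
    "------=_NextPart_01--\r\n"
)


def is_mhtml(data: bytes) -> bool:
    """A real .doc starts with the OLE magic (D0 CF 11 E0); MHTML starts with MIME headers."""
    head = data[:2048].lower()
    return b"mime-version:" in head or b"content-type: multipart/related" in head


def analyse_doc(filename: str, data: bytes) -> dict:
    """Return flags: is it MHTML, does it embed an ActiveMime (macro) part, is the name misleading."""
    findings = {"filename": filename, "mhtml": False, "activemime": False, "suspicious": False}
    if not is_mhtml(data):
        return findings
    findings["mhtml"] = True
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        location = (part.get("Content-Location") or "").lower()
        if part.get_content_type() == "application/x-mso" or location.endswith(".mso"):
            payload = part.get_payload(decode=True) or b""
            if payload.startswith(b"ActiveMime"):
                findings["activemime"] = True
    # MHTML content behind a .doc/.dot name is the mismatch this campaign relies on.
    findings["suspicious"] = filename.lower().endswith((".doc", ".dot"))
    return findings
```

A .doc that is MHTML is already worth quarantining; the ActiveMime flag tells the analyst that a macro project is present without opening the file in Word.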
List of targets and spoofed sources
The latest attack was on February 14, 2019. The attack targeted the Colombian National Institute for the Blind with a phishing email pretending to be from the Colombian National Civil Registry.
29 malicious documents and 62 Trojan samples
360 Threat Intelligence Center closely observed the attack campaign, analyzed all the phishing emails and captured 29 malicious documents, 62 Trojan samples, and multiple malicious domains.
“After analyzing the last modified time of the encrypted documents, the character set (locale) of the MHTML files, the author names used by attackers, as well as elements like geopolitics in APT attacks, 360 Threat Intelligence Center suspects the attackers come from South America and are in the UTC-4 time zone (or adjacent ones),” researchers said.
“After analyzing the mail, we found that the attacker used approaches such as proxies and VPNs to hide its IP address when sending emails. So the sender’s real IP has not yet been obtained; we were only able to figure out that these messages are sent through IDCs in Florida, USA,” researchers added.