Kaspersky Finds New Attack Method From BlindEagle APT Group

Illustration of the APT BlindEagle group (photo: Kaspersky)

JAKARTA - The Kasperskyq Global Research and Analysis Team (GReAT) found that the BlindEagle APT (Advanced Persistent Threat) group had introduced several updates in one of its spy campaigns targeting individuals and organizations from Colombia.

The BlindEagle group, known since 2018, has changed its spy method, among open source long-distance access Trojans (RAT), threat actors have chosen njRAT as their core tool in one of the latest campaigns in May 2024.

This malware allows button recording, webcam access, machine details theft, screenshots, app monitoring, and other spy activity.

The real impact of this update is not yet visible. This threat actor can target a variety of sensitive information, "explained Leandro Cu jurisprudence, Security Researcher at Kaspersky Global Research and Analysis Team (GReAT).

To send new malware andevaporation, the attacker first infected the system using spear phishing or sending fake emails to the victim.

The email includes an attachment that looks like a PDF but is actually a malicious Visual Basic Script (VBS) that spreads spy malware (spy) to the victim's computer in a series of actions.

The group used a Brazilian image hosting site to enter malicious codes into victims' computers. Previously, they used services such as Discord or Google Drive.

With this update, Kaspersky also discovered where the group is increasingly leaving artifacts in Portuguese in their malicious code, where previously, they used Spanish more.

The malicious script carries out an order to download images from the newly used image hosting site, containing a malicious code extracted and run on the victim's computer.

Kaspersky also watched BlindEagle launch a separate campaign in June 2024, using DLL sideloading techniques, a method used to execute malicious codes through Windows Dynamic Link Libraries (DLL), which is unusual for threat actors.

As the initial vector, the group sent a "document" which was actually a dangerous PDF or DOCX file, and tricked the victim into clicking on the embedded link to download the fictitious document.

BlindEagle (APT-C-36) is an APT group known for its simple but effective attack techniques and methods, targeting and individuals in Colombia, Ecuador, and other Latin American countries.