Skip to main content

The BlindEagle group, known since 2018, has recently advanced its spying methods. Rotating among different open-source remote access trojans (RATs), the threat actor has chosen njRAT as their core tool in one of the latest campaigns in May 2024. This malware enables keylogging, webcam access, theft of machine details, screenshot capture, application monitoring and other spying activities, but it has been updated with additional attack capabilities: the trojan now supports a special plugin extension that allows the execution of binaries and .NET files. The potential scope of this plugin includes executing additional espionage modules and collecting more sensitive information.

The actual impact of this update is yet to be seen. Threat actors may target a wide range of sensitive information. In past campaigns, the group has used modules to filter the victim’s location, obtain detailed system information, such as installed applications, disable antivirus software, and inject malicious payloads like Meterpreter,” explains Leandro Cuozzo, Security Researcher at Kaspersky Global Research and Analysis Team (GReAT).

New infection process and a growing trend of using Portuguese in malicious code

To deliver the malware and new plugin, attackers first infect the system using spear phishing. They send emails impersonating a government entity, notifying victims of a fake traffic fine. The email includes a malicious attachment that appears to be a PDF but is actually a malicious Visual Basic Script (VBS) which drops spying malware onto the victim’s machine in a series of actions.

In this campaign, Kaspersky researchers observed that the dropper increasingly contains artifacts in the Portuguese language, particularly in variables, function names, and comments.

There is a growing trend for BlindEagle to use Portuguese, suggesting that the group is possibly collaborating with external threat actors. Previously, Spanish was predominant in their artifacts, but in last year’s campaigns, the group started to use some functions and variable names in Portuguese increasingly. In this campaign, Portuguese is used extensively. Besides using Portuguese, the group has started using Brazilian domains for multi-stage malware loading, supporting the theory that they may be working with someone outside the ‘team’,” elaborates Leandro Cuozzo.

The group used a Brazilian image hosting site to drop the malicious code onto the victims’ machines. Previously, they utilized services like Discord or Google Drive. The malicious script executes a command to download images from the newly-employed image hosting site, containing malicious code that is extracted and executed on the victim’s computer.

One of the images with obfuscated code downloaded into victims’ machines

One of the images with obfuscated code downloaded into victims’ machines

In today’s rapidly evolving digital landscape, the prevalence of sophisticated cyber-espionage campaigns underscores the critical need for organizations and individuals to remain ever vigilant and fortified against emerging threats,” says Leandro Cuozzo. “The continuous evolution of malicious tactics demands a proactive approach to cybersecurity. This includes leveraging robust threat intelligence and cutting-edge detection technologies as well as fostering a culture of cyber-awareness and resilience”.

Kaspersky also witnessed BlindEagle launching a separate campaign in June 2024, employing the DLL sideloading technique – a method used to execute malicious code via Windows’ Dynamic Link Libraries (DLLs), which is uncharacteristic for the threat actor. As an initial vector, the group sent purported “documents” that were actually malicious PDF or DOCX files, and tricked victims into clicking on embedded links to download fictitious lawsuit documents. These documents were ZIP files containing an executable that initiated infection through sideloading, along with various malicious files used in the attack chain. The threat actors chose a version of AsyncRAT used previously in several campaigns.

BlindEagle (a.k.a. APT-C-36) is an APT group known for its simple yet effective attack techniques and methods. The group is known for their persistent campaigns aimed at organizations and individuals in Colombia, Ecuador and other countries in Latin America. They have been targeting entities from multiple sectors, including governmental institutions, energy and oil-and-gas organizations, financial companies, among others. Known for rotating its use of different open-source RATs, such as njRAT, Lime-RAT, or BitRAT, the group’s main purpose is to spy on victims and steal financial information. It demonstrates adaptability in shaping the objectives of its’ cyberattacks and has shown the versatility to move between purely financial attacks and espionage operations. 

In espionage campaigns conducted in May and June, 87 percent of the targeted individuals and organizations were in Colombia, particularly from the government, education, health, and transportation sectors, though not limited to these.

Read more on Securelist. For a deeper immersion in the ever-evolving world of cyber threats and insightful networking, join Kaspersky’s Security Analyst Summit (SAS), which will take place for the sixteenth time from October 22-25, 2024, in Bali.

To remain protected from the threat, researchers recommend following these rules:

  • It's important for everyone, especially those who may be targets of espionage, to stay alert. Threat actors disguise themselves as government agencies, but those entities typically don’t reach out to individuals by email for legal notifications. The same goes for banks and financial institutions, which frequently serve as a guise for threat actors to lure victims into clicking malicious content. Upon receiving such a request, always double-check its legitimacy. Stay safe by being cautious and verifying the authenticity of any unexpected emails.
  • Messages from official organizations, such as banks, tax agencies, online shops, travel agencies, airlines, and so on, also require scrutiny; even internal messages from your own office. It’s not that difficult to fabricate a fake letter that looks legitimate.
  • Install a trusted security solution and follow its recommendations. Then, secure solutions will solve most problems automatically and alert you if needed.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Kaspersky identifies BlindEagle’s new spy plugin

The BlindEagle APT (Advanced Persistent Threat) group has introduced several updates in one of their latest espionage campaigns targeting individuals and organizations from Colombia, the Kaspersky Global Research and Analysis team (GReAT) has reported. The updates include a new espionage plugin and the use of legitimate Brazilian file-hosting sites during the infection process. The group is increasingly leaving artifacts in Portuguese in their malicious code, whereas previously, they predominantly used Spanish. Kaspersky also observed BlindEagle launching a separate campaign that employs the DLL sideloading technique, uncharacteristic of the actor.
Kaspersky Logo