A South American cyberespionage group has delivered malware to over 1,600 victims in Colombia in a recent campaign, Check Point reports.
Tracked as Blind Eagle and APT-C-36, and active since 2018, the advanced persistent threat (APT) actor is known for targeting government, financial, and critical infrastructure organizations in Colombia and Ecuador.
The threat actor mainly relies on phishing emails containing malicious attachments or URLs to deliver remote access trojans (RATs) such as NjRAT, AsyncRAT, and Remcos, and recently expanded its arsenal with additional commodity malware, including a variant of PureCrypter.
In December 2024, the threat actor was seen targeting CVE-2024-43451, an NTLM vulnerability that Microsoft patched in November 2024, after a suspected Russian threat actor had exploited it as a zero-day in attacks against Ukrainian entities.
The security defect can be triggered by simple user interactions with the URL file containing the malicious code, such as a right-click, drag-and-drop, or deletion operation. Successful exploitation could lead to an attacker retrieving a user’s NTLMv2 hash.
According to Check Point, roughly six days after Microsoft announced patches for CVE-2024-43451, Blind Eagle expanded its arsenal with a variant of the exploit for this vulnerability.
“While this variant does not actually expose the NTLMv2 hash, it notifies the threat actors that the file was downloaded by the same unusual user-file interactions. On devices vulnerable to CVE-2024-43451, a WebDAV request is triggered even before the user manually interacts with the file with the same unusual behavior,” Check Point explains.
Clicking on the malicious URL file, even on patched systems, triggers the download and execution of the next-stage payload, the cybersecurity firm notes.
Blind Eagle used the exploit in attacks against numerous public and private organizations in Colombia and infected more than 1,600 with its malware.
Over a period of two months, the threat actor changed more than 10 command-and-control (C&C) servers as part of these attacks, and in late January was seen distributing the malicious URL files using potentially compromised Google Drive accounts.
The infection chain included the in-memory execution of a variant of PureCrypter, which harvested system and user information and downloaded the Remcos RAT from a GitHub repository. In December, two Bitbucket repositories were used to host the RAT.
“Blind Eagle remains one of the most active and dangerous threat actors in Latin America, with a particular focus on Colombia’s public and private sectors. The group’s scale and persistence are evident, with over 1,600 infections recorded from a single campaign,” Check Point notes.
Related: New Windows Zero-Day Exploited by Chinese APT: Security Firm
Related: Spy v Spy: Russian APT Turla Caught Stealing From Pakistani APT
Related: Russian APT Chained Firefox and Windows Zero-Days Against US and European Targets
Related: North Korean APT Exploited IE Zero-Day in Supply Chain Attack