Full Report
The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66. Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its
Analysis Summary
# Threat Actor: Blind Eagle
## Attribution & Identity
* **Primary Name:** Blind Eagle
* **Aliases/Associated Groups:** AguilaCiega, APT-C-36, APT-Q-98
* **Association:** Attributed with high confidence to using infrastructure provided by the Russian bulletproof hosting service Proton66.
## Activity Summary
Blind Eagle is actively targeting entities in South America, particularly Colombia, using a multi-stage attack that starts with phishing and ends with the deployment of Remote Access Trojans (RATs). The operations use domains resolving to infrastructure hosted on Proton66 and rely on DDNS services (such as DuckDNS) to complicate detection through subdomain rotation. The campaign described here centers on hosting phishing pages and initial access scripts on Proton66-linked infrastructure.
## Tactics, Techniques & Procedures
* **Initial Access:** Use of Visual Basic Script (VBS) files as the initial attack vector/loader.
* **Phishing:** Deployment of deceptive websites mimicking legitimate Colombian banks to harvest user credentials.
* **Evasion/Obfuscation:** Overlaps found in VBS code analysis suggest the use of Vbs-Crypter, associated with the "Crypters and Tools" service, to obfuscate and pack payloads to avoid detection.
* **Payload Delivery:** VBS scripts act as loaders, retrieving encrypted executable files from remote servers for second-stage deployment.
* **Command and Control (C2):** Utilizing dynamic DNS (DDNS) services (e.g., DuckDNS) to host malicious content, rotating subdomains tied to a single IP address to maintain persistence and hinder tracking.
## Targeting
* **Sectors:** Financial institutions/Banks.
* **Geography:** South America, specifically Colombia and Ecuador.
* **Victims:** Colombian banks, including Bancolombia, BBVA, Banco Caja Social, and Davivienda.
## Tools & Infrastructure
* **Malware Families Used:** Off-the-shelf Remote Access Trojans (RATs); the examples named are AsyncRAT and Remcos RAT.
* **Infrastructure (C2, domains, IPs):**
  * **Hosting Service:** Proton66 (Russian bulletproof hosting).
  * **DDNS Usage:** DuckDNS (e.g., domains like `gfast.duckdns[.]org`, `njfast.duckdns[.]org`).
  * **Observed IP:** 45.135.232[.]38 (associated with Proton66).
* **Other Tools:** Vbs-Crypter for obfuscation.
## Implications
Blind Eagle maintains a high operational tempo by leveraging bulletproof hosting services like Proton66, which ignore abuse reports, allowing them to operate C2s and phishing sites continuously. Their focus on financial institutions in Colombia suggests a financially motivated objective or espionage tailored to regional economic interests. The use of commodity RATs bundled with social engineering via phishing makes the threat accessible and effective against less technically savvy users within target organizations.
## Mitigations
* Implement enhanced web filtering and network monitoring to detect connections to known Proton66 IP ranges or suspicious DuckDNS domains.
* Strongly enforce multi-factor authentication (MFA) to mitigate credential harvesting via phishing sites.
* Audit security awareness training, specifically focusing on recognizing highly customized phishing lures targeting local financial institutions.
* Implement application whitelisting or advanced endpoint detection and response (EDR) capable of monitoring and blocking execution of legacy scripting languages like VBScript, especially when used to download executables.
* Monitor for the characteristic behavior of known RATs like AsyncRAT and Remcos RAT on the network.
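The DDNS subdomain rotation described under Command and Control, and the network-monitoring mitigation above, can be turned into a simple resolver-log check. The following is an added example, not code from the report or from Trustwave: it groups DuckDNS lookups by the IP they resolve to, flags any IP that is a known Proton66 indicator (the 45.135.232.38 address from the report) or that collects several distinct DDNS names, and lists the internal clients that queried them. The log line format and the sample lines are constructed assumptions; adapt the regex to your resolver's actual format.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (assumed format, not from the report):
# "<timestamp> <client-ip> <query-name> A <answer-ip>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.12 gfast.duckdns.org A 45.135.232.38
2024-05-01T10:02:14 10.0.0.12 njfast.duckdns.org A 45.135.232.38
2024-05-01T10:05:30 10.0.0.19 abcfast.duckdns.org A 45.135.232.38
2024-05-01T10:07:02 10.0.0.23 www.example.com A 93.184.216.34
2024-05-01T10:09:45 10.0.0.23 homecam.duckdns.org A 203.0.113.7
"""

# Indicator taken from the report: the Proton66 IP observed in this campaign.
PROTON66_IPS = {"45.135.232.38"}
DDNS_SUFFIXES = (".duckdns.org",)
# Distinct DDNS names resolving to one IP before we call it rotation (assumed threshold).
ROTATION_THRESHOLD = 2

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_dns_log(text):
    """Yield (timestamp, client, qname, answer_ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def is_ddns(qname):
    return qname.lower().endswith(DDNS_SUFFIXES)

def detect_ddns_rotation(text):
    """Map answer IP -> {subdomains, clients, known_proton66} for every IP that is a
    known Proton66 indicator or the target of ROTATION_THRESHOLD+ distinct DDNS names."""
    by_ip = defaultdict(lambda: {"subdomains": set(), "clients": set()})
    for _ts, client, qname, ip in parse_dns_log(text):
        if is_ddns(qname):
            by_ip[ip]["subdomains"].add(qname.lower())
            by_ip[ip]["clients"].add(client)
    findings = {}
    for ip, info in by_ip.items():
        known = ip in PROTON66_IPS
        if known or len(info["subdomains"]) >= ROTATION_THRESHOLD:
            findings[ip] = {**info, "known_proton66": known}
    return findings

if __name__ == "__main__":
    for ip, f in detect_ddns_rotation(SAMPLE_DNS_LOG).items():
        print(ip, sorted(f["subdomains"]), sorted(f["clients"]), f["known_proton66"])
```

Hosts in the `clients` set for a flagged IP are the ones to triage first for VBS loader activity and RAT behaviour.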