Full Report
Trustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. Blind Eagle is a threat actor actively targeting organizations across Latin America, with a notable focus on Colombian financial institutions.
Analysis Summary
# Threat Actor: Blind Eagle
## Attribution & Identity
The threat actor is identified as **Blind Eagle**. The analysis ties their activity to specific infrastructure elements associated with "Proton66"; attribution beyond this operational link is not specified in the provided excerpt.
## Activity Summary
The ongoing activity demonstrates a pattern of compromises achieved with unsophisticated infrastructure coupled with phishing lures tailored to specific regional targets. Colombian financial institutions remain a primary focus, but the overall pattern suggests an **increasing capability to scale operations across the Latin American (LATAM) region.**
## Tactics, Techniques & Procedures
- Use of **phishing** lures tailored to specific regional targets.
- Deployment of **VBS files**.
- Use of **C2 panels** that were publicly accessible via open directories.
- Lack of effort toward **segmentation or concealment** of infrastructure.
## Targeting
- **Sectors:** Financial sector (Colombian financial institutions specifically mentioned).
- **Geography:** Latin American (LATAM) region, with a primary focus on Colombia.
- **Victims:** Financial organizations within LATAM.
## Tools & Infrastructure
- **Malware families used:** VBS files (implied malicious scripts).
- **Infrastructure (C2, domains, IPs):** C2 panels and VBS files were found publicly accessible via open directories, showing minimal segmentation. *No specific defanged URLs or IPs were included in the provided text.*
## Implications
Blind Eagle represents a persistent, low-sophistication threat that achieves success through well-executed, regionally focused phishing campaigns. Their continued ability to scale across LATAM suggests a rising threat level for financial institutions in the region that may overlook less technically complex threats.
## Mitigations
- Maintain heightened vigilance for banking-themed emails.
- Enforce robust email filtering.
- Regularly train staff to identify localized phishing techniques.
- Utilize advanced email filtering solutions (e.g., Trustwave MailMarshal) to detect and block malicious emails containing harmful attachments or links.
- Proactively monitor for regionally targeted infrastructure and threat indicators.