Check Point Research has detected a series of ongoing cyberattacks targeting Colombian institutions and government entities. The attacks have been traced back to the notorious cyber threat group Blind Eagle (aka APT-C-36), which is believed to originate from South America.
Blind Eagle is an advanced persistent threat (APT) group with a long history of cyber espionage and criminal activity. The group, which has been operational since 2018, primarily targets government institutions, financial organizations, and critical infrastructure in Colombia and other Latin American countries.
The threat actor relies on phishing as its primary method of intrusion, sending emails with malicious attachments or links to unsuspecting victims. Once a victim clicks the link or opens the attachment, malware is deployed onto their system. Among the tools commonly used by Blind Eagle are Remote Access Trojans (RATs) such as NjRAT, AsyncRAT, and Remcos, which give the group remote control over infected devices.
In the recent campaign, the group has been observed exploiting CVE-2024-43451, a vulnerability that exposes a user's NTLMv2 hash, enabling attackers to authenticate as that user via pass-the-hash or relay attacks. Microsoft patched the flaw on November 12, 2024. Just days after the patch was released, Blind Eagle incorporated an exploit into its attack campaigns.
The .url files employed in the attacks do not exploit CVE-2024-43451 directly, but they trigger a WebDAV request that notifies attackers when the file is downloaded.
While the .url files used by Blind Eagle do not directly expose NTLMv2 hashes, they rely on similar user interactions, such as right-clicking, deleting, or dragging the file, to trigger a WebDAV request. Once the file is clicked, the next-stage payload is downloaded and executed, allowing the attackers to gain control of the infected system.
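The trigger described above (a shortcut that makes Windows reach out to a remote share during ordinary file handling) is something a defender can check for in mail attachments or user downloads. The following Python triage script is an added example, not code from the Check Point report or the campaign: it parses a .url file and flags URL, IconFile or WorkingDirectory values that point at a remote UNC path or file:// host, noting the WebDAV port syntax (`\\host@80\`, `\\host@SSL@443\`). The sample shortcut and its host are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# .url keys whose value Explorer may resolve while merely handling the file
# (icon lookup on right-click, delete or drag), not only when it is opened.
REMOTE_KEYS = ("url", "iconfile", "workingdirectory")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "."}
# UNC path, optionally in the WebDAV port form \\host@80\ or \\host@SSL@443\
UNC_RE = re.compile(r"^\\\\([^\\@]+)(@SSL)?(@\d+)?\\", re.IGNORECASE)
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)

def parse_url_file(text: str) -> Dict[str, str]:
    """Minimal INI-style parser: key=value pairs from all sections, keys lower-cased."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries

def classify(value: str) -> Optional[Tuple[str, bool]]:
    """(host, webdav_port_syntax) if the value points at a remote share, else None."""
    m = UNC_RE.match(value)
    if m:
        host, webdav = m.group(1), bool(m.group(2) or m.group(3))
    else:
        m = FILE_URL_RE.match(value)
        if not m:
            return None  # http(s) URLs and local drive paths are not flagged
        host, webdav = m.group(1), False
    return None if host.lower() in LOCAL_HOSTS else (host, webdav)

def triage_url_file(text: str) -> List[Tuple[str, str, bool]]:
    """One (key, host, webdav) finding per key that would contact a remote host."""
    findings = []
    for key, value in parse_url_file(text).items():
        hit = classify(value) if key in REMOTE_KEYS else None
        if hit:
            findings.append((key, hit[0], hit[1]))
    return findings

# Constructed sample shortcut (not from the campaign); the host is a placeholder.
SAMPLE_LURE = r"""[InternetShortcut]
URL=\\tracker.example.invalid@80\share\documento.pdf
IconFile=\\tracker.example.invalid@80\share\icon.ico
"""
```

Run `triage_url_file` over quarantined .url attachments; any non-empty result is worth a closer look, and an IconFile hit is the stronger signal because the icon is fetched without the user opening the shortcut.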
Blind Eagle's most recent campaigns have focused on Colombian judicial institutions, government entities, and private organizations. A particularly significant wave of infections occurred around December 19, 2024, in which more than 1,600 victims were impacted, underscoring the scale and precision of the group's operations. The group has made extensive use of legitimate file-sharing platforms, including Google Drive and Dropbox, to distribute its malicious payloads, although recent campaigns have shifted toward Bitbucket and GitHub.
The group has continued to rely on widely available commodity malware, including a .NET-based RAT known to be a variant of PureCrypter, which is packaged using a Packer-as-a-Service tool called HeartCrypt. The final payload, Remcos RAT, is delivered as the last stage of the attack, providing the attackers with remote access to infected systems.
Blind Eagle has also expanded its toolkit with phishing campaigns that have proven to be highly successful. Early March 2024 saw the group impersonating Colombian banks in phishing attempts that resulted in the collection of over 8,000 pieces of Personally Identifiable Information (PII). The PII stolen in these campaigns can be used for identity theft, financial fraud, and further targeted attacks.