In a recent cyberespionage campaign, the BlindEagle hackers have once again targeted Colombian government institutions, this time getting past email security controls by sending from inside the victim's own environment. One operation, aimed at an agency within the Ministry of Commerce, Industry, and Tourism, used a compromised internal email account to send highly convincing phishing messages. Because the mail originated from the organization's own mail infrastructure, it passed SPF, DKIM, and DMARC checks: those controls authenticate the sending domain and servers, not the intent of whoever holds the mailbox.
These emails, designed to appear as official notifications from the Colombian judicial branch, falsely referenced a labor lawsuit. The attackers leveraged a sense of urgency and the threat of legal action to entice recipients into opening an attached SVG image. This social engineering tactic is central to BlindEagle's effectiveness in breaching organizational defenses and initiating their multi-layered attack sequence.
BlindEagle Hackers Abuse Trust and Bypass Email Security
The method employed by the BlindEagle hackers to circumvent email security is particularly noteworthy. By compromising an existing internal email account, they were able to generate phishing messages that passed authentication checks, and that as internal mail typically also escaped the external-sender banners and stricter inbound filtering applied to messages from outside the organization. Impersonating legitimate internal communications in this way is a powerful tool for threat actors looking to gain initial access.
Once a recipient opens the SVG attachment, the attack chain, as analyzed by Zscaler researchers, unfolds as a complex, multi-stage process. The malicious actors employ obfuscation techniques and leverage legitimate web services to conceal their activities and evade detection by security software.
When a victim opens the SVG attachment, it redirects them to a deceptive web portal. This portal is designed to closely mimic a legitimate government website, further enhancing the phishing attempt. The portal then automatically delivers a malicious JavaScript file, initiating a fileless infection sequence. An SVG is an XML document that browsers render with script and links enabled, which is what makes an image attachment capable of redirecting the viewer at all.
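The reason an "image" can redirect its viewer is that SVG is XML and may carry script, event handlers and hyperlinks. The following is an added example, not code from the article or from Zscaler: a mail-gateway style triage check that flags those features in an SVG attachment. The two sample documents are constructed for this example; the element and attribute names are those defined by the SVG and HTML specifications.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Added example, not code from the article or from Zscaler: a mail-gateway style
# triage check for SVG attachments. The sample documents below are constructed.

# Elements that let an SVG run code or embed foreign content when a browser opens it.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a target the viewer may navigate to or fetch.
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# URL schemes that reach out of the document (or execute code) when followed.
OUTBOUND_SCHEMES = {"http", "https", "javascript", "data"}


def _local(qualified):
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return (kind, detail) tuples for every risky feature found in the SVG."""
    # For untrusted input in production prefer defusedxml; ElementTree suffices here.
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(("active-content", name))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):            # onload=, onclick=, ...
                findings.append(("event-handler", f"{name}@{aname}"))
            elif attr in HREF_ATTRS:
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme in OUTBOUND_SCHEMES:
                    findings.append(("external-href", f"{name}@{aname}={value.strip()[:60]}"))
    return findings


def should_quarantine(svg_bytes):
    """Policy hook: any active content, handler or outbound href blocks the attachment."""
    return bool(svg_findings(svg_bytes))


# Constructed lure: a 1x1 image that sends the viewer to a fake portal as soon as it opens.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <script type="text/javascript">window.location = "https://portal.example.invalid/";</script>
  <a xlink:href="https://portal.example.invalid/"><rect width="1" height="1"/></a>
</svg>"""

# Constructed benign image: a pure vector drawing, no script and no links.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        verdict = "quarantine" if should_quarantine(doc) else "allow"
        print(label, verdict, svg_findings(doc))
```

A gateway that only checks the MIME type or file extension passes this lure through as an image; the check above looks at what the document can do once rendered. Note that it runs on the attachment, so it is independent of whether the sender authenticated, which is exactly the gap a compromised internal account exploits.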
Infection Mechanism and Payload Delivery
The infection mechanism is intricate, involving nested scripts whose payloads are hidden by steganography and encoding. Custom routines reconstruct executable code from arrays of integers, as illustrated by the deobfuscation code snippet analyzed by the researchers. Each stage is decoded only at run time, which is designed to be difficult for traditional signature-based security solutions to unravel.
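When a stage is stored as an array of integers, the analyst's task is the inverse of the actors' reconstruction routine: pull the array out of the script and try the simple per-element transforms until readable code appears. The following is an added example, not the actors' decoder or Zscaler's analysis code. The encoding used for the constructed sample (a single XOR byte) is an assumption made for illustration; the article does not publish BlindEagle's actual algorithm, and the helper tries XOR and subtraction keys generically rather than assuming either.

```python
import re
import string

# Added example, not the actors' decoder or Zscaler's code: a generic helper for
# recovering text hidden in integer arrays inside obfuscated scripts. The XOR
# encoding of the constructed sample is an assumption for illustration only.

PRINTABLE = set(string.printable.encode("ascii"))
# Tokens an analyst expects in a recovered loader stage; they break ties between
# candidate keys that all yield printable text (e.g. a key that only flips case).
KEYWORDS = (b"function", b"return", b"http", b"eval", b"var ", b"WScript", b"ActiveXObject")


def extract_int_arrays(script_text, min_len=16):
    """Find JavaScript-style literal arrays of at least min_len integers."""
    pattern = r"\[\s*(\d+(?:\s*,\s*\d+){%d,})\s*\]" % (min_len - 1)
    return [[int(x) for x in m.group(1).split(",")]
            for m in re.finditer(pattern, script_text)]


def candidate_transforms():
    """Yield (name, byte_transform) pairs for the per-element schemes to try."""
    for k in range(256):
        yield f"xor {k}", (lambda v, k=k: (v ^ k) & 0xFF)
        yield f"sub {k}", (lambda v, k=k: (v - k) & 0xFF)


def best_decoding(ints):
    """Score every candidate transform; return (name, recovered_text) for the best."""
    best_score, best_name, best_bytes = -1.0, None, b""
    for name, fn in candidate_transforms():
        data = bytes(fn(v) for v in ints)
        printable_ratio = sum(b in PRINTABLE for b in data) / len(data)
        keyword_hits = sum(1 for kw in KEYWORDS if kw in data)
        score = printable_ratio + 0.5 * keyword_hits
        if score > best_score:
            best_score, best_name, best_bytes = score, name, data
    return best_name, best_bytes.decode("ascii", errors="replace")


# Constructed sample: a loader fragment encoded with one XOR byte, embedded the way
# such arrays appear in a nested script (the decoder stub that would follow is omitted).
_PLAIN = b'function next(){ return "https://stage.example.invalid/s2"; }'
_KEY = 0x7B
SAMPLE_SCRIPT = "var p = [" + ",".join(str(b ^ _KEY) for b in _PLAIN) + "];"

if __name__ == "__main__":
    for arr in extract_int_arrays(SAMPLE_SCRIPT):
        print(best_decoding(arr))
```

The scoring matters more than the key search: a wrong XOR key that differs only in bit 0x20 flips letter case and still looks mostly printable, so the keyword bonus is what pulls the true key to the top. Real samples often stack two or three such steps, in which case the same loop is run again on the output.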
This sequence ultimately triggers a PowerShell command executed via Windows Management Instrumentation (WMI). Launching through WMI breaks the usual parent-child process chain: the PowerShell process appears as a child of the WMI provider host rather than of the script that requested it, which defeats detections keyed on the direct parent. This command downloads the next stage. The decoded BlindEagle PowerShell command retrieves a PNG image hosted on the Internet Archive that contains a hidden payload embedded using steganography.
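A PNG fetched from a public archive looks like ordinary content to a proxy, so the useful question for a defender is whether the file is structurally an image at all. The following is an added example, not code from the article or from Zscaler: a PNG chunk walker that flags the simplest carrier tricks (data appended after IEND, non-standard chunk types, CRC mismatches). The article does not say which steganographic scheme the actors used, so this is one plausible check, not a reconstruction of their format; the sample images are constructed in the block.

```python
import struct
import zlib

# Added example, not code from the article or from Zscaler. The sample PNGs are
# constructed here; the scheme checked (appended or foreign chunks) is an assumption.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types registered in the PNG specification and its common extensions.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                   b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                   b"sPLT", b"tIME", b"eXIf"}


def _chunk(ctype, body):
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(trailing=b"", extra_chunks=()):
    """Constructed 1x1 RGB PNG. `trailing` simulates a payload appended after IEND;
    `extra_chunks` are (type, body) pairs inserted before IDAT to simulate a carrier chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")                  # filter byte 0 + one red pixel
    extra = b"".join(_chunk(t, b) for t, b in extra_chunks)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + extra + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


def inspect_png(data):
    """Walk the chunks; return (findings, bytes_after_iend)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    findings, pos, saw_iend = [], len(PNG_SIGNATURE), False
    while pos + 8 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings.append(("truncated-chunk", ctype.decode("latin-1")))
            return findings, b""
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            findings.append(("bad-crc", ctype.decode("latin-1")))
        if ctype not in STANDARD_CHUNKS:
            findings.append(("non-standard-chunk", f"{ctype.decode('latin-1')} ({length} bytes)"))
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    if not saw_iend:
        findings.append(("missing-iend", ""))
    trailing = data[pos:]
    if trailing:
        findings.append(("trailing-data", f"{len(trailing)} bytes after IEND"))
    return findings, trailing


if __name__ == "__main__":
    print(inspect_png(build_png()))
    print(inspect_png(build_png(trailing=b"<constructed hidden payload>")))
    print(inspect_png(build_png(extra_chunks=[(b"pAyL", b"x" * 32)])))
```

The caveat is that least-significant-bit embedding inside the pixel data leaves every chunk and CRC valid, so this walker would report nothing for such a carrier; in that case the signal has to come from the consumer side, for example the PowerShell process that fetches an image and then decodes bytes from it, rather than from the file itself.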
The retrieved payload is identified as the Caminho downloader, a malware variant with apparent Portuguese origins, indicated by internal argument names like "caminho" (Portuguese for "path"). This downloader's purpose is to fetch the final payload from a Discord Content Delivery Network (CDN) URL. Specifically, it targets a text file named AGT27.txt.
Once the Caminho downloader retrieves the file from that URL, it decodes it directly in memory. The malicious payload is never written to disk, a common evasion technique against file-based scanning, though endpoint detection and response (EDR) products that inspect process memory and injection behaviour can still observe the next step. The final stage injects the DCRAT (DarkCrystal) remote access trojan into a hollowed-out MSBuild.exe process.
Hosting DCRAT inside MSBuild.exe, a legitimate, Microsoft-signed Windows build tool, is a process hollowing technique: the trusted binary is started in a suspended state and its code is replaced with the RAT's. This allows the attackers to maintain full control over the compromised system, enabling actions like keylogging and data exfiltration, all while appearing to operate within a trusted Windows process. This advanced persistent threat (APT) group's continued targeting of Colombian government entities highlights the ongoing need for robust cybersecurity measures and vigilance against evolving phishing and malware delivery tactics.
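Both the WMI-launched PowerShell stage and the MSBuild.exe hollowing stage leave the file system clean but distort process relationships, which is where telemetry can catch them. The following is an added example, not a Zscaler detection or a vendor rule: three process-telemetry checks evaluated over constructed Sysmon-style events (ProcessCreate, ID 1, and NetworkConnect, ID 3). The paths, hostnames and command lines in the sample events are constructed for this example.

```python
from dataclasses import dataclass

# Added example, not a Zscaler detection or a vendor rule. Events below are
# constructed; field names follow Sysmon's ProcessCreate (1) and NetworkConnect (3).


@dataclass
class Event:
    event_id: int                 # 1 = process create, 3 = network connection
    image: str                    # full path of the process
    parent_image: str = ""        # only meaningful for event_id == 1
    command_line: str = ""
    dest_host: str = ""           # only meaningful for event_id == 3
    dest_port: int = 0


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rule_wmi_spawned_powershell(ev):
    """PowerShell started through WMI is a child of WmiPrvSE.exe, not of the user's
    shell or of the script that requested it: the parent/child break the WMI stage causes."""
    return (ev.event_id == 1
            and _basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and _basename(ev.parent_image) == "wmiprvse.exe")


def rule_msbuild_from_script_host(ev):
    """A build tool launched by a script interpreter is the hollowing setup, not a build."""
    return (ev.event_id == 1
            and _basename(ev.image) == "msbuild.exe"
            and _basename(ev.parent_image) in SCRIPT_HOSTS)


def rule_msbuild_outbound(ev):
    """MSBuild.exe hosting a RAT has to reach its C2; a build rarely needs that socket.
    Tune this for environments where MSBuild itself performs package restores."""
    return (ev.event_id == 3
            and _basename(ev.image) == "msbuild.exe"
            and ev.dest_port in {80, 443})


RULES = {
    "wmi_spawned_powershell": rule_wmi_spawned_powershell,
    "msbuild_from_script_host": rule_msbuild_from_script_host,
    "msbuild_outbound": rule_msbuild_outbound,
}


def evaluate(events):
    """Return (rule_name, image, detail) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                detail = ev.parent_image if ev.event_id == 1 else f"{ev.dest_host}:{ev.dest_port}"
                alerts.append((name, ev.image, detail))
    return alerts


# Constructed telemetry: the chain from the article, followed by two benign events.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          command_line="powershell.exe -w hidden -c <decoded loader>"),
    Event(1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          dest_host="cdn.example.invalid", dest_port=443),
    Event(1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="powershell.exe Get-Date"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert)
```

None of the three rules needs the payload on disk: the first keys on the parent relationship WMI creates, the second on who started the build tool, and the third on a signed binary doing something a build normally does not. The third rule is the noisiest in developer environments, which is why it records the destination so an analyst can separate package feeds from a CDN the build has no reason to contact.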

