A new campaign by the threat actor known as Blind Eagle has been detected by the BlackBerry Research and Intelligence Team. The campaign, which was first detected on February 20, 2023, targets various key industries in Colombia, as well as Ecuador, Chile, and Spain. This suggests a slow expansion of the hacking group's victimology footprint.
The targeted entities include health, financial, law enforcement and immigration organizations, as well as an agency in charge of peace negotiation in Colombia. The Canadian cybersecurity company noted that Blind Eagle, also known as APT-C-36, was recently covered by Check Point Research, whose report detailed the adversary's advanced toolset, including Meterpreter payloads delivered via spear-phishing emails.
The latest set of attacks by Blind Eagle involves the group impersonating the Colombian government tax agency, the National Directorate of Taxes and Customs (DIAN), to phish its targets. The email messages are designed to look like they come from DIAN and urge recipients to settle "outstanding obligations." The messages contain a link to a PDF file hosted on a fake DIAN website; this PDF file deploys malware on the targeted system, launching the infection chain.
According to BlackBerry researchers, "The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices." If the victim clicks on this button, they will download the PDF file and unwittingly infect their system with malware.
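As an added example (not code from the BlackBerry report or this article), the following Python check flags the lure pattern described above in a plain-text email: a sender or body that invokes DIAN while the link points to a PDF on a domain other than the agency's own. It assumes DIAN's legitimate web domain is dian.gov.co and runs over a constructed sample message, not a real indicator from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the tax agency's real web domain is dian.gov.co; the article
# names only the agency, not its domain.
OFFICIAL_DOMAINS = {"dian.gov.co"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def is_official(host, official=OFFICIAL_DOMAINS):
    return any(host.lower() == d or host.lower().endswith("." + d) for d in official)

def impersonation_findings(raw_email, brand="dian", official=OFFICIAL_DOMAINS):
    """Flag a plain-text email that invokes the brand but points elsewhere."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    # Display name claims the brand while the sender domain is not official.
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if brand in display.lower() and not is_official(sender_host, official):
        findings.append({"value": addr,
                         "reasons": ["brand-in-display-name", "sender-not-official"]})
    # Only score links when the message actually invokes the brand.
    if brand not in (display + " " + addr + " " + body).lower():
        return findings
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""  # hostname is already lowercased
        if is_official(host, official):
            continue
        reasons = []
        if brand in host:  # lookalike host such as dian-<word>.example
            reasons.append("brand-in-host")
        if parsed.path.lower().endswith(".pdf"):  # the PDF lure in the article
            reasons.append("pdf-download")
        if reasons:
            findings.append({"value": url, "reasons": reasons})
    return findings

# Constructed sample imitating the lure the article describes (not a real IoC).
SAMPLE_EMAIL = """\
From: "DIAN Notificaciones" <aviso@dian-facturas.example>
Subject: Obligaciones pendientes

Consulte sus facturas pendientes en el siguiente enlace:
https://dian-facturas.example/portal/facturas_pendientes.pdf
Portal oficial: https://www.dian.gov.co/
"""
```

Running `impersonation_findings(SAMPLE_EMAIL)` reports the spoofed sender and the PDF link on the lookalike host while leaving the genuine dian.gov.co link untouched.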