What’s scarier than an eagle with a sharp beak? One with sharp code.
It’s not every day you see an eagle hunting with a RATs or Remote Access Trojans, but in Latin America's cyber landscape, this unusual partnership is causing serious trouble. In this blog, we'll dive into the recent campaign by the hacking group Blind Eagle, exploring their tactics, techniques, and procedures (TTPs), and analyzing some of their e-crime arsenals that are helps tighten their grip in the region.
Introduction
Latin America has recently become a hotspot for a new wave of cyberattacks, driven by the region's rapid digital growth. This surge in digitalization has outpaced its cybersecurity infrastructure, making Latin America an attractive target for cybercriminals. The increasing reliance on digital services, combined with varying levels of cybersecurity maturity across different countries, has created a fertile ground for sophisticated attacks.
Blind Eagle: Who and What are they?
Blind Eagle, also known as APT-C-36, has become a formidable force in Latin America by wielding Remote Access Trojans (RATs) to infiltrate systems across the region. Active since at least 2018, this hacking group has targeted a wide range of industries—including government institutions, financial firms, and the energy sector.
They have focused their attacks on countries like Colombia, Ecuador, Chile, Brazil and Panama. By disguising their spear phishing campaigns as communications from government entities, Blind Eagle lures unsuspecting victims into digital traps, resulting in widespread data theft and financial damage. Using RATs like njRAT, LimeRAT, BitRAT, JanelaRAT and AsyncRAT, they continue to be a growing menace across the region.
Evading Process-Based Defenses: Understanding Process Hollowing
One of Blind Eagle's key tactics, techniques, and procedures (TTPs) is process hollowing, a method they use to evade detection by security software. By injecting their malicious code into legitimate processes, Blind Eagle can execute their actions under the guise of trusted applications, effectively bypassing process-based defenses.
For example, a Remote Access Trojan named “XtremeRAT” uses process hollowing as an evasion technique:
- First, the malware creates and launches a legitimate process in a suspended state.
- Next, the malware unmaps the legitimate process’s memory, effectively hollowing it out.
- Then, the malware modifies the process's memory permissions to
PAGE_EXECUTE_READWRITE
, allowing it full control over the hollowed process. - Finally, the malware injects its malicious code into the hollowed process, resumes the process thread, resulting in the execution of the malicious code under the context of a legitimate process.
Blind Eagle: e-Crime Arsenals Analysis
Malware campaigns typically involve multiple stages, each with a specific role. The attack often starts with social engineering, such as spear-phishing, where a victim is tricked into executing a ‘dropper’—a malware that installs additional malicious components. This is followed by a ‘loader,’ which prepares and executes the final payload, often a Remote Access Trojan (RAT), that performs the main malicious functions.
In this analysis, we’ll extract Indicators of Compromise (IOCs) from the dropper and examine the RATs used by the threat actors.
Static Analysis: Understanding The RAT dropper
By performing Malware Static Analysis, this specific identification means that the file, loader.msi is a legitimate Windows Installer package format.
From a malware analyst perspective, .msi files are often used as droppers or loaders for malicious software. The use of a legitimate format like CFBF can help the malware evade detection by appearing as a normal installer to less thorough analysis methods.
With a further look, we identified that this sample is packed by the total number of randomness detected by our tool.
Dynamic Analysis: IOCs Gathering Using Extracted MSI Package
Using native Windows tools, we extracted the .msi file, and here are our findings:
The extracted file is a .wxs file, which is a source file for the WiX Toolset.
What is WiX toolset? WiX is used by developers to create Windows Installer packages from XML code. The .wxs file typically defines the structure and contents of an .msi installer, including the files to be installed, registry modifications, and other installation tasks. WiX Toolset
Returning to our sample, the file size is 429 KB, which is unusually large for an XML file. This immediately raises suspicion, suggesting that it might contain more than just standard XML markup. Upon further inspection, we discovered that this XML file contains embedded code, which is a significant RED FLAG. Several indicators make this XML file particularly concerning:
- The XML file includes embedded code, which is atypical for standard XML files and suggests possible malicious intent.
- The file contains a series of readable references to Windows-related tools such as cmd, schtasks, and others, which are often used in scripts for system manipulation.
- The XML file uses unusual variable names that are passed as arguments to these Windows commands, which could indicate an attempt to obfuscate malicious activities.
Breaking the Cipher: Decrypting the Encrypted Dropper
We ran a Python script to automate our decryption process, revealing an odd-looking URL used by the dropper to download additional payloads from a remote command and control server.
From an Incident Response perspective, identifying this URL is crucial, as it allows us to quickly find endpoints with a history of connecting to it, reducing the Mean Time to Detect. While threat actors may switch domains, setting up a new C2 server takes time, potentially disrupting their campaign temporarily. This URL serves as a valuable IOC for threat intel sharing.
Eagle’s Prey: A Sneak Peak to Remote Access Trojan
In this section, we'll examine the Remote Access Trojan (RAT) sample we obtained. This analysis will be conducted statically, as we've set up a lab titled Code Breaker on the Blue Team Labs Online platform. In this lab, you'll have the opportunity to analyze the RAT sample in-depth, extract Indicators of Compromise (IOCs), and gain a comprehensive understanding of its operation using a .NET code viewer tool—all without needing to use your personal sandbox.
While performing static analysis in dnSpy, you might encounter functions that appear obfuscated or encrypted, a common tactic used by threat actors to hinder analysis. However, some parts of the code may remain human-readable, making static analysis effective. For instance, in our case, we identified readable functions like SetWindowHookEx
, FindWindow
, and GetWindow
, which are typically associated with keylogger malware. These findings suggest that this malware is capable of capturing user input, indicating highly suspicious behavior.
RAT Extermination: Rule Writing for Finding RAT Infected Machines
Analyzing a sample without creating a detection rule is like letting a burglar roam your house, watching them work, and then letting them leave as if nothing happened. It's essential to take action.
Suricata Rules: Capturing Network IOCs
In this section, here’s a sample Suricata rule for detecting the presence of a dropper or downloader in your environment.
detection-rules/MalwareCampaign_LatinAmerica2024/Suricata Rules at main · SecurityBlueTeam/detection-rules
1) This rule will trigger an alert if any HTTP traffic connects to a host that contains the domain presteservicosaz[.]pro
.
alert http any any -> any any (msg:"Suspicious connection to presteservicosaz.pro"; flow:established,to_server; content:"Host: presteservicosaz.pro"; http_header; classtype:trojan-activity; sid:100002; rev:1;)
2) This rule will trigger an alert if the HTTP request URI contains "Vicosaza" regardless of the file requested. The /rain.png
part is optional and not required for the alert to trigger.
alert http any any -> any any (msg:"Suspicious URL containing Vicosaza"; flow:established,to_server; content:"/Vicosaza"; http_uri; classtype:trojan-activity; sid:100003; rev:1;)
Endpoint Detection: Leveraging YARA Rules
Here’s a sample YARA rule that combines file size, specific strings found in the dropper’s memory, and the SHA256 hash of the sample:
detection-rules/MalwareCampaign_LatinAmerica2024/YARA at main · SecurityBlueTeam/detection-rules
import "hash"
rule LatinAmerica_MalwareCampaign_Loader
{
meta:
description = "YARA rule for detecting the dropper used in Latin America Malware Campaign"
author = "Security Blue Team"
date = "2024-09-02"
hash = "236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23"
strings:
$s1 = "SoftwareDetector.dll" ascii wide
$s2 = "OnDetectSoftware" ascii wide
$s3 = "Secur32.dll" ascii wide
$s4 = "GetLastError" ascii wide
$s5 = "LoadLibraryW" ascii wide
$s6 = "GetProcAddress" ascii wide
$s7 = "FreeLibrary" ascii wide
$s8 = "ROOT\\SecurityCenter2" ascii wide
$s9 = "SELECT * FROM AntiVirusProduct" ascii wide
$s10 = "Detected antivirus :" ascii wide
$s11 = "WindowsAzureGuestAgent.exe" ascii wide
$s12 = "function Sleep(seconds)" ascii wide
$s13 = "var StartTime = new Date();" ascii wide
$s14 = "while (datet < (seconds * 1000))" ascii wide
$s15 = "var EndTime = new Date();" ascii wide
condition:
filesize > 5MB and // Ensure the file is larger than 5MB
all of ($s*) and // Match all strings
hash.sha256(0, filesize) == "236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23" // Ensure the hash matches
}
Latin America Campaign: Final Thoughts
Impact on the Region
The malware campaign's economic and societal impact in Latin America is profound, with increasing financial losses and diminishing public trust in digital services. Government sectors, particularly healthcare, have been heavily disrupted, affecting millions.
Response Efforts
In response, governments and private organizations are bolstering cybersecurity measures, fostering regional cooperation, and pushing for improved cybersecurity awareness and infrastructure.
What’s Next?
The ongoing threat underscores the need for continuous vigilance, intelligence monitoring, employee training, intelligence sharing, and strengthening defense-in-depth strategies.
If you found this topic interesting and you don’t have any exposure to Malware Analysis, Reverse Engineering, Digital Forensics and Incident Response, why not take a look at our gamified blue team lab platform, where we have prepared a lab titled Code Breaker that lets you analyze this type of malware sample.