South American Cyberspies Impersonate Colombian Government in Recent Campaign

A South American cyberespionage group has been observed impersonating a Colombian government tax agency in recent attacks against key industries in the country, BlackBerry reports.


Tracked as APT-C-36 and Blind Eagle, the threat actor has been active since at least 2019, mainly focused on organizations in Colombia and Ecuador, but also targeting entities in Chile and Spain.


As part of a new campaign in late February, Blind Eagle was seen targeting Colombian organizations in the financial, health, immigration and law enforcement sectors, and a peace negotiation agency in the country.


The attack vector was a spear-phishing email with a PDF attachment, which uses the official email address of the Bogota Chamber of Commerce. To evade spam filters, the attackers used the ‘Bcc’ (Blind Carbon Copy) field instead of the ‘To’ field in their emails.


The message informs the recipient of alleged ‘outstanding obligations’, claiming they are behind with a tax payment and encouraging them to click on a link in the invoice, which is attached to the email as a password-protected PDF.


The link masquerades as the official URL for the website of Colombia’s Directorate of National Taxes and Customs, but instead redirects to a bogus website where the victim is encouraged to view another PDF, which initiates the download of a file from the Discord content delivery network (CDN).


Delivered in the form of a RAR archive, the file contains a VBS script that executes PowerShell code to ultimately infect the victim’s device with the AsyncRAT remote access trojan (RAT). Blind Eagle was also seen using
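The delivery chain described above (recipient hidden in Bcc, a password-protected PDF lure, and a link that resolves to the Discord CDN) leaves indicators a mail gateway or SOC triage script can check before any payload runs. The following is an added example written for this article, not code from BlackBerry's report or from the threat actor; the sample message, the sender and recipient addresses, and the Discord URL path are all constructed placeholders, and the `/Encrypt` check is a heuristic that relies on password-protected PDFs carrying an `/Encrypt` entry in their trailer dictionary.

```python
"""Heuristic triage of an inbound message for the lure pattern described in the article.

Added example (not from BlackBerry's report). All sample data is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Links that land on the Discord CDN, which the campaign used for payload hosting.
DISCORD_CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/[^\s\"'<>]+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def visible_recipients(msg: EmailMessage) -> set[str]:
    """Addresses present in To/Cc. A Bcc'd recipient appears in neither header."""
    addrs = set()
    for name in ("To", "Cc"):
        header = msg.get(name)
        if header is not None:
            for addr in header.addresses:
                addrs.add(addr.addr_spec.lower())
    return addrs


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: password-protected PDFs carry an /Encrypt entry in the trailer."""
    return b"/Encrypt" in data


def triage(raw: bytes, delivered_to: str) -> dict:
    """Score a raw RFC 5322 message against the indicators from the campaign."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"pdf_attachment": False, "encrypted_pdf": False}

    # 1. Delivered via Bcc: the mailbox address is absent from To and Cc.
    findings["bcc_delivery"] = delivered_to.lower() not in visible_recipients(msg)

    # 2. PDF attachment, and whether it is password-protected.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or fname.endswith(".pdf"):
            findings["pdf_attachment"] = True
            if pdf_is_encrypted(part.get_payload(decode=True) or b""):
                findings["encrypted_pdf"] = True

    # 3. Any link in the text or HTML body that points at the Discord CDN.
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    findings["urls"] = urls
    findings["discord_cdn_url"] = any(DISCORD_CDN_RE.match(u) for u in urls)

    findings["score"] = sum(
        findings[k] for k in ("bcc_delivery", "pdf_attachment", "encrypted_pdf", "discord_cdn_url")
    )
    return findings


def build_sample_lure() -> bytes:
    """Constructed message shaped like the lure: Bcc delivery, encrypted PDF, Discord link."""
    msg = EmailMessage()
    msg["From"] = "notificaciones@chamber.example"        # placeholder sender
    msg["To"] = "undisclosed-recipients:;"                 # real recipient was Bcc'd
    msg["Subject"] = "Obligaciones pendientes"
    msg.set_content("You have outstanding obligations. See the attached invoice.")
    msg.add_alternative(
        '<p>View invoice <a href="https://cdn.discordapp.com/attachments/0/0/factura.pdf">here</a></p>',
        subtype="html",
    )
    # Constructed PDF-like bytes; the /Encrypt marker stands in for a password-protected file.
    fake_pdf = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Encrypt 2 0 R >>\n%%EOF\n"
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="factura.pdf")
    return msg.as_bytes()


def build_sample_benign(recipient: str) -> bytes:
    """Constructed ordinary message addressed directly to the recipient, no attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@victim.example"
    msg["To"] = recipient
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are on the wiki.")
    return msg.as_bytes()


if __name__ == "__main__":
    mailbox = "finance@victim.example"  # placeholder protected mailbox
    for raw in (build_sample_lure(), build_sample_benign(mailbox)):
        print(triage(raw, mailbox))
```

Each indicator on its own is weak (legitimate mass mailings also use Bcc, and invoices are often password-protected), so the score is meant as a prioritisation signal for quarantine or analyst review rather than a block decision; the combination of all four matches the shape this campaign used.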