
New tools, infection chain part of Blind Eagle comeback

Organizations in Colombia and Ecuador are being targeted by the Spanish-speaking threat group Blind Eagle, also known as APT-C-36, which has reemerged with an upgraded toolset and infection chain, The Hacker News reports. According to a Check Point report, Blind Eagle has impersonated banks and financial entities including Banco AV Villas, BBVA, Banco Caja Social, Banco de Bogota, Bancoomeva, Banco Popular, Colpatria, Davivienda, and TransUnion in phishing emails whose malicious link ultimately leads to deployment of Quasar RAT. A related campaign aimed at both countries impersonates Ecuador's Internal Revenue Service (SRI) to set off a multi-stage chain that abuses the legitimate mshta.exe binary, a living-off-the-land technique rather than an exploit, to download the ByAV2.py script, which executes a Meterpreter payload; a second script, mp.py, is likewise a Meterpreter artifact. "Blind Eagle is a strange bird among APT groups. Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage," said researchers.
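A detection sketch for the chain summarized above, added here as an illustration and not code from Check Point, The Hacker News, or the SC Media article: it walks constructed process-creation records (not real telemetry) and flags mshta.exe launched with a remote URL, a Python interpreter whose ancestry includes mshta.exe, and command lines referencing the script names the report attributes to this campaign. The paths, PIDs, and the lure URL in the sample events are assumptions for the demo.

```python
"""Process-lineage detection for an mshta.exe -> Python -> Meterpreter chain.

All events below are constructed for the example; nothing here is captured
from a real infection. Script names come from the Check Point report cited
in the article; everything else (paths, PIDs, URL) is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Script artifacts named in the reporting on this campaign.
CAMPAIGN_SCRIPTS = ("byav2.py", "mp.py")
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged (e.g. Sysmon Event ID 1)


def _basename(image: str) -> str:
    """Return the lowercase file name of an image path (handles / and \\)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                  target: str, max_depth: int = 5) -> bool:
    """True if any ancestor within max_depth hops has basename == target.

    Guards against PID reuse / cycles by tracking PIDs already visited.
    """
    seen = set()
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            return False
        if _basename(parent.image) == target:
            return True
        seen.add(parent.pid)
        cur = parent
    return False


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Apply three rules to the event set; returns (pid, rule_name) hits."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        name = _basename(e.image)
        # Rule 1: mshta.exe fetching remote content (download-and-execute LOLBin use).
        if name == "mshta.exe" and REMOTE_URL_RE.search(e.cmdline):
            hits.append((e.pid, "mshta_remote_url"))
        # Rule 2: a Python interpreter descended from mshta.exe (cmd.exe hops allowed).
        if name.startswith("python") and _has_ancestor(e, by_pid, "mshta.exe"):
            hits.append((e.pid, "mshta_spawns_python"))
        # Rule 3: command line references a script name tied to this campaign.
        if any(s in e.cmdline.lower() for s in CAMPAIGN_SCRIPTS):
            hits.append((e.pid, "known_campaign_script"))
    return hits


def demo_events() -> List[ProcEvent]:
    """Constructed sample telemetry: one malicious lineage plus two benign processes."""
    return [
        ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                  "OUTLOOK.EXE"),
        # Assumed lure URL; example.invalid is reserved and never resolves.
        ProcEvent(300, 100, r"C:\Windows\System32\mshta.exe",
                  'mshta.exe "https://example.invalid/lure.hta"'),
        ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
                  r"cmd /c python C:\Users\Public\ByAV2.py"),
        ProcEvent(500, 400, r"C:\Python39\python.exe",
                  r"python C:\Users\Public\ByAV2.py"),
        # Benign: mshta.exe on a local .hta (no remote URL) and an unrelated python run.
        ProcEvent(600, 1, r"C:\Windows\System32\mshta.exe",
                  r"mshta.exe C:\Windows\Temp\local.hta"),
        ProcEvent(700, 1, r"C:\Python39\python.exe", "python build.py"),
    ]


if __name__ == "__main__":
    for pid, rule in detect(demo_events()):
        print(f"pid={pid} rule={rule}")
```

Rule 2 walks the parent chain rather than checking only the immediate parent, because the interpreter is commonly launched through an intermediate cmd.exe or powershell.exe; the depth limit and visited-PID set keep the walk bounded under PID reuse. Rule 3 is an indicator match and will not survive a rename of the scripts, so it should be treated as corroboration for the behavioral rules rather than a standalone signal.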
