Mexico. According to the SILIKN investigation unit, which issued the alert, activities and campaigns of the criminal group Blind Eagle, or APT-C-36, were detected in Mexico, a campaign through which it usurps the identity of some government agencies.
It is relevant to note that Blind Eagle is a criminal group of alleged South American origin, suspected of carrying out continuous attacks directed against institutions of the Colombian government, as well as important corporations of that country in the financial sector, oil industry and professional manufacturing, among others.
According to the data collected by SILIKN's research unit, Blind Eagle focuses on strategic-level intelligence and also stealing trade and industrial and intellectual property secrets.
For Víctor Ruiz, founder of SILIKN and certified instructor in cybersecurity, "despite the fact that analysts have detected and revealed the attacks of Blind Eagle, in the last two years, the group has not only not stopped its activities, but its attacks have become increasingly intense."
An analysis by SILIKN's investigative unit reports that, while Blind Eagle has previously attacked targets in Colombia, it has also managed to impact organizations in Ecuador, Chile, Spain, Panama and now Mexico.
Specifically, Blind Eagle has usurped the identity of Colombia's National Directorate of Taxes and Customs, National Civil Registry, Migration, Assistance Office, and National Judicial Department, to name a few, to attack Colombia's own government institutions and companies.
Similarly, "it is launching a similar campaign against government organizations and institutions in Mexico, whose objective is to distribute and infect victims with RAT-type malware, which allows attackers to perform different actions on infected devices, ranging from the theft of passwords and information, to screenshots and audio recordings. to later send this information to the cybercriminals' servers."
The SILIKN investigation unit has launched a warning because it has been detected that Blind Eagle, in order to increase its number of victims, is developing a campaign through which it usurps the identity of some of the following government agencies, such as the Ministry of Finance and Public Credit Attorney General's Office, the Prosecutor of the Federation Treasury of the Federation (Tesofe), the Financial Intelligence Unit (UIF), the Banking, Securities and Savings Unit, the Tax Administration Service (SAT), the General Administration of Customs of Mexico (Customs), the National Banking and Securities Commission (CNBV), the National Commission of the Retirement Savings System (Consar), the National Insurance and Bonding Commission (CNSF), the National Bank of the Army, Air Force and Navy (Banjército), and the National Bank of Foreign Trade Institute of Administration and Appraisals of National Assets (INDAABIN).
"Blind Eagle is suspected of being a Spanish-speaking group due to the use of language in their phishing emails. However, it is currently unclear where the criminal group is located and whether its attacks are motivated by espionage or financial gain."
According to the analyses, the attackers target the Windows platform and use phishing emails with RAR extension attachments (compressed files), protected with password to avoid detection. It should be noted that phishing emails use decoys that urge recipients to settle outstanding tax collection obligations. The purpose of criminals is to implant a backdoor and gain a foothold in the target network, which can facilitate the implementation of lateral tracking movement.
Similarly, Blind Eagle uses links to PDF format files, which -- once victims click on the link -- redirect the user to a malicious website and trick them into downloading malware programs. The files that are downloaded have Spanish names that induce users to execute the LimeRAT Trojan that allows communication with the command and control server of the criminal group to perform the function of information theft.
