APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations


APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations (Feb 18, 2019)

Researchers from 360Netlab have been tracking a suspected South American-based Advanced Persistent Threat (APT) group, "Blind Eagle" (also known as APT-C-36). The group is believed to have been active since April 2018 and primarily target Colombian government entities and other various industries. The group utilises phishing lures with attachments that contain malware as the initial infection vector. The goal of the APT group is to establish a backdoor into the intended targets to then obtain a foothold and then move laterally once in a network for reconnaissance purposes. The phishing emails and attachments are tailored to each industry/entity the group is targeting to potentially increase the possibility that a recipient will open the email and attachment. The attachment requests that macros be enabled and, if allowed, will begin the installation process of the "Imminent" backdoor.

Recommendation: Files that request content be enabled to properly view the document, or emails with password-protected files with the passwords in the email body are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted directly to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.