
The threat actor known as Blind Eagle has been attributed, with a high degree of confidence, to the use of the Russian bulletproof hosting service Proton66.
Trustwave SpiderLabs said in a report published last week that it made this connection by pivoting from Proton66-linked digital assets, which led to the discovery of an active threat cluster that uses Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATs).
Many threat actors rely on bulletproof hosting providers like Proton66 because these services deliberately ignore abuse reports and legal takedown requests. This lets attackers run phishing sites, command-and-control (C2) servers, and malware delivery infrastructure without interruption.
The cybersecurity company said it identified a set of domains with similar naming patterns (e.g., gfast.duckdns[.]org and njfast.duckdns[.]org) that, starting in August 2024, all resolved to the same IP address, 45.135.232[.]38, which is associated with Proton66.
The use of dynamic DNS services such as DuckDNS also plays an important role in these operations. Instead of registering a new domain each time, the attacker rotates subdomains tied to a single IP address, which makes domain-based blocklisting less effective and detection harder for defenders. The flip side for defenders is that a stable IP is a good pivot: any hostname that ever resolved to it becomes a candidate indicator.
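The pivot described above, from one known IP to the hostnames that share it and then to the naming template those hostnames follow, as an added worked example. This is my code, not Trustwave's tooling or data: only the two DuckDNS hostnames and the IP 45.135.232[.]38 come from the report; every other record, all first_seen dates, the second IP (a documentation address), and the "last four characters of the label" clustering heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS records (illustrative; not Trustwave's data). Only
# gfast/njfast.duckdns.org and 45.135.232.38 are from the article; the other
# names, the IP 203.0.113.77 and every first_seen date are made up.
PDNS_RECORDS = [
    {"name": "gfast.duckdns.org", "ip": "45.135.232.38", "first_seen": "2024-08-03"},
    {"name": "njfast.duckdns.org", "ip": "45.135.232.38", "first_seen": "2024-08-19"},
    {"name": "billing-portal.example.com", "ip": "45.135.232.38", "first_seen": "2024-09-01"},
    {"name": "kfast.duckdns.org", "ip": "45.135.232.38", "first_seen": "2024-10-02"},
    {"name": "kfast.duckdns.org", "ip": "203.0.113.77", "first_seen": "2024-11-15"},
    {"name": "weather.duckdns.org", "ip": "203.0.113.10", "first_seen": "2024-07-11"},
    {"name": "cdn.example.net", "ip": "198.51.100.7", "first_seen": "2023-02-02"},
]

# Seed indicator: the single IP the article ties to Proton66.
SEED_IPS = {"45.135.232.38"}

# Dynamic-DNS zones to treat as rotation-friendly (assumption: extend with the
# providers your own telemetry sees).
DYNDNS_ZONES = ("duckdns.org",)


def is_dyndns(name: str) -> bool:
    """True if the hostname sits under a known dynamic-DNS zone."""
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def pivot_on_ips(records, seed_ips):
    """Step 1: every hostname that ever resolved to a seed IP, oldest sighting first."""
    hits = [r for r in records if r["ip"] in seed_ips]
    return sorted(hits, key=lambda r: r["first_seen"])


def naming_clusters(names):
    """Step 2: group dynamic-DNS hostnames by a naming template.

    Heuristic (my assumption, not Trustwave's method): subdomains that share
    their zone and the last four characters of their label (gfast, njfast,
    kfast -> '*fast') are treated as one operator's rotation set. Singletons
    are dropped because a template needs at least two members.
    """
    clusters = defaultdict(list)
    for name in names:
        if not is_dyndns(name):
            continue
        label, zone = name.split(".", 1)
        key = f"*{label[-4:]}.{zone}" if len(label) >= 4 else name
        clusters[key].append(name)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


def expand_indicators(records, seed_ips):
    """Step 3: IPs outside the seed set that a clustered hostname later moved to.

    A rotated subdomain that keeps its naming template but changes address
    is how the seed set grows from one IP to the operator's wider footprint.
    """
    pivot_names = {r["name"] for r in pivot_on_ips(records, seed_ips)}
    clustered = {n for members in naming_clusters(pivot_names).values() for n in members}
    return {r["ip"] for r in records if r["name"] in clustered and r["ip"] not in seed_ips}


if __name__ == "__main__":
    for hit in pivot_on_ips(PDNS_RECORDS, SEED_IPS):
        print(f"{hit['first_seen']}  {hit['name']:<30} {hit['ip']}")
    print("clusters:", naming_clusters([r["name"] for r in PDNS_RECORDS]))
    print("new IPs:", expand_indicators(PDNS_RECORDS, SEED_IPS))
```

The unrelated weather.duckdns.org record never joins a cluster even though it is on DuckDNS: sharing a provider is not evidence, sharing an IP and a naming template is. Feed real passive-DNS exports into PDNS_RECORDS and tune DYNDNS_ZONES before trusting the expanded set.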

“The domain in question was used to host a variety of malicious content, including phishing pages and VBS scripts, which act as an early stage in malware deployment,” said security researcher Serhii Melnyk. “These scripts act as loaders for second-stage tools, which in this campaign are publicly available and often limited to open-source RATs.”
Visual Basic Script may seem outdated, but it remains a go-to tool for initial access because of its native compatibility with Windows systems (wscript.exe and cscript.exe ship with every install) and its ability to run quietly in the background. The attacker uses it to download a malware loader, evade antivirus tools, and blend in with normal user activity. These lightweight scripts are often the first step in a multi-stage attack that later deploys remote access trojans (RATs), data stealers, or keyloggers.
The phishing pages discovered impersonate legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for targeting entities in South America, particularly in Colombia and Ecuador.
The deceptive sites are designed to harvest user credentials and other sensitive information. The VBS payloads hosted on the same infrastructure are capable of retrieving encrypted executables from remote servers, essentially serving as loaders for commodity RATs such as AsyncRAT and Remcos RAT.
Furthermore, analysis of the VBS code revealed overlaps with VBS-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that is used to obfuscate and pack VBS payloads so that they evade detection.
Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a wide set of features typically found in commodity RAT management suites.”
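A host-side detection for the VBS-loader stage described above, as an added example. This is my code, not a Trustwave rule or telemetry: it correlates constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events, flagging a script host that runs a .vbs from a user-writable path and then reaches out to a dynamic-DNS hostname. The file names, users, process GUIDs and the user-writable-path regex are assumptions; the njfast.duckdns[.]org / 45.135.232[.]38 pair is the only indicator taken from the article.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Field names follow
# Sysmon's ProcessCreate (EventID 1) and NetworkConnect (EventID 3) schema.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\factura_pendiente.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\ana"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "njfast.duckdns.org", "DestinationIp": "45.135.232.38",
     "DestinationPort": 443},
    # Benign: a vendor inventory script run by SYSTEM from ProgramData.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\Vendor\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Suspicious path but no beacon seen (yet).
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\luis\AppData\Local\Temp\update.vbs',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\luis"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumption: these are the user-writable locations a mailed/downloaded .vbs lands in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.IGNORECASE)
# First quoted or bare absolute path ending in .vbs on the command line.
VBS_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.vbs)"?', re.IGNORECASE)
DYNDNS_ZONES = ("duckdns.org",)


def script_launches(events):
    """Map ProcessGuid -> .vbs path for every wscript/cscript process creation."""
    launches = {}
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith(SCRIPT_HOSTS):
            continue
        m = VBS_ARG.search(e["CommandLine"])
        if m:
            launches[e["ProcessGuid"]] = m.group(1)
    return launches


def dyndns_connections(events):
    """Map ProcessGuid -> set of dynamic-DNS hostnames that process connected to."""
    conns = defaultdict(set)
    for e in events:
        if e["EventID"] != 3:
            continue
        host = (e.get("DestinationHostname") or "").lower()
        if any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
            conns[e["ProcessGuid"]].add(host)
    return conns


def classify(events):
    """Correlate the two signals per process.

    .vbs from a user-writable path alone -> medium; the same process also
    beaconing to a dynamic-DNS host -> high. Script hosts running from
    system-managed paths with no beacon produce nothing.
    """
    alerts = []
    conns = dyndns_connections(events)
    for guid, script in script_launches(events).items():
        reasons = []
        if USER_WRITABLE.search(script):
            reasons.append("vbs in user-writable path")
        if conns.get(guid):
            reasons.append("connected to " + ", ".join(sorted(conns[guid])))
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append({"guid": guid, "script": script, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in classify(EVENTS):
        print(f"[{a['severity']}] {a['guid']} {a['script']}: {'; '.join(a['reasons'])}")
```

The correlation key is the ProcessGuid, so a .vbs that hands off to a child process (powershell.exe, for instance) before connecting out would need an extra parent-child join; that is the first extension worth adding when running this against real Sysmon data.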

The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024, weaponizing a now-patched Windows flaw (CVE-2024-43451, an NTLM hash disclosure vulnerability fixed by Microsoft in November 2024) to download and run the next-stage payload.

“The persistence of Blind Eagle and its ability to adapt tactics even after patches are released, and the speed at which the group was able to continue using pre-established TTPs, highlights that timely vulnerability management and patch application, while essential, are not a standalone defense,” the company said.