In a sophisticated cyberespionage campaign, the BlindEagle threat actor has once again targeted Colombian government institutions.<\/p>\n
This latest operation specifically zeroed in on an agency under the Ministry of Commerce, Industry, and Tourism, leveraging a highly effective strategy to bypass standard email security protocols.<\/p>\n
By compromising an internal email account within the target organization, the attackers sent phishing emails that appeared to originate from a legitimate internal source.<\/p>\n
This method allowed them to circumvent SPF, DKIM, and DMARC checks, ensuring the malicious messages reached their intended victims without triggering alarms.<\/p>\n
The phishing emails<\/a> were crafted to mimic official notifications from the Colombian judicial branch and referenced a fabricated labor lawsuit.<\/p>\n Designed to instill urgency and fear, the messages threatened legal action to pressure recipients to download an attached SVG image.<\/p>\n This social engineering<\/a> tactic effectively lured victims into initiating the infection process.<\/p>\n Following this initial compromise, Zscaler analysts noted<\/a> that the attack chain is remarkably complex, employing multiple layers of obfuscation and legitimate web services to conceal its activities.<\/p>\n When a victim interacts with the SVG attachment, they are redirected to a fraudulent web portal that closely resembles a legitimate government site.<\/p>\n This portal automatically delivers a malicious JavaScript file, triggering a fileless infection sequence that relies on in-memory execution to evade detection by traditional antivirus solutions<\/a>.<\/p>\n The infection mechanism is a multi-stage process involving nested scripts and steganography. The initial JavaScript snippets deobfuscate subsequent payloads using a custom algorithm.<\/p>\n As shown in the code snippet below, the malware reconstructs executable code by processing arrays of integers to build the next stage.<\/p>\n This sequence eventually executes a PowerShell command<\/a> via Windows Management Instrumentation, as detailed in the decoded BlindEagle PowerShell command.<\/p>\n This command retrieves a PNG image from the Internet Archive that contains a hidden payload. The payload is the Caminho downloader, a malware variant of Portuguese origin, as evidenced by internal argument names such as \u201ccaminho\u201d.<\/p>\n This specific downloader is designed to retrieve the final payload from a Discord<\/a> CDN URL, specifically a text file named AGT27.txt. Caminho then connects to the URL and decodes the file in memory.<\/p>\n Finally, the DCRAT Remote Access Trojan is injected into a hollowed-out MSBuild.exe process. This final step provides the attackers with extensive capabilities, including keylogging<\/a> and data exfiltration, granting them full control over the compromised system while hiding within a trusted Windows process.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post BlindEagle Hackers Attacking Organization to Abuse Trust and Bypass Email Security Controls<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTsMu8ag4yVLw_hF_ra0RZ-wikUoj8-BlpRFfe1DVoPQw8drAKsb0X5St83XAt7zlVoRDfVBUDbAzr9nLEBLQG-Y_47n640ViPRvw2HT39T8OPYrExUEIh8FZM-ddljlNkV5XNTiQizJ_INK_78tqNQ4bxCf7Gr9h6Q3tjVdfdPieoqGOYAY4RX0ZF2zg\/s16000\/The%2520SVG%2520attachment%2520included%2520in%2520BlindEagle%25E2%2580%2599s%2520phishing%2520email%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
![\"BlindEagle](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpKVmnG0z9o0gCdDFZHGKByDJOTM8N4YMKc_vEVsxt12xe2MC9jUBwBnSRqjM0tBzmeZvSzFUL1Zgtwcu8nTohWfr8-1pZ_DYN_YnqqibT5Rw_xgw9lV5U2dPgEO-Tg2jIDOr2ERTCHRhYZyhQL4xPXO0hzmEC8AlFY5PQlE_loSgArJug6U2ZAGvKXBA\/s16000\/BlindEagle%2520attack%2520chain%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
def deobfuscate(obf_code: List[int], step: int) -> str:\n deobf_code = \"\"\n for i in obf_code:\n c = int_to_char(i - step)\n deobf_code += c\n return deobf_code<\/code><\/pre>\n![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiGXeus1e6Ie_jQUEGoIL8jzB-0Y5TPICg36WfoNi4tRRPmIgF2X43Yomwsqv5QnCzG1sKkygktZqCNXpqaJzbQ3RN0o7RwdtNQUrPZDtqLTjGbNpW-fRvDT3-mJo4ve_9TpavH4t87FUIAZ8tNv_uZL-e74Ra3heAA4AAHleUSBncqHC-DRI6QN52DWDM\/s16000\/Decoded%2520BlindEagle%2520PowerShell%2520command%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")