The threat actor known as Blind Eagle has been linked with high confidence to the Russian bulletproof hosting service Proton66. Trustwave SpiderLabs made this connection by pivoting from the service’s digital assets to discover an active threat cluster. Many threat actors rely on bulletproof hosting providers because these services intentionally ignore abuse reports and legal takedown requests, which lets attackers run phishing sites and malware delivery infrastructure without fear of interruption. The researchers first identified a set of domains sharing a similar naming pattern beginning in August 2024.
The phishing pages have been found to mimic legitimate Colombian banks and many other well-known financial institutions.
Specific targets included Bancolombia, BBVA, Banco Caja Social, and the financial services company Davivienda. Blind Eagle is well known for targeting entities in South America. These deceptive websites are engineered to harvest user credentials and other sensitive personal information.
Visual Basic Script (VBS) payloads hosted on the same infrastructure retrieve encrypted executable files and act as loaders for commodity remote access trojans such as AsyncRAT and Remcos RAT. Analysis of the VBS code also revealed significant overlaps with Vbs-Crypter, a subscription-based crypter service used to obfuscate and pack VBS payloads so that they evade standard antivirus and other security solutions.
The campaign also uses privilege escalation and Windows Defender exclusions to maintain its persistent foothold on infected systems.
Trustwave also discovered a botnet panel that allows the attackers to control the infected machines remotely, retrieve exfiltrated data, and interact with all infected endpoints. The panel features a Brazilian Portuguese interface and shows hundreds of infected machines in its dashboard. The campaign uses Base64-encoded strings executed via PowerShell and scheduled tasks to ensure system persistence after initial infection. The group’s persistence and ability to adapt its tactics highlight that patching alone is not a standalone defense.
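The persistence chain summarised above (script-host loaders, Base64-encoded PowerShell, scheduled tasks, Windows Defender exclusions) is what a detection engineer would hunt for in process-creation telemetry. The following Python triage script is an added example, not code from Trustwave or from the article; the pipe-delimited log format, the rule set, and every sample line, including the encoded payload, are constructed here for illustration. It decodes any `-EncodedCommand` argument and re-applies the rules to the plaintext, so a Defender exclusion hidden inside the Base64 blob is still caught.

```python
"""Triage process-creation records for encoded PowerShell, scheduled-task
registration, Defender tampering and .vbs launches from user-writable paths.
Added example: the log format and all sample lines below are constructed."""
import base64
import binascii
import re

# powershell.exe accepts any prefix of -EncodedCommand (and -ec) as the flag.
_ENC_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                    key=len, reverse=True)
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Rules are applied to the raw command line and to the decoded payload.
RULES = {
    "scheduled_task_create": re.compile(
        r"schtasks(?:\.exe)?\s.*?/create|Register-ScheduledTask", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s.*?-Disable\w+", re.I),
    "vbs_from_user_path": re.compile(
        r"(?:w|c)script(?:\.exe)?\s.*?\\(?:AppData|Temp|Public|ProgramData)\\.*?\.vbs",
        re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # flag looked right but the blob is not a PowerShell payload


def classify(cmdline: str):
    """Return (sorted rule names, decoded payload or None) for one command line."""
    decoded = decode_encoded_command(cmdline)
    hits = {"encoded_powershell"} if decoded is not None else set()
    for text in (cmdline, decoded or ""):
        for name, rx in RULES.items():
            if rx.search(text):
                hits.add(name)
    return sorted(hits), decoded


def scan(log_lines):
    """Parse 'time|user|image|cmdline' records and return the flagged ones."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        _ts, _user, image, cmdline = line.split("|", 3)
        rules, decoded = classify(cmdline)
        if rules:
            findings.append({"line": n, "image": image,
                             "rules": rules, "decoded": decoded})
    return findings


# Constructed payload: the exclusion is only visible after decoding the blob.
HIDDEN = r"Add-MpPreference -ExclusionPath C:\Users\Public"
_B64 = base64.b64encode(HIDDEN.encode("utf-16le")).decode()

# Constructed telemetry; timestamps, users and paths are illustrative.
SAMPLE_LOG = [
    r"2025-01-06T09:00:01|alice|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2025-01-06T09:01:10|alice|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Roaming\invoice.vbs",
    rf"2025-01-06T09:01:12|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc {_B64}",
    r'2025-01-06T09:01:15|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2025-01-06T09:01:20|alice|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn WindowsUpdateCheck /tr "wscript.exe C:\Users\Public\update.vbs" /sc onlogon',
    r"2025-01-06T10:30:00|bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Unrestricted -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['rules'])}")
        if f["decoded"]:
            print(f"    decoded: {f['decoded']}")
```

Lines 1 and 6 of the constructed log are benign (a service host and an admin running a signed script with `-ExecutionPolicy Unrestricted`) and produce no finding; the prefix-matching regex for the encoded flag is deliberately anchored so `-ExecutionPolicy` does not trip it. Lines 2 to 5 each fire at least one rule, and line 3 fires both `encoded_powershell` and `defender_exclusion` because the rules run over the decoded text as well.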