Full Report
Trustwave SpiderLabs has assessed with high confidence that the threat group Blind Eagle, aka APT-C-36, is associated with the Russian bulletproof hosting service provider Proton66. Blind Eagle is a threat actor actively targeting organizations across Latin America, with a notable focus on Colombian financial institutions.
Analysis Summary
# Threat Actor: Blind Eagle (APT-C-36)
## Attribution & Identity
* **Primary Identification:** Blind Eagle, also known as APT-C-36.
* **Known Associations:** Assessed with high confidence to be associated with the **Russian bulletproof hosting service provider Proton66**.
## Activity Summary
* Blind Eagle is an actively targeting threat group focusing on organizations across Latin America.
* There is a notable historical and current focus on **Colombian financial institutions**.
* The threat actors exhibit an increasing capability to scale operations across the broader **Latin American (LATAM) region**.
## Tactics, Techniques & Procedures
* **Infrastructure:** Minimal effort toward segmentation or concealment of infrastructure (C2 panels, VBS files were publicly accessible via open directories).
* **Delivery:** Utilizes phishing lures tailored to specific regional targets, often banking-themed.
## Targeting
* **Sectors:** Financial Services (notably banking institutions).
* **Geography:** Latin America (LATAM), with a specific focus on **Colombia**.
* **Victims:** Colombian financial institutions.
## Tools & Infrastructure
* **Malware Families Used:** VBS files (Visual Basic Scripting files) were mentioned in the context of publicly accessible infrastructure.
* **Infrastructure (C2, domains, IPs):** C2 panels were identified as publicly accessible via open directories, often lacking basic segmentation. (No specific defanged URLs or IPs were provided in the provided text snippet).
## Implications
* The group demonstrates that unsophisticated threat infrastructures (due to lax segmentation) can still result in successful compromises when paired with well-targeted, localized phishing lures.
* The threat is actively scaling across the LATAM region beyond its initial focus.
## Mitigations
* Maintain heightened vigilance around banking-themed emails.
* Enforce robust email filtering capabilities.
* Regularly train staff to identify localized phishing techniques.
* Utilize advanced email filtering solutions (e.g., Trustwave MailMarshal) to detect and block malicious attachments or links.
* Implement proactive monitoring for regionally targeted infrastructure and threat indicators.