New Blind Eagle attacks involve Proton66 hosting

Advanced persistent threat operation Blind Eagle, also known as APT-C-36, APT-Q-98, and AguilaCiega, has been leveraging Proton66, a Russian bulletproof hosting service, as part of its infrastructure in recent phishing attacks against banks and other financial entities across Colombia, including BBVA, Davivienda, Banco Caja Social, and Bancolombia, reports The Hacker News.
Since August, Blind Eagle has used multiple similarly named domains resolving to a Proton66-linked IP address to host phishing pages and VBS scripts that load second-stage malware, usually open-source remote access trojans such as Remcos RAT or AsyncRAT, according to an analysis by Trustwave SpiderLabs researchers. The researchers also found the VBS code to resemble output of the Vbs-Crypter tool, which is designed to obfuscate VBS payloads. The findings follow a Darktrace report that Blind Eagle has been targeting Colombian organizations since November in an attack campaign that abuses the Windows vulnerability tracked as CVE-2024-43451.