Unseen Wings – How Blind Eagle Hackers Deploy Open-Source RATs and Ciphers to Evade Static Detection

In a recent detailed investigation by Trustwave SpiderLabs, the threat group Blind Eagle (APT-C-36) has been linked with the Russian bulletproof hosting provider Proton66.

This group has been actively targeting Latin American organizations, with a pronounced focus on Colombian financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda.

The analysis sheds light on how Blind Eagle leverages open-source Remote Access Trojans (RATs), Visual Basic Script (VBS) loaders, and simple yet effective obfuscation techniques to bypass static malware detection.

Infrastructure and Attack Techniques

Blind Eagle’s operations pivot around infrastructure hosted on Proton66-associated IP addresses, notably the IP 45.135.232[.]38.

The group extensively uses free Dynamic DNS (DDNS) services, particularly DuckDNS, to register domains with consistent naming patterns starting from August 2024.

These domains host phishing pages that mimic legitimate Colombian bank portals and VBS scripts, serving as the initial infection vector.

The VBS files are obfuscated using a subscription-based tool called Vbs-Crypter, advertised on Telegram channels such as “Crypters and Tools.”

This crypter complicates static detection by packing and encrypting the scripts. The VBS loaders perform several critical actions:

• Privilege Escalation: They check if running with administrator rights and, if not, re-execute themselves with elevated privileges using Windows scripting techniques.
• Defender Exclusion: Upon escalation, the scripts add Defender exclusions for the entire C:\ drive, reducing the chance of detection.
• Registry Cleanup: They delete Windows Registry keys related to COM/ActiveX classes (Software\Classes), CLSID entries, and WOW6432Node paths to erase forensic traces.
• Persistence: Scheduled tasks are created (e.g., schtasks /create /tn coJb /tr "%TEMP%\GLPd.vbs" /sc minute /mo 1) to maintain persistence on infected machines.

After these initial steps, the VBS scripts decode embedded Base64 strings and execute PowerShell commands to download second-stage payloads from public paste sites like paste.ee, textbin.net, and file hosting services such as gofile.io.

Use of Open-Source RATs and Botnet Management

The second-stage payloads are typically commodity RATs, primarily AsyncRAT and Remcos, disguised as DLL files with .txt extensions. These RATs establish command and control (C2) connections to publicly accessible management panels.

One notable discovery was a botnet panel with a Brazilian Portuguese interface, managing over 260 infected hosts, primarily located in Argentina. The panel provides operators with comprehensive control capabilities, including:

• Executing arbitrary commands on compromised systems.
• Exfiltrating files.
• Deploying additional payloads via URLs.

Interestingly, the threat actors show minimal operational security (OpSec). Their infrastructure hosts open directories containing identical malicious files, phishing kits, and VBS loaders.

The phishing pages replicate bank login portals almost perfectly, aiming to harvest user credentials.

Implications and Defense Recommendations

Blind Eagle’s campaign exemplifies how relatively unsophisticated infrastructure and publicly available tools can still inflict significant damage, especially when combined with region-specific phishing lures.

The attackers prioritize rapid deployment and accessibility over stealth or infrastructure concealment, making detection possible but requiring vigilance.

Organizations in Latin America, particularly financial institutions, should adopt the following measures:

• Robust Email Filtering: Deploy advanced solutions, such as Trustwave MailMarshal, to block malicious attachments and links.
• Endpoint Monitoring: Monitor for suspicious VBS scripts, unusual scheduled tasks, and modifications to Defender exclusions.
• Phishing Awareness Training: Educate staff on recognizing localized phishing attempts mimicking trusted banks.
• Network Monitoring: Track connections to known DDNS services (e.g., DuckDNS) and suspicious paste sites.

Indicators of Compromise (IoCs)

• IP Address: 45.135.232[.]38
• Domains: Multiple DuckDNS subdomains with consistent naming patterns (e.g., *.duckdns.org)
• Payload Hosting: paste.ee, textbin.net, gofile.io
• Malware: AsyncRAT, Remcos variants
• Scheduled Task Names: e.g., coJb

Blind Eagle’s campaign is a stark reminder that even low-complexity threat actors can leverage open-source tools and basic obfuscation to evade detection and compromise high-value targets.

Vigilance, combined with layered defenses and regional threat intelligence, remains crucial in countering such evolving threats.