Hackers of the Unseen Eagle Exploit Phishing Tactics to Deploy Remote Access Trojans in Latin America
Cybersecurity investigators have shed light on a threat actor identified as Unseen Eagle that has persistently targeted organizations and individuals in Colombia, Ecuador, Chile, Panama, and other countries in Latin America.
The entities under attack come from various areas, including governmental bodies, financial institutions, as well as energy and oil and gas enterprises.
“Unseen Eagle has displayed flexibility in shaping the motives of its cyber invasions and the ability to switch between criminal attacks aimed at financial gain and intelligence-gathering operations,” Kaspersky stated in a report released on Monday.
Also known as APT-C-36, Unseen Eagle is thought to have been active since at least 2018. The suspected Spanish-speaking group is recognized for employing spear-phishing tactics to distribute various publicly accessible remote access trojans, such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.
Back in March, eSentire explained the utilization of a malware loader named Ande Loader by the adversary to disseminate Remcos RAT and NjRAT.
The initial contact is a phishing email impersonating legitimate governmental organizations and financial institutions, which deceptively urges recipients to take immediate action by clicking on a link pretending to direct them to the official website of the institution being imitated.
These email communications also contain a PDF or Microsoft Word attachment that includes the same link, and sometimes, a few additional details meant to create a sense of urgency and make it appear authentic.
The links direct users to attacker-controlled websites hosting an initial downloader, but only if the recipient is in a country within the group’s scope; otherwise they are sent to the impersonated organization’s real website.
“This selective redirection by region serves to avoid the scrutiny and examination of these attacks, preventing the categorization of new malicious websites,” stated the Russian cybersecurity provider.
The initial downloader is typically a compressed ZIP file containing a Visual Basic Script (VBS) that retrieves the subsequent payload from a hardcoded remote server. These servers can vary from image hosting platforms to Pastebin or legitimate services like Discord and GitHub.
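The ZIP-plus-VBS downloader stage described above lends itself to a simple mail-gateway triage check: open the archive, flag script members, and pull out any hardcoded URLs and their hosts. The Python below is an added example written for this page, not code from Kaspersky or from the report; the archive, the member names and the URL inside the sample script are constructed test data, and the list of staging domains is an assumption drawn from the services the text names (Pastebin, Discord, GitHub).

```python
import io
import os
import re
import zipfile
from urllib.parse import urlparse

# Script types a mail gateway should not let through inside an archive unchallenged.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# Assumption: domains of the services the report names as second-stage staging
# locations (Pastebin, Discord, GitHub). Image hosts vary, so none are listed.
STAGING_DOMAINS = ("pastebin.com", "discord.com", "discordapp.com",
                   "github.com", "githubusercontent.com")

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

# Constructed sample: script text carrying a hardcoded second-stage URL.
# It is only parsed, never executed; the URL is a placeholder.
SAMPLE_VBS = (
    "' constructed sample: a script carrying a hardcoded second-stage URL\r\n"
    'strUrl = "https://cdn.discordapp.com/attachments/0000/0000/stage2.txt"\r\n'
)


def build_sample_zip(member: str, content: bytes) -> bytes:
    """Build an in-memory ZIP with one member (used to construct test attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def _decode(raw: bytes) -> str:
    """Decode script text; VBS is sometimes saved as UTF-16, which hides ASCII URLs."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def _is_staging_host(host: str) -> bool:
    """Exact or subdomain match only, so 'evil-github.com' does not match 'github.com'."""
    return any(host == d or host.endswith("." + d) for d in STAGING_DOMAINS)


def triage_zip(data: bytes, max_member_bytes: int = 1_000_000) -> list:
    """Report every member of a ZIP attachment: script or not, URLs found, staging hosts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            finding = {"member": info.filename, "is_script": ext in SCRIPT_EXTENSIONS,
                       "urls": [], "staging_hosts": []}
            # Read only script members, capped in size so a decompression bomb
            # cannot exhaust the gateway's memory.
            if finding["is_script"] and info.file_size <= max_member_bytes:
                text = _decode(zf.read(info))
                finding["urls"] = URL_RE.findall(text)
                hosts = {(urlparse(u).hostname or "").lower() for u in finding["urls"]}
                finding["staging_hosts"] = sorted(h for h in hosts if _is_staging_host(h))
            findings.append(finding)
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into a gateway decision."""
    if any(f["is_script"] and f["urls"] for f in findings):
        return "block"       # script with a hardcoded download URL: the downloader pattern
    if any(f["is_script"] for f in findings):
        return "quarantine"  # script inside an archive but no URL found: analyst review
    return "allow"


if __name__ == "__main__":
    sample = build_sample_zip("Comprobante_Pago.vbs", SAMPLE_VBS.encode())
    for finding in triage_zip(sample):
        print(finding)
    print(verdict(triage_zip(sample)))
```

The verdict deliberately separates "script with a hardcoded URL" from "script with no URL": the first matches the downloader pattern the report describes and can be blocked outright, while the second still deserves a human look, since the URL may be obfuscated or assembled at runtime rather than present as a literal.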
The second-stage malicious software, often hidden using steganographic methods, is a DLL or a .NET injector that then connects to another malicious server to fetch the final trojan.
“The group often deploys process injection strategies to execute the trojan within the memory space of a legitimate process, thereby bypassing process-centric defenses,” Kaspersky mentioned.
“The group heavily favors the technique of process hollowing. This involves creating a genuine process in a suspended state, then unloading its memory, substituting it with a malicious payload, and finally resuming the process to initiate the execution.”

The modification of open-source RATs grants Unseen Eagle the freedom to adjust their campaigns as needed, whether for espionage or stealing credentials from Colombian financial services by capturing them from the victim’s browser when specific window titles match pre-defined strings in the malware.
Likewise, modified versions of NjRAT have been observed with capabilities such as keylogging and screenshot capture to harvest confidential information. The updated version also supports the installation of additional plugins served from the command-and-control server to extend its functionality.
The changes also extend to the attack vectors. Most recently, in June 2024, AsyncRAT was distributed via a malware loader named Hijack Loader, indicating a high level of adaptability on the part of the threat actors and showing that the group keeps adding new techniques to sustain its operations.
“As seemingly simple as Unseen Eagle’s methods and procedures might be, their effectiveness enables the group to maintain a significant level of operation,” concluded Kaspersky. “By consistently carrying out cyber espionage and financial credential theft campaigns, Unseen Eagle remains a notable threat in the region.”