Blind Eagle is a South American threat actor group believed to be behind APT-C-36 and that has been active since at least 2018. It primarily targets Colombian government institutions and large corporations in the financial, petroleum, and professional manufacturing industries.
Over time, researchers from QiAnXin Threat Intelligence Center have accumulated a list of the threat’s indicators of compromise (IoCs), spoofed and affected organizations, and malicious attachment and malware MD5 hashes that would serve potential targets well. This list includes:
This expanded analysis will, however, focus only on the malicious domain IoCs. We used two threat intelligence tools to surface related artifacts that have not yet been published and that may be of interest.
We began by subjecting the six domains from the original IoC list to a bulk WHOIS lookup to see if we could obtain registrant email addresses, names, or organizations. We did not get any additional information, as all of the domains’ WHOIS records were redacted for privacy. The Blind Eagle threat actors did their due diligence to avoid revealing any personally identifiable information (PII) that way.
We then put the six domains from the original list through reverse Domain Name System (DNS) searches. DNS Lookup API gave us the following related IP addresses:
| Domains from QiAnXin Threat Intelligence Center | IP Addresses from DNS Lookup API |
|---|---|
| diangovcomuiscia[.]com | 154[.]88[.]101[.]205 |
| linkpc[.]net | 67[.]214[.]175[.]69 |
| publicvm[.]com | 67[.]214[.]175[.]69 |
Interestingly, two of the domains resolved to the same IP address—67[.]214[.]175[.]69, which was dubbed “malicious” by six engines on VirusTotal for being a malware host.
The IP address was also tagged “malicious” on AbuseIPDB after being reported 442 times for reasons that include:
After obtaining the IP addresses the domains in the original list resolved to, we subjected them to reverse IP/DNS searches. Reverse IP/DNS Lookup gave us the following list of connected domains:
| IP Addresses | Number of Connected Domains | Domains |
|---|---|---|
| 154[.]88[.]101[.]205 | 4 | diangovcomuiscia[.]com, eapoch[.]com, go-aheadwebshop[.]com, www[.]go-aheadwebshop[.]com |
| 67[.]214[.]175[.]69 | 4 | box6[.]dnsexit[.]com, linkpc[.]net, publicvm[.]com, thinkvm[.]com |
Out of the eight domains we got from the reverse IP/DNS searches, it’s worth noting that:
The domains diangovcomuiscia[.]com and publicvm[.]com, each of which resolved to one of the two IP addresses, are also part of QiAnXin Threat Intelligence Center’s IoC list.
The domains eapoch[.]com, go-aheadwebshop[.]com, dnsexit[.]com, linkpc[.]net, and thinkvm[.]com, meanwhile, are additional threat artifacts. Of these five domain names, linkpc[.]net is dubbed “malicious” on VirusTotal. A search on Screenshot Lookup told us that the domain is not even in use by a website. It is, if the resulting page is to be believed, available for any interested party’s use free of charge. That may just be a clever ruse to trick people into clicking a likely malicious link embedded on the webpage, though this would require further investigation. Given that, it may be considered safe to block access to it from an organization’s networks.
And even if the other four additional domains are benign, it may also be considered best to block network access to them as well, since they share IP addresses with confirmed APT-C-36 IoCs.
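The pivot described above (resolve the seed domains, collect the IP addresses, reverse-look-up each address, and separate already-known IoCs from newly connected domains) can be scripted so that the same expansion is repeatable whenever a new IoC list is published. The following is an added example and not code from QiAnXin Threat Intelligence Center or from any DNS or reverse-IP lookup product; the `resolve()` and `reverse_lookup()` functions are stand-ins that answer from in-memory tables filled with the values in the two tables above, so the script runs offline, and a real deployment would replace those two functions with API calls. Hostnames are collapsed to their registrable domain (so www[.]go-aheadwebshop[.]com and box6[.]dnsexit[.]com fold into their parents) using a deliberately simple last-two-labels rule; a production tool should use the Public Suffix List instead.

```python
"""Expand a seed list of domain IoCs through DNS and reverse-IP pivots.

Added example, not the article's or any vendor's code. Lookups are served
from constructed in-memory tables (values taken from the article's tables)
so the script runs offline.
"""
import ipaddress
from collections import defaultdict

# Defanged seed IoCs exactly as they would be copied from a published report.
SEED_DOMAINS = ["diangovcomuiscia[.]com", "linkpc[.]net", "publicvm[.]com"]

# Constructed stand-in for a forward DNS lookup: domain -> A records.
FORWARD_DNS = {
    "diangovcomuiscia.com": ["154.88.101.205"],
    "linkpc.net": ["67.214.175.69"],
    "publicvm.com": ["67.214.175.69"],
}

# Constructed stand-in for a reverse-IP lookup: IP -> hostnames seen on it.
REVERSE_IP = {
    "154.88.101.205": ["diangovcomuiscia.com", "eapoch.com",
                       "go-aheadwebshop.com", "www.go-aheadwebshop.com"],
    "67.214.175.69": ["box6.dnsexit.com", "linkpc.net",
                      "publicvm.com", "thinkvm.com"],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a usable name or IP."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def defang(ioc: str) -> str:
    """Defang a name or IP so it is safe to paste into tickets and reports."""
    return ioc.replace(".", "[.]")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (simplification; use the
    Public Suffix List in real tooling)."""
    return ".".join(host.split(".")[-2:])


def resolve(domain: str) -> list:
    """Hypothetical forward-lookup hook; swap in a real DNS/API call here."""
    return FORWARD_DNS.get(domain, [])


def reverse_lookup(ip: str) -> list:
    """Hypothetical reverse-IP hook; swap in a real reverse-IP API call here."""
    return REVERSE_IP.get(ip, [])


def pivot(seed_domains: list) -> dict:
    """Resolve seeds, reverse-look-up their IPs, and separate known from new."""
    seeds = {refang(d) for d in seed_domains}

    # Step 1: seed domain -> IP addresses (validated so bad API data fails loudly).
    ip_to_seeds = defaultdict(set)
    for seed in sorted(seeds):
        for ip in resolve(seed):
            ipaddress.ip_address(ip)  # raises ValueError on malformed input
            ip_to_seeds[ip].add(seed)

    # An IP that several seeds resolve to is a stronger shared-infrastructure signal.
    shared_ips = sorted(ip for ip, s in ip_to_seeds.items() if len(s) > 1)

    # Step 2: IP -> connected domains, collapsed to registrable names.
    domain_to_ips = defaultdict(set)
    for ip in ip_to_seeds:
        for host in reverse_lookup(ip):
            domain_to_ips[registrable_domain(refang(host))].add(ip)

    # Step 3: anything not already in the seed list is a new artifact to review.
    new_domains = {d: sorted(ips) for d, ips in domain_to_ips.items() if d not in seeds}

    # Candidate blocklist: seeds, their IPs, and the newly connected domains, defanged.
    blocklist = sorted(defang(x) for x in set(ip_to_seeds) | set(new_domains) | seeds)

    return {
        "resolved": {ip: sorted(s) for ip, s in ip_to_seeds.items()},
        "shared_ips": shared_ips,
        "new_domains": dict(sorted(new_domains.items())),
        "blocklist": blocklist,
    }


if __name__ == "__main__":
    report = pivot(SEED_DOMAINS)
    print("IPs shared by more than one seed:", report["shared_ips"])
    print("New domains and the IPs that connect them:", report["new_domains"])
    print("Candidate blocklist:", report["blocklist"])
```

Each entry in `new_domains` carries the IP that links it back to a confirmed IoC, which is the evidence an analyst needs when deciding whether to block a domain that is not itself flagged on VirusTotal, as the passage above argues for the four domains co-hosted with linkpc[.]net and diangovcomuiscia[.]com.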
To stay truly protected from Blind Eagle and APT-C-36, it is advisable to subject publicized IoCs to further research and analysis using domain and IP intelligence tools. As this short study showed, at least one more IP address (i.e., 67[.]214[.]175[.]69) and one additional domain (i.e., linkpc[.]net) should probably be included in company blacklists.