Home / Industry

Blind Eagle Targeted Attack: Using Threat Intelligence Tools for IoC Analysis and Expansion

Blind Eagle is a South American threat actor group believed to be behind APT-C-36 and that has been active since at least 2018. It primarily targets Colombian government institutions and large corporations in the financial, petroleum, and professional manufacturing industries.

Over time, researchers from QiAnXin Threat Intelligence Center have accumulated a list of the threat’s indicators of compromise (IoCs), spoofed and affected organizations, and malicious attachment and malware MD5 hashes that would serve potential targets well. This list includes:

  • 13 spoofed companies and government institutions
  • Nine affected organizations
  • 28 malicious document MD5 hashes
  • 62 Trojan MD5 hashes
  • Six malicious domains
  • Eight malicious URLs
  • Nine RAR archive passwords

This expanded analysis will, however, only focus on the malicious domain IoCs. We used two threat intelligence tools to add yet unpublished artifacts that may be of interest.

Expanding the IoC List with Threat Intelligence Tools

2 Additional IP Address Artifacts

We began by subjecting the six domains from the original IoC list to a bulk WHOIS lookup to see if we can obtain registrant email addresses, names, or organizations. But we did not get any other information as all of the domains’ WHOIS records were redacted for privacy. The Blind Eagle threat actors did their due diligence to not reveal any personally identifiable information (PII) that way.

We then put the six domains from the original list through reverse Domain Name System (DNS) searches. DNS Lookup API gave us the following related IP addresses:

Domains from QiAnXin Threat Intelligence CenterIP Addresses from DNS Lookup API
diangovcomuiscia[.]com154[.]88[.]101[.]205
linkpc[.]net67[.]214[.]175[.]69
publicvm[.]com67[.]214[.]175[.]69

Interestingly, two of the domains resolved to the same IP address—67[.]214[.]175[.]69, which was dubbed “malicious” by six engines on VirusTotal for being a malware host.

The IP address was also tagged “malicious” on AbuseIPDB after being reported 442 times for reasons that include:

  • Secure Shell (SSH) brute-forcing
  • Port scanning
  • Relations to a web app attack
  • Bot activity
  • Web/Email spamming
  • Distributed denial-of-service (DDoS) attack
  • Hacking
  • File Transfer Protocol (FTP) brute-forcing
  • Phishing
  • Voice over Internet Protocol (VoIP) fraud
  • Open proxy hacking
  • Using a Virtual Private Network (VPN)-protected IP address
  • SQL injection
  • IP spoofing
  • Host compromise
  • Internet of Things (IoT) device hacking

8 Additional Domain Artifacts

After obtaining the IP addresses the domains in the original list resolved to, we subjected them to reverse IP/DNS searches. Reverse IP/DNS Lookup gave us the following list of connected domains:

IP AddressesNumber of Connected DomainsDomains
154[.]88[.]101[.]2054diangovcomuiscia[.]com
eapoch[.]com
go-aheadwebshop[.]com
www[.]go-aheadwebshop[.]com
67[.]214[.]175[.]694box6[.]dnsexit[.]com
linkpc[.]net
publicvm[.]com
thinkvm[.]com

Out of the eight domains we got from the reverse IP/DNS searches, it’s worth noting that:

The domains diangovcomuiscia[.]com and publicvm[.]com that resolved to one of the IP addresses each are also part of QiAnXin Threat Intelligence Center’s IoC list.

The domains eapoch[.]com, go-aheadwebshop[.]com, dnsexit[.]com, linkpc[.]net, and thinkvm[.]com, meanwhile, are additional threat artifacts. Of these five domain names, linkpc[.]net is dubbed “malicious” on VirusTotal. A search on Screenshot Lookup told us that the domain is not even in use by a website. It is, if the resulting page is to be believed, available for any interested party’s use free of charge. That may just be a clever ruse to trick people into clicking a likely malicious link embedded on the webpage, though this statement would require further investigation. Given that, it may be considered safe to block access to it from an organizations’ networks.

And even if the other four additional domains are benign, it may also considered best to block network access to them as well since they share IP addresses with confirmed APT-C-36 IoCs.


To stay truly protected from Blind Eagle and APT-C-36, it is advisable to subject publicized IoCs to further research and analysis using domain and IP intelligence tools. As this short study showed, at least one more IP address (i.e., 67[.]214[.]175[.]69) and one additional domain (i.e., linkpc[.]net) should probably be included in company blacklists.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO

Cybersecurity

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API