Read the original article: Blind Eagle Targeted Attack: Using Threat Intelligence Tools for IoC Analysis and Expansion
Blind Eagle is a South American threat actor group believed to be behind APT-C-36 and that has been active since at least 2018. It primarily targets Colombian government institutions and large corporations in the financial, petroleum, and professional manufacturing industries.
Over time, researchers from QiAnXin Threat Intelligence Center have accumulated a list of the threat’s indicators of compromise (IoCs), spoofed and affected organizations, and malicious attachment and malware MD5 hashes that would serve potential targets well. This list includes:
- 13 spoofed companies and government institutions
- Nine affected organizations
- 28 malicious document MD5 hashes
- 62 Trojan MD5 hashes
- Six malicious domains
- Eight malicious URLs
- Nine RAR archive passwords
This expanded analysis will, however, only focus on the malicious domain IoCs. We used two threat intelligence tools to add yet unpublished artifacts that may be of interest.
Expanding the IoC List with Threat Intelligence Tools
2 Additional IP Address Artifacts
We began by subjecting the six domains from the original IoC list to a bulk WHOIS lookup to see if we can obtain registrant email addresses, names, or organizations. But we did not get any other information as all of the domains’ WHOIS records were redacted for privacy. The Blind Eagle threat actors did their due diligence to not reveal any personally identifiable information (PII) that way.
We then put the six domains from the original list through reverse Domain Name System (DNS) searches. DNS Lookup API gave us the following related IP addresses:
| Domains from QiAnXin Threat Intelligence Center | IP Addresses from DNS Lookup API |
|---|---|
| diangovcomuiscia[.]com | 154[.]88[.]101[.]205 |
| linkpc[.]net | 67[.]214[.]175[.]69 |
| publicvm[.]com | 67[.]214[.]175[.]69 |
Interestingly, two of the domains resolved to the same IP address — 67[.]214[.]175[.]69, which was dubbed “malicious” by six engines on VirusTotal for being a malware host.
The IP address was also tagged “malicious” on AbuseIPDB after being reported 442 times for reasons that include:
- Secure Shell (SSH) brute-forcing
- Port scanning
- Relations to a web app attack
- Bot activity
- Web/Email spamming
- Distributed denial-of-service (DDoS) attack
- Hacking
- File Transfer Protocol (FTP) brute-forcing
- Phishing
- Voice over Internet Protocol (VoIP) fraud
- Open proxy hacking
- Using a Virtual Private Network (VPN)-protected IP address
- SQL injection
- IP spoofing
- Host compromise
- Internet of Things (IoT) device hacking
8 Additional Domain Artifacts
After obtaining the IP addresses the domains in the original list resolved to, we subjected them to reverse IP/DNS searches. Reverse IP/DNS Lookup gave us the following list of connected domains:
| IP Addresses | Number of Connected Domains | Domains |
|---|---|---|
| 154[.]88[.]101[.]205 | 4 | diangovcomuiscia[.]comeapoch[.]comgo-aheadwebshop[.]comwww[.]go-aheadwebshop[.]com |
| 67[.]214[.]175[.]69 | 4 | box6[.]dnsexit[.]comlinkpc[.]netpublicvm[.]comthinkvm[.]com |
Out of the eight domains we got from the reverse IP/DNS searches, it’s worth noting that:
The domains diangovcomuiscia[.]com and publicvm[.]com that resolved to one of the IP addresses each are also part of QiAnXin Threat Intelligence Center’s IoC list.
The domains eapoch[.]com, go-aheadwebshop[.]com, dnsexit[.]com, linkpc[.]net, and thinkvm[.]com, meanwhile, are additional threat artifacts. Of these five domain names, linkpc[.]net is dubbed “malicious” on VirusTotal. A search on Screenshot Lookup told us that the domain is not even in use by a website. It is, if the resulting page is to be believed, available for any interested party’s use free of charge. That may just be a clever ruse to trick people into clicking a likely malicious link embedded on the webpage, though this statement would require further investigation. Given that, it may be considered safe to block access to it from an organizations’ networks.
And even if the other four additional domains are benign, it may also considered best to block network access to them as well since they share IP addresses with confirmed APT-C-36 IoCs.
To stay truly protected from Blind Eagle and APT-C-36, it is advisable to subject publicized IoCs to further research and analysis using domain and IP intelligence tools. As this short study showed, at least one more IP address (i.e., 67[.]214[.]175[.]69) and one additional domain (i.e., linkpc[.]net) should probably be included in company blacklists.
Read the original article: Blind Eagle Targeted Attack: Using Threat Intelligence Tools for IoC Analysis and Expansion