Abantes
⚠️ Overview
Abantes is a remote access trojan (RAT) first documented in 2019 by ESET researchers, linked to the Spanish-speaking threat group BlindEagle (APT-C-36). It primarily targets government, financial, and energy sectors in Latin America, notably Colombia. The malware is delivered via spear-phishing emails with malicious Office documents.
🔧 Technical Capabilities
Abantes uses HTTP/HTTPS for command-and-control (C2) communication, employing base64 and XOR obfuscation to hide its payload. It achieves persistence by creating a scheduled task or modifying registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware can enumerate processes, capture keystrokes, exfiltrate files, and execute arbitrary shell commands. It employs evasion techniques such as checking for sandbox environments (e.g., via CPU or graphics card vendor strings) and delaying execution to avoid dynamic analysis. Propagation is manual, via lateral movement over RDP or SMB with stolen credentials. C2 domains often mimic legitimate services (e.g., microsoft-update[.]com). MITRE ATT&CK techniques include T1059.003 (Command and Scripting Interpreter), T1071.001 (Web Protocols), and T1547.001 (Boot or Logon Autostart Execution).
📜 History & Notable Incidents
First identified in mid-2019, Abantes was used in campaigns targeting Colombian government agencies and energy companies. In 2021, BlindEagle leveraged Abantes alongside the open-source RAT LimeLogger to steal credentials from the Colombian tax authority (DIAN) systems. No public CVEs are directly tied to Abantes; instead it exploits malicious macros (CVE-2017-0199 style vulnerabilities) in Office documents. Law enforcement actions remain limited, though the Colombian Cyber Command has issued alerts.
🔍 Detection Indicators
Known file hashes include SHA256: 6a8c9b1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (example, verify via VirusTotal). Behavioral signatures: dropped files such as %AppData%\updates.exe, a registry value named "WindowsUpdate" under the Run key, and network connections to ports 80/443 on domains like "liveupdate-software[.]com". User-Agent strings mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Mutex names like "Global\ABANTES_MUTEX" are observed.
☠️ Risk & Impact
Abantes enables persistent remote access, leading to data exfiltration of sensitive government documents and financial records. BlindEagle has been linked to ransomware deployment (e.g., using LockBit) as a secondary payload, causing operational disruptions and potential financial losses. Affected sectors include Colombian government ministries, oil and energy companies, and financial institutions.
🛡️ Mitigation
Implement email filtering to block malicious attachments and macros; enable endpoint detection rules for process creation anomalies (e.g., Office applications spawning cmd.exe). Apply behavioral IOCs in the SIEM (e.g., network connections to known C2 domains) and restrict PowerShell execution. Regular patching of Microsoft Office vulnerabilities and user awareness training for phishing are critical. Vendor reports: ESET's "BlindEagle" white paper (2019), and MITRE ATT&CK Group G0136 (BlindEagle).
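The following is an added example (not code from the original profile or any vendor) showing how the behavioral indicators listed under Detection Indicators can be turned into the SIEM-style rules suggested above. It assumes a hypothetical one-line-per-event telemetry format (`type key=value ...`) constructed for this example; the indicator values themselves (parent/child process pair, dropped file path, Run-key value, C2 domains, mutex name) are taken from the text above, with the defanged domains refanged for matching.

```python
import re
from typing import Dict, List

# Indicators from the profile above (domains refanged from the "[.]" notation on the page).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
C2_DOMAINS = {"liveupdate-software.com", "microsoft-update.com"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "windowsupdate"
DROPPED_SUFFIX = r"\appdata\roaming\updates.exe"   # expanded form of %AppData%\updates.exe
MUTEX = r"global\abantes_mutex"

# Constructed sample telemetry (hypothetical format, not real EDR output).
SAMPLE_EVENTS = [
    r'process parent=WINWORD.EXE image=cmd.exe cmdline="cmd.exe /c %AppData%\updates.exe"',
    r'file op=create path="C:\Users\ana\AppData\Roaming\updates.exe"',
    r'registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=WindowsUpdate',
    r'network host=liveupdate-software.com port=443',
    r'mutex name=Global\ABANTES_MUTEX',
    r'process parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c dir"',   # benign
    r'network host=www.example.org port=443',                               # benign
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split 'type k=v k="v v"' into a dict; the leading token becomes the event type."""
    etype, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["type"] = etype
    return fields

def match_event(ev: Dict[str, str]) -> List[str]:
    """Return ATT&CK-tagged findings for one event using only the page's indicators."""
    hits, t = [], ev["type"]
    if t == "process" and ev.get("parent", "").lower() in OFFICE_PARENTS \
            and ev.get("image", "").lower() == "cmd.exe":
        hits.append("T1059.003 Office application spawned cmd.exe")
    if t == "file" and ev.get("path", "").lower().endswith(DROPPED_SUFFIX):
        hits.append("dropped file %AppData%\\updates.exe")
    if t == "registry" and ev.get("key", "").lower() == RUN_KEY \
            and ev.get("value", "").lower() == RUN_VALUE:
        hits.append("T1547.001 Run-key persistence value 'WindowsUpdate'")
    if t == "network" and ev.get("host", "").lower() in C2_DOMAINS and ev.get("port") in {"80", "443"}:
        hits.append("T1071.001 connection to known C2 domain")
    if t == "mutex" and ev.get("name", "").lower() == MUTEX:
        hits.append("mutex Global\\ABANTES_MUTEX observed")
    return hits

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of each matching event to its findings; benign events are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := match_event(parse_event(line)))}
```

Running `scan(SAMPLE_EVENTS)` flags the first five constructed events and leaves the two benign ones unmatched; in production the same rules would be expressed in the SIEM's query language rather than Python.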