APT-C-36, also known as Blind Eagle, is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018.
In a recent campaign targeting Ecuador based organizations, CPR detected a new infection chain that involves a more advanced toolset.
The backdoor chosen for this campaign is typically used by espionage campaigns, which is unusual for this group
ACTIVE CAMPAIGNS AGAINST COLOMBIAN TARGETS
For the last few months, we have been observing the ongoing campaigns orchestrated by Blind Eagle, which have mostly adhered to the TTPs described above — phishing emails pretending to be from the Colombian government. One typical example is an email purportedly from the Ministry of Foreign Affairs, threatening the recipient with issues when leaving the country unless they settle a bureaucratic matter.
Such emails usually feature either a malicious document or a malicious link, but in this case, the attackers said “why not both?” and included both a link and a terse attached PDF directing the unfortunate victim to the exact same link.
In both cases, the link in question consists of a legitimate link-shortening service URL that geolocates victims and makes them communicate with a different “server” depending on the original country (https://gtly[.]to/QvlFV_zgh). If the incoming HTTP request originates from outside Colombia, the server aborts the infection chain, acts innocent and redirects the client to the official website of the migration department of the Colombian Ministry of Foreign Affairs.
If the incoming request seems to arrive from Colombia, the infection chain proceeds as scheduled. The server responds to the client with a file for download. This is a malware executable hosted on the file-sharing service MediaFire. The file is compressed, similar to a ZIP file, using the LHA algorithm. It is password-protected, making it impervious against naive static analysis and even naive sandbox emulation. The password is found both in the email and in the attached PDF.
The malicious executable inside the LHA is written in .Net and packed. When unpacked, a modified sample of QuasarRAT is revealed.
QuasarRAT is an open source trojan available in multiple sources like Github. The (probably Spanish-speaking) actors behind this APT group have added some extra capabilities over the last few years, which are easy to spot due to the names of functions and variables in Spanish. This process, by which threat actors abuse access to malware sources and each create their own special versions of that malware, is sadly not without precedent in the security landscape and always makes us heave a sad sigh when we encounter it.
Although QuasarRAT is not a dedicated banking Trojan, it can be observed from the sample’s embedded strings that the group’s main goal in the campaign was to intercept victim access to their bank account.
This is a complete list of targeted entities:
Bancolombia Sucursal Virtual Personas
Portal Empresarial Davivienda
BBVA Net Cash
Colpatria – Banca Empresas
Empresarial Banco de Bogota
AV Villas – Banca Empresarial
Bancoomeva Banca Empresarial
Some extra features added to Quasar by this group are a function named “ActivarRDP” (activate RDP) and two more to activate and deactivate the system Proxy:
Along with a few more commands that incur technical debt by impudently disregarding Quasar’s convention for function name and parameter order:
A BETTER CAMPAIGN FEATURING NEWER TOOLS
One specific sample caught our attention as it was related to a government institution from Ecuador and not from Colombia. While Blind Eagle attacking Ecuador is not unprecedented, it is still unusual. Similarly to the campaign described above, the geo-filter server in this campaign redirects requests outside of Ecuador and Colombia to the website of the Ecuadorian Internal Revenue Service:
If contacted from Colombia or Ecuador, the downloaded file from Mediafire will be a RAR archive with a password. But instead of a single executable consisting of some packed RAT, the infection chain, in this case, is much more elaborate:
Inside the RAR archive, there is an executable built with PyInstaller with a rather simplistic Python 3.10 code. This code just adds a new stage in the infection chain:
Usually campaigns by Blind Eagle abuse legitimate file sharing services such as Mediafire or free dynamic domains like “*.linkpc.net”; this case is different, and the next stage is hosted at the malicious domain upxsystems[.]com.
This next-stage downloads and executes yet another next-stage, a script written in Powershell:
The above Powershell checks the system version and downloads the appropriate additional Powershell. This additional OS-specific Powershell checks for installed AV tools and behaves differently based on its findings.
The main difference between each next stage consists in different pieces of code that will try to disable the security solution (for example Windows Defender), but in all cases, regardless of the type of security solution installed on the computer, the next stagewill download a version of python suitable for the target OS and install it:
It will then download two scripts named mp.py and ByAV2.py which will be stored in the user %Public% folder and for which it will create a scheduled task that will run every 10 minutes. For Windows 7 the task will be created by downloading an XML from the C2 “upxsystems[.]com”, while for Windows 8, 8.1, and 10 the malware will create the task using the cmdlet “New-ScheduledTask*”.
In the case of Windows 7, the task is preconfigured to be executed as System and contains the following description
<Description> Mantiene actualizado tu software de Google. Si esta tarea se desactiva o se detiene, tu software de Google no se mantendrá actualizado, lo que implica que las vulnerabilidades de seguridad que puedan aparecer no podrán arreglarse y es posible que algunas funciones no anden. Esta tarea se desinstala automáticamente si ningún software de Google la utiliza. </Description>
It’s written using the kind of Spanish that is commonly spoken in the target countries, which can be noticed for example with the use of “es posible que algunas funciones no anden” instead of “no se ejecuten” or any other variation more common in different geographic regions.
The full description can be translated to:
“Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, which means that security vulnerabilities that may appear cannot be fixed and some features may not work. This task is automatically uninstalled if no Google software uses it.”
After downloading the Python scripts and adding persistence, the malware will try to kill all processes related to the infection.
Regarding the two downloaded scripts, both are obfuscated using homebrew encoding that consists of base64 repeated 5 times (we will never, ever, tire of responding to such design choices with “known to be 5 times as secure as vanilla base64”):
After deciphering these strings for each script we obtain two different types of Meterpreter samples.
This code consists of an in-memory loader developed in Python, which will load and run a normal Meterpreter sample in DLL format that uses “tcp://systemwin.linkpc[.]net:443” as a C2 server.
Python has a built-in PRNG, and in principle no one is stopping you from constructing a stream cipher based on it, which is what the malware authors do here. The embedded DLL is decrypted using this makeshift “randint stream cipher” with an embedded key (in this construction the key is used as the seed to prime the random library). In the grand tradition of cryptography used inside of malware purely to obfuscate buffers using a hardcoded key, the question of how secure this makeshift cipher is has exactly zero consequences.
The second script basically consists of another sample of Meterpreter — this time a version developed entirely in Python and using the same C2 server. We can only speculate on why the server was configured to drop the same payload with the same C2 server but written in a different language; possibly one of the samples acts as a plan B in case of the other sample gets detected by some antivirus solution and removed.
Blind Eagle is a strange bird among APT groups. Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage; however, unlike most such groups that just attack the entire world indiscriminately, Blind Eagle has a very narrow geographical focus, most of the time limited to a single country. This latest campaign targeting Ecuador highlights how, over the last few years, Blind Eagle has matured as a threat — refining their tools, adding features to leaked code bases, and experimenting with elaborate infection chains and “Living off the Land” as seen with the clever abuse of mshta. If what we’ve seen is any indication, this group is worth keeping an eye on so that victims aren’t blindsided by whatever clever thing they try next.
Check Point’s anti-phishing solutions for office 365 & G suite analyzes all historical emails in order to determine prior trust relations between the sender and receiver, increasing the likelihood of identifying user impersonation or fraudulent messages. Artificial Intelligence (AI) and Indicators of Compromise (IoCs) used in the past train the Harmony Email & Office platform for what to look for in complex zero-day phishing attacks.