{"id":1488,"date":"2024-09-24T09:22:56","date_gmt":"2024-09-24T09:22:56","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1488"},"modified":"2025-07-29T07:22:01","modified_gmt":"2025-07-29T07:22:01","slug":"analysis-of-blind-eagle-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-blind-eagle-campaign\/","title":{"rendered":"Analysis of Blind Eagle Campaign"},"content":{"rendered":"\n
\"\"\/<\/figure>\n\n\n\n

Blind Eagle, also known as APT-C36, has launched a new campaign in Colombia that targets numerous industries. Check Point Research has revealed insights into this adversary’s techniques, which include the use of Meterpreter payloads supplied via targeted spear-phishing emails.<\/p>\n\n\n\n

The campaign explicitly targets industries such as healthcare, finance, law enforcement, immigration, and a Colombian peacekeeping organization. The attackers have been seen impersonating the National Directorate of Taxes and Customs (DIAN), a Colombian government tax body, and phishing victims by asking them to clear supposed “outstanding obligations.”<\/p>\n\n\n\n

Custom malware, social engineering tactics, and spear-phishing attacks are all routinely used by the APT-C36 threat group during their campaigns. This threat group has also been observed leveraging exploits for zero-day vulnerabilities in their attacks, according to LMNTRIX. <\/p>\n\n\n\n

We will look at Blind Eagle’s multi-stage attack method and present indicators of compromise (IoCs) that can be used to identify and protect against the group’s attacks in this LMNTRIX Lab article.<\/p>\n\n\n\n

Static Analysis of Blind Eagle Sample:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

According to a recent analysis by LMNTRIX CDC, a spam operation delivering spear-phishing emails to South American enterprises, Blind Eagle has retooled its strategies to include a wide range of inexpensive remote access trojans (RATs) and geolocation filtering to evade detection.<\/p>\n\n\n\n

Strings Dumped from EXE sample<\/strong>,<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Language Used: Visual Basic \/ VB .NET<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Javascript Stager Shellcode leading to PowerShell execution,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Snippets from VBS Source Code \u2013 Office Shared Computer Activation<\/strong>,<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Base64 Encoding and String Concatenation for PowerShell code,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next Stage \u2013 PowerShell Code Execution through MSHTA<\/strong>,<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Powershell code either leads to one of these RAT holes<\/strong> \u2013 Whether it\u2019s Async RAT, NJRAT, or Lime RAT infection depends on which code is downloaded (and executed) on the victim\u2019s machine,<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Representative Image \u2013 Lime RAT (GUI) & Powershell command being executed,<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Dynamic Analysis of Blind Eagle sample:<\/strong><\/p>\n\n\n\n

Infection Chain:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Sample Information:<\/strong><\/p>\n\n\n\n

Threat Name:<\/strong> NjRAT | Classification:<\/strong> Backdoor \/ Remote Access Trojan<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of VBScript Staged Shellcode:<\/strong><\/p>\n\n\n\n

VBScript, also known as Visual Basic Scripting Edition, is a scripting language developed by Microsoft. It is a lightweight language based on Visual Basic and is primarily utilized for scripting purposes in Windows operating systems.<\/p>\n\n\n\n

VBScript finds its application in a variety of scenarios. It is commonly embedded within web pages and executed on the client-side by web browsers that support ActiveX scripting. Additionally, VBScript is used for system administration tasks, automating repetitive processes, and developing basic desktop applications.<\/p>\n\n\n\n

We will analyze the malicious VBS sample, which is typically distributed through spam phishing emails as part of the campaign’s standard procedure.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Main Content – VBScript<\/strong><\/p>\n\n\n\n

At the start of the file, there are dotted lines indicating an unusual VBS file structure. Let’s take a brief overview of the VBS file structure.<\/p>\n\n\n\n

The structure of a VBScript (VBS) file typically follows a straightforward format, as outlined below:<\/p>\n\n\n\n

    \n
  • Declarations: <\/strong>This section includes necessary declarations and directives for the script, such as specifying the script language or including external files.<\/li>\n\n\n\n
  • Constants and Variables: <\/strong>Here, you define constants and variables that will be utilized throughout the script. Variables can be declared using the “Dim” keyword.<\/li>\n\n\n\n
  • Procedures: <\/strong>VBScript heavily relies on procedures, which are blocks of code that perform specific tasks. Procedures can be in the form of functions or subroutines. Functions return a value, while subroutines do not.<\/li>\n\n\n\n
  • Main Code: <\/strong>This section contains the primary body of the script, where the actual execution occurs. It comprises a sequence of statements, including conditionals (If-Then-Else), loops (For, While), and other instructions to accomplish specific actions.<\/li>\n\n\n\n
  • Event Handlers (Optional): <\/strong>In some cases, VBScript may include event handlers to respond to specific events, such as button clicks or form submissions.<\/li>\n<\/ul>\n\n\n\n

    In recent instances of VBS malware distribution, there has been a departure from the typical structured format. Instead, attackers employ techniques such as embedding additional files or obfuscating the script by using random variables.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Embedded Content<\/strong><\/p>\n\n\n\n

    This can be achieved by utilizing techniques like file concatenation or base64 encoding. The embedded file may contain malicious payloads or additional scripts that are executed during the VBS code execution.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    VB Execution command<\/strong><\/p>\n\n\n\n

    Upon execution, the VBScript initiates a process where it drops additional files referred to as “children files.” These files can have either a .txt extension or be heavily obfuscated .JS (JavaScript) files. The VBScript achieves this by utilizing PowerShell commands in conjunction with the Regasm.exe tool. This technique allows the malicious script to create and deploy these files, potentially containing further malicious payloads or complex obfuscated code, thereby expanding the scope and impact of the attack.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Hardcoded PowerShell Command:<\/strong><\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Initial – Indicator of Compromise for Blind Eagle sample:<\/strong><\/p>\n\n\n\n

    The VBScript contains embedded URLs that are known to be blacklisted by the majority of Security AV (Antivirus) Vendors. These URLs are typically associated with malicious websites or servers that are known to distribute malware, engage in phishing attempts, or host other harmful content.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    a) 1963.txt<\/strong><\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    b) minhacasa.tv<\/strong><\/p>\n\n\n\n

    Interesting File Names:<\/strong><\/p>\n\n\n\n

    {{<\/strong><\/p>\n\n\n\n

    NJ0000000000000000032542023(.)vbs<\/p>\n\n\n\n

    1963(.)txt<\/p>\n\n\n\n

    js<\/p>\n\n\n\n

    39b268f72696e1c7ced14f2326d0e092(.)virus<\/p>\n\n\n\n

    }}<\/strong><\/p>\n\n\n\n

    How to Thwart Blind Eagle & Similar Attacks<\/strong><\/p>\n\n\n\n

    Enhancing your cybersecurity posture involves a multi-faceted approach that safeguards your digital realm from various threats. One pivotal strategy is the adept utilization of email filters. These filters act as vigilant gatekeepers, diligently sifting through incoming messages to identify and thwart phishing attempts, ensuring that malicious emails never infiltrate your inbox.<\/p>\n\n\n\n

    Equally paramount is the conscious maintenance of software updates. Regularly hardening your system with the latest security patches will add an effective barricade against potential malware attacks. By shoring up against known vulnerabilities, you proactively hinder the exploitation of your system’s weaker points.<\/p>\n\n\n\n

    Employing dedicated Endpoint Detection & Response software constitutes another pivotal defense layer. This specialized software diligently scans your device, actively seeking out and neutralizing any emerging malware from the wild.<\/p>\n\n\n\n

    Prudent cybersecurity also involves limiting administrative privileges. By bestowing elevated access only upon those with genuine need, you mitigate the risk of privilege escalation attacks, a crucial maneuver in safeguarding your digital assets.<\/p>\n\n\n\n

    The tactic of network segmentation further bolsters your defenses. By segregating segments of your network into different zones, you inhibit lateral movement of potential attackers, thereby rendering it considerably more formidable for potential attackers to breach your critical systems. The concept of proactive monitoring emerges as a final linchpin in your cybersecurity strategy. Remaining vigilant for any anomalous activities within your network empowers you to detect and thwart potential attacks before they unleash significant harm & damage to your organization.<\/p>\n\n\n\n

    Indicators of Compromise for Blind Eagle,<\/strong><\/p>\n\n\n\n

    File Indicators<\/strong><\/p>\n\n\n\n

    8e864940a97206705b29e645a2c2402c2192858357205213567838443572f564<\/p>\n\n\n\n

    2702ea04dcbbbc3341eeffb494b692e15a50fbd264b1d676b56242aae3dd9001<\/p>\n\n\n\n

    f80eb2fcefb648f5449c618e83c4261f977b18b979aacac2b318a47e99c19f64<\/p>\n\n\n\n

    68af317ffde8639edf2562481912161cf398f0edba6e06745d90c1359554c76e<\/p>\n\n\n\n

    61685ea4dc4ca4d01e0513d5e23ee04fc9758d6b189325b34d5b16da254cc9f4<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    hxxps:\/\/www.mediafire[.]com\/file\/cfnw8rwufptk5jz\/migracioncolombiaprocesopendienteid2036521045875referenciawwwmigraciongovco.LHA\/file<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    Domain IOC<\/strong><\/p>\n\n\n\n

    hxxps:\/\/gtly[.]to\/QvlFV_zgh<\/p>\n\n\n\n

    hxxps:\/\/gtly[.]to\/cuOv3gNDi<\/p>\n\n\n\n

    hxxps:\/\/gtly[.]to\/dGBeBqd8z<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    C2 Servers<\/strong><\/p>\n\n\n\n

    laminascol[.]linkpc[.]net       <\/p>\n\n\n\n

    systemwin[.]linkpc[.]net       <\/p>\n\n\n\n

    upxsystems[.]com     <\/p>\n\n\n\n

    <\/p>\n\n\n\n

    Shellcode<\/strong><\/p>\n\n\n\n

    c63d15fe69a76186e4049960337d8c04c6230e4c2d3d3164d3531674f5f74cdf<\/p>\n\n\n\n

    353406209dea860decac0363d590096e2a8717dd37d6b4d8b0272b02ad82472e  <\/p>\n\n\n\n

    a03259900d4b095d7494944c50d24115c99c54f3c930bea08a43a8f0a1da5a2e<\/p>\n\n\n\n

    46addee80c4c882b8a6903cced9b6c0130ec327ae8a59c5946bb954ccea64a12<\/p>\n\n\n\n

    c067869ac346d007a17e2e91c1e04ca0f980e8e9c4fd5c7baa0cb0cc2398fe59<\/p>\n\n\n\n

    10fd1b81c5774c1cc6c00cc06b3ed181b2d78191c58b8e9b54fa302e4990b13d      <\/p>\n\n\n\n

    c4ff3fb6a02ca0e51464b1ba161c0a7387b405c78ead528a645d08ad3e696b12 ac1ea54f35fe9107af1aef370e4de4dc504c8523ddaae10d95beae5a3bf67716<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    MITRE ATT&CK Tactics & Techniques for Blind Eagle,<\/strong><\/p>\n\n\n\n

    ID<\/strong><\/td>Tactic<\/strong><\/td>Technique<\/strong><\/td><\/tr>
    TA0001<\/td>Initial Access<\/td>Spam Email Phishing Attachment<\/td><\/tr>
    TA0002<\/td>Execution<\/td>Windows Scripting – VBS<\/td><\/tr>
    TA0003<\/td>Persistence<\/td>Modify Registry Log-on Initialization Scripts<\/td><\/tr>
    TA0004<\/td>Privilege Escalation<\/td>Scheduled Task \/ Job DLL Side Loading<\/td><\/tr>
    TA0005<\/td>Defense Evasion<\/td>Virtualization and Sandbox Evasion Technique Obfuscated file or Information Process Injection<\/td><\/tr>
    TA0006<\/td>Credential Access<\/td>OS Credential Dumping LSASS Memory Input Capture<\/td><\/tr>
    TA0007 TA0008<\/td>Discovery Lateral Movement<\/td>System Software Discovery Process Discovery File and Directory Discovery Query Registry Security Software Discovery Remote file copy<\/td><\/tr>
    TA0009 TA0011<\/td>Collection C&C Server<\/td>Credential API Hooking Archive Collected Data Data from Local System Ingress Tool Transfer Encrypted Channels Web Protocols – Standard Application Layer Protocol Non – Application Layer Protocol<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

    Blind Eagle, also known as APT-C36, has launched a new campaign in Colombia that targets numerous industries. Check Point Research has revealed insights into this adversary’s techniques, which include the use of Meterpreter payloads supplied via targeted spear-phishing emails. The campaign explicitly targets industries such as healthcare, finance, law enforcement, immigration, and a Colombian peacekeeping […]<\/p>\n","protected":false},"author":1,"featured_media":3845,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1488"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1488\/revisions"}],"predecessor-version":[{"id":4408,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1488\/revisions\/4408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/3845"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}