This emulation was created for the 2023 BlackHat presentation 🎩 Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations. The presentation focused on how to combine CTI and red team development capabilities for adversary emulation.
The ATT&CK Evaluations team created the scenario below from techniques Blind Eagle has used in the wild, based on open-source reporting, and adapted it to the tools and resources available at the time. The emulation was researched, developed, and presented by one Windows SME red team developer, one CTI analyst, and one technical lead over two months, while each spent 50% of their time on other work. The goal was to provide a simpler emulation example for teams facing limited resources, so this emulation is less complex than others in the Adversary Emulation Library.
This page contains a high-level overview of the Blind Eagle scenario and its diagram, as well as the full step-by-step plan (Steps 0 through 5) created by the CTI analyst.
The scenario follows a Blind Eagle cyberattack against a Colombian target. Blind Eagle gains initial access when the user opens a link in a file delivered by spearphishing. Once execution is obtained and persistence is installed, Blind Eagle downloads and executes AsyncRAT for further actions on objective. Characteristics of the campaign include social engineering, modified open-source RATs, compromise of a single workstation, and theft of browser credentials.
Steps | User Story | Software | Reporting |
---|---|---|---|
Step 0 - Initial Compromise | Blind Eagle gains an initial foothold on the victim's system via spearphishing (T1566.001). The attackers send an email containing a password-protected PDF, with the password provided in the email body. The sender address spoofs the Colombian National Directorate of Taxes and Customs (DIAN), a legitimate Colombian government agency. | Browser-based Outlook instance; Adobe Acrobat | BlackBerry - Feb 2023; Check Point Research - Jan 2023; QiAnXin Threat Intelligence Center - Feb 2019; Lab 52 - 2020; TrendMicro - Sept 2021; SCILabs MX - June 2022 |
Step 1 - Execution | The non-admin user enters the password to open the PDF, which contains a fake DIAN notification about outstanding tax payments owed by the user. The document prompts the user to click a link (T1566.002, T1204.001). The link downloads a second item, a password-protected RAR archive named "factura-228447578537.pdf.uue" that uses a double file extension to masquerade as a PDF while actually being a UUE archive (T1036.007). The download is served from a Discord CDN (T1102). The user double-clicks the file, which executes the VBS script ("factura-22844758537.pdf.vbs") via wscript.exe and triggers the persistence mechanism (T1204.002, T1059.005). | AsyncRAT; PowerShell; VBScript; WinRAR | BlackBerry - Feb 2023; Check Point Research - Jan 2023; Lab 52 - 2020; TrendMicro - Sept 2021; SCILabs MX - Jul 2022; ThreatMon - Apr 2023; Lab 52 - Mar 2023 |
Step 2 - Infection | Once the user executes the VBScript, the rest of the chain runs without further user interaction. The VBScript uses PowerShell to download fiber.dll, which is Base64-encoded (T1059.001, T1132.001). fiber.dll runs its VAI method with an obfuscated URL that resolves to a file named "asy.txt", the obfuscated AsyncRAT payload (T1132.001, T1027). fiber.dll then downloads Fsociety.dll, disguised under the filename "Rump.xls" and again Base64-encoded (T1132.001, T1036.008). Using fiber.dll and PowerShell (T1059.001), the adversary deobfuscates the URL to the .txt file, then downloads and executes the decoded Fsociety.dll (T1140). AsyncRAT is injected into the legitimate RegSvcs.exe via process hollowing so that it runs under that process name (T1055.012, T1218.009). | AsyncRAT; PowerShell; VBScript; RegSvcs.exe; Fsociety.dll; fiber.dll | BlackBerry - Feb 2023; DCiber - Jun 2022; Lab 52 - Mar 2023; EcuCERT - 2022; GitHub - AsyncRAT |
Step 3 - Command and Control | Once the AsyncRAT payload is decrypted (T1132.001, T1140), it reveals that the C2 infrastructure is hosted on a Duck DNS domain and communicates over port 1523 (T1568, T1571). The payload communicates with the C2 using RSA (SHA512) (T1573.002). | AsyncRAT | BlackBerry - Feb 2023; Lab 52 - 2020; SCILabs MX - Jul 2022; Lab 52 - Mar 2023; GitHub - AsyncRAT |
Step 4 - Establish Persistence & Privilege Escalation | Next, Blind Eagle establishes persistence on the host. Because the user is non-admin, the attackers use fiber.dll to leverage Windows Script Host to copy the VBS loader to the Windows Temp folder (T1570), and use fiber.dll to create a .lnk file in the user's Startup folder (T1547.001, T1059.003). | AsyncRAT | BlackBerry - Feb 2023; ThreatMon - Apr 2023; DCiber - Jun 2022; SCILabs MX - Jul 2022; GitHub - AsyncRAT; Secure Soft - Apr 2023 |
Step 5 - Credential Access | Blind Eagle then uses AsyncRAT to keylog and steal information from the victim's web browser (T1056.001), specifically browser credentials (T1555.003). Finally, the attackers navigate to the victim's online banking portal and use the keylogged credentials to log in as the victim (T1056.001). | AsyncRAT; Edge browser | GitHub - AsyncRAT; DCiber - Jun 2022; QiAnXin Threat Intelligence Center - Feb 2019; DCiber - Mar 2023; Check Point Research - Jan 2023; SCILabs MX - Jul 2022 |