This emulation was created for the 2023 BlackHat presentation 🎩 , Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations. This presentation focused how to combine CTI and red development team capabilities for adversary emulation.

The ATT&CK Evaluation team created the below scenario leveraging techniques seen from Blind Eagle in the wild based on open-source reporting. We have adapted the scenario based on tools and resources available at the time. This emulation was researched, developed, and presented with one Windows SME Red Team developer, one CTI Analyst, and one Technical lead in 2 months while working on other work 50% of their time. Our goal was to provide a simpler emulation example when faced with limited resources. Therefore, this emulation is less complicated than other emulations represented in the ATTACK Evaluations Library.

This page contains a high-level overview of our Blind Eagle scenario and related diagram, as well as the full 5-step plan created by our CTI analyst.

# Emulation Scenario 📖

This scenario follows Blind Eagle's cyberattack against a Colombian target. Blind Eagle will gain initial access via user execution of a link in a file sent via spearphishing. Once execution is obtained and persistence installed, Blind Eagle downloads and executes the AsyncRAT for additional actions on objective. Characteristics of this campaign include social engineering, open-source modified RATs, exploitation of a single workstation, and theft of browser credentials.

Software Flow Diagram
Software Flow Diagram

# Scenario Steps👣

Steps User Story Software Reporting
Step 0 - Initial Compromise Blind Eagle gains an initial foothold into the victim’s system via spearphishing (T1566.001). The attackers send an email containing a password-protected PDF, and the password is provided in the email’s content. The sender address spoofs the Colombian National Directorate of Taxes and Customs (DIAN), a legitimate Colombian government agency. Browser-based Outlook instance

Adobe Acrobat
BlackBerry - Feb 2023

Check Point Research - Jan 2023

QiAnXin Threat Intelligence Center - Feb 2019

Lab 52 - 2020

TrendMicro - Sept 2021

SCILabs MX - June 2022
Step 1 - Execution The non-admin user will enter the password to open the PDF, which contains a fake notification from DIAN regarding outstanding tax payments owed by the user. The document prompts the user to click a link (T1566.002, T1204.001). This link will download a second item, which is a password protected RAR archive - "factura-228447578537.pdf.uue" - that utilizes double file extensions (masquerades as a PDF but really is a UUE) (T1036.007). The site will download the AsyncRAT payload from a Discord CDN (T1102). The user will double click the file, which prompts the execution of VBS script ("factura-22844758537.pdf.vbs") via wscript.exe and trigger the persistence mechanism (T1204.002, T1059.005). AsyncRAT

PowerShell

Visual Basic

WinRAR
BlackBerry - Feb 2023

Check Point Research - Jan 2023

Lab 52 - 2020

TrendMicro - Sept 2021

SCILabs MX - Jul 2022

ThreatMon - Apr 2023

Lab 52 - Mar 2023
Step 2 - Infection Once the user manually executes the VBScript, a series of automatic actions will occur. Specifically, the VBScript will use Powershell to download fiber.dll, which is encoded via Base64 (T1059.001, T1132.001). The fiber.dll will run the VAI method with an obfuscated URL that resolves to a file named "asy.txt," which is the AsyncRAT obfuscated payload ([T1132.001, T1027). Next, fiber.dll will download fsociety.dll (disguised under filename "Rump.xls"), which is again encoded via Base64 (T1132.001), T1036.008). Next, the adversary will use fiber.dll and PowerShell (T1059.001) to deobfuscate the URL that resolves to the .txt file, and then downloads and executes the decoded Fsociety.dll (T1140). AsyncRAT will masquerade as the legitimate RegSvcs.exe process via process hollowing (T1055.012, T1218.009). AsyncRAT

Powershell

Visual Basic

RegSvcs.exe

Fsociety.dll

fiber.dll
BlackBerry - Feb 2023

DCiber - Jun 2022

Lab 52 - Mar 2023

EcuCERT - 2022

GitHub - AsyncRAT
Step 3 - Command and Control Once the AsyncRAT payload is decrypted (T1132.001, T1140), it shows that the C2 infrastructure is hosted on a site using Duck DNS services and leverages communications over port 1523 (T1568, T1571). The payload will communicate with the C2 via RSA (SHA512) (T1573.002). AsyncRAT BlackBerry - Feb 2023

Lab 52 - 2020

SCILabs MX - Jul 2022

Lab 52 - Mar 2023

GitHub - AsyncRAT
Step 4 - Establish Persistence & Privilege Escalation Next, Blind Eagle will look to establish persistence on the host device. Given that the user is non-admin, the attackers use fiber.dll to leverage Windows Script Host to copy the VBS loader to Windows Temp folder (T1570). The attackers also use fiber.dll to create a .lnk file in the user's startup folder (T1547.001, T1059.003). AsyncRAT BlackBerry - Feb 2023

ThreatMon - Apr 2023

DCiber - Jun 2022

SCILabs MX - Jul 2022

GitHub - AsyncRAT

Secure Soft - Apr 2023
Step 5 - Credential Access Blind Eagle will then utilize AsyncRAT to conduct keylogging and steal information from the victim’s web browser (T1056.001). Specifically, the malware will be used to steal browser credentials (T1555.003). Finally, the attackers will navigate to the victim's online banking portal and use the previously keylogged credentials to gain admin access to the site (T1056.001). AsyncRAT

Edge browser
GitHub - AsyncRAT

DCiber - Jun 2022

QiAnXin Threat Intelligence Center - Feb 2019

DCiber - Mar 2023

Check Point Research - Jan 2023

SCILabs MX - Jul 2022