APT-C-36, also known as Blind Eagle, is believed to be a South American espionage group that has been operational since 2018. The group's targets include government institutions in South America (primarily Colombia), as well as significant corporations in the financial, petroleum, and professional manufacturing sectors. Their primary mode of initial payload delivery has consistently been government-themed phishing emails. APT-C-36 is known for its extensive and intricate use of Remote Access Trojans (RATs) to achieve its actions on objectives, and over time the group has shifted from one RAT to another.
In an ongoing phishing campaign used to deliver QuasarRAT, APT-C-36 has been targeting victims in Colombia. These emails masquerade as being from Colombian government bodies such as the Ministry of Foreign Affairs or the Ministry of Transport.
Infection Flow Chart
The infection starts with the victim receiving an email purporting to come from the Colombian Ministry of Transport, stating that a speed limit violation has been recorded, that the recipient has been summoned to a virtual court, and that a copy of the court appearance notice is attached for more information.
The malicious file COMPARENDO24755693025.pdf contains a Geo Targetly URL-shortener link, a service that routes visitors to region-specific destinations based on their location. If the request originates from Colombia, the server redirects the client to MediaFire, which hosts the malware. If the request originates from any location other than Colombia, the server redirects the client to the official National Transit Registry website.
The file hosted on MediaFire is a password-protected LHA archive containing the APT-C-36 customized Quasar RAT payload, a packed .NET Windows executable. The password needed to extract the LHA archive is given both in the phishing email and in the PDF attachment.
Upon execution, the payload first establishes persistence on the victim host by adding itself to the Startup folder, creating a Run key, and creating a scheduled task. It then deletes all volume shadow copies on the system, which disrupts system recovery in the event of corruption and hampers evidence recovery during forensic analysis.
To evade detection, the malicious executable disables the Windows Defender Antivirus Service and tampers with its real-time protection and other key features by modifying the registry. It also attempts to elevate process privileges by bypassing User Account Control (UAC).
Furthermore, in a rather artless and uncomplicated manner, it initiates a sleep sequence to evade sandbox detection: it drops a .bat script in the AppData\Local directory, which cmd.exe executes to run "chcp 65001 && ping -n 10 localhost".
The payload then creates a duplicate of itself that launches from the AppData\Local or AppData\Roaming directory and repeats the same operations as the original executable described above. Following this, it establishes DNS communication with its C2 server.
We also observe network events to a Pastebin URL that returns the following apparently encrypted data.
APT-C-36 has previously been observed downloading its next-stage malware from text-only services such as Pastebin, which gives the actor the advantage of changing the code on the fly. Without the decryption key we are unable to decrypt the data to obtain the next payload, but according to available information the adversary loads the malware into memory without writing it to disk and carries on with its primary objective: intercepting the victim's access to their bank accounts.
After analyzing samples from various sources and consulting published research, we identified the following existing NetWitness detections that help identify not only APT-C-36's malicious activity but also that of other adversaries employing similar techniques.
Application Rules (Endpoint):
- boc = host traffic to external ip checker (Packet, Endpoint)
- boc = creates local task
- boc = creates run key
- boc = modifies run key
- boc = deletes shadow volume copies
- boc = runs tasks management tool
- boc = runkey persistence
- boc = unsigned writes executable to appdatalocal directory
- boc = unsigned writes executable to appdataroaming directory
- boc = outbound from unsigned appdata directory
- boc = quasarrat sleep sequence using ping utility
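As an added illustration of how the host behaviours described above map onto detections like the ones listed here, the following Python evaluates a set of constructed process-creation events against regex rules named after the "boc" rules above. This is not NetWitness rule syntax or the blog's own code; the event schema (image, cmdline, signed) and the sample events are assumptions.

```python
import re

# Detection rules modelled on the "boc" rule names above; each maps a rule
# name to a case-insensitive regex over the process command line.
RULES = {
    "deletes shadow volume copies":
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete",
    "creates local task":
        r"schtasks(\.exe)?\s+.*/create",
    "creates run key":
        r"reg(\.exe)?\s+add\s+.*\\currentversion\\run\b",
    "quasarrat sleep sequence using ping utility":
        r"chcp\s+65001\s*&&\s*ping\s+-n\s+\d+\s+localhost",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}
# Unsigned binaries running out of a user's AppData tree (hypothetical rule,
# modelled on the "unsigned ... appdata" rules above).
APPDATA_RE = re.compile(r"\\appdata\\(local|roaming)\\", re.IGNORECASE)

def evaluate(event):
    """Return the rule names an event matches; event keys (assumed schema):
    image (str), cmdline (str), signed (bool)."""
    hits = [n for n, rx in COMPILED.items() if rx.search(event["cmdline"])]
    if not event["signed"] and APPDATA_RE.search(event["image"]):
        hits.append("unsigned executable running from appdata directory")
    return hits

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Roaming\comparendo.exe", "signed": False,
     "cmdline": r'"C:\Users\victim\AppData\Roaming\comparendo.exe"'},
    {"image": r"C:\Windows\System32\vssadmin.exe", "signed": True,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\schtasks.exe", "signed": True,
     "cmdline": r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Users\victim\AppData\Local\svc.exe"'},
    {"image": r"C:\Windows\System32\reg.exe", "signed": True,
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "C:\Users\victim\AppData\Local\svc.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe", "signed": True,
     "cmdline": "cmd.exe /c chcp 65001 && ping -n 10 localhost"},
    {"image": r"C:\Windows\System32\notepad.exe", "signed": True,
     "cmdline": "notepad.exe report.txt"},  # benign control, should not match
]

def triage(events=SAMPLE_EVENTS):
    """Map each event's command line to the rules it triggered (empty if benign)."""
    return {e["cmdline"]: evaluate(e) for e in events}

if __name__ == "__main__":
    for cmd, hits in triage().items():
        print(("ALERT " if hits else "ok    ") + repr(cmd[:60]) + " -> " + str(hits))
```

In a real deployment the same logic would be expressed in the platform's rule language and fed by endpoint telemetry; the regexes here are deliberately narrow to the behaviours this campaign exhibits.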
In addition to the existing content, we have also created new rules to better detect host and network activity related to APT-C-36. All of the following are currently available from NetWitness Live:
- APT-C-36 Persistence via Scheduled Task (App Rule - Endpoint)
- APT-C-36 Persistence via Run Key (App Rule - Endpoint)
- APT-C-36 Drops Batch Script (App Rule - Endpoint)
- APT-C-36 Host Traffic to PasteBin (App Rule - Endpoint)
- APT-C-36 Sandbox Evasion Detected (ESA Rule - Endpoint)
- APT-C-36 C2 Communication (App Rule - Endpoint)
- [Community] APT-C-36 YARA Rules
MITRE ATT&CK Techniques
- T1016.001 - Internet Connection Discovery
- T1053.005 - Scheduled Task
- T1547.001 - Registry Run Keys / Startup Folder
- T1490 - Inhibit System Recovery
- T1204.002 - Malicious File
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1497.003 - Time Based Evasion
- T1588.002 - Tool
- T1027 - Obfuscated Files or Information
- T1027.002 - Software Packing
- T1105 - Ingress Tool Transfer
- T1071 - Application Layer Protocol
- T1102 - Web Service
Since its emergence, APT-C-36 appears to have become more efficient at propagating malware while avoiding detection through illegitimate use of well-known web services and publicly available tooling. Although the group does not seem to target as many countries or political institutions as other espionage groups, its recent activity suggests it may broaden its victim base in the near future.
The resources mentioned in this blog post will help security teams monitor, detect and respond to this activity using the NetWitness Platform XDR.
Indicators of Compromise (IOCs)