The threat actor known as Blind Eagle was observed using a malware loader called Ande Loader to deliver remote access trojans (RATs) such as Remcos RAT and NjRAT.
The attacks, which take the form of phishing emails, targeted Spanish-speaking users in the North American-based manufacturing industry, eSentire said.
Blind Eagle (also known as APT-C-36) is a financially motivated threat actor that has a history of orchestrating cyberattacks against entities in Colombia and Ecuador to deliver an assortment of RATs, including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.
The latest findings highlight an expansion of the attackers' reach, with phishing emails carrying RAR and BZ2 archives used to kick off the infection chain.
Password-protected RAR archives come with a malicious Visual Basic Script (VBScript) file that is responsible for establishing persistence in the Windows Startup folder and launching Ande Loader, which, in turn, loads the Remcos RAT payload.
In an alternative attack sequence observed by the Canadian cybersecurity firm, a BZ2 archive containing a VBScript file is distributed via a Discord Content Delivery Network (CDN) link. The Ande Loader malware, in this case, drops NjRAT instead of Remcos RAT.
“Blind Eagle threat actors used crypters written by Roda and Pjoao1578,” eSentire said. “One of the crypters developed by Roda has a hardcoded server that hosts both the crypter injector components and additional malware used in the Blind Eagle campaign.”
The development comes as SonicWall shed light on the inner workings of another malware family called DBatLoader, detailing its use of a legitimate but vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to terminate security solutions as part of a Bring Your Own Vulnerable Driver (BYOVD) attack and ultimately deliver Remcos RAT.
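The chain described above (a VBScript dropped into the Startup folder, a script host fetching the next stage from a Discord CDN link, and a known-abusable driver such as truesight.sys being loaded) maps onto three host-telemetry checks. The detection below is an added example, not code from eSentire or SonicWall; the events are constructed Sysmon-style records, and the Discord CDN hostname cdn.discordapp.com is an assumption since the reporting names only "a Discord CDN link".

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry for illustration only; paths and user names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "WINWORD.EXE /n"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "cdn.discordapp.com"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "cdn.discordapp.com"},
    {"type": "driver", "image_loaded": r"C:\Users\ana\AppData\Local\Temp\truesight.sys"},
    {"type": "driver", "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs referenced from a per-user or all-users Startup folder (persistence step from the article).
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\"']*\.vbs", re.IGNORECASE)
DISCORD_CDN = "cdn.discordapp.com"        # assumed Discord CDN hostname (not given in the article)
KNOWN_ABUSED_DRIVERS = {"truesight.sys"}  # RogueKiller AntiMalware driver named in the SonicWall write-up


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, detail) pairs for events matching the three stages of the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) in SCRIPT_HOSTS \
                and STARTUP_VBS.search(ev["cmdline"]):
            findings.append(("vbscript_startup_persistence", ev["cmdline"]))
        elif ev["type"] == "network" and basename(ev["image"]) in SCRIPT_HOSTS \
                and ev["dest_host"].lower() == DISCORD_CDN:
            # A browser reaching the CDN is normal; a script host doing so is the loader stage.
            findings.append(("script_host_discord_cdn_download", ev["dest_host"]))
        elif ev["type"] == "driver" and basename(ev["image_loaded"]) in KNOWN_ABUSED_DRIVERS:
            # Signed but vulnerable driver loaded on a host that does not run RogueKiller: BYOVD.
            findings.append(("byovd_driver_load", ev["image_loaded"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On a real fleet, the driver rule should be suppressed on hosts where RogueKiller AntiMalware is legitimately installed, and the CDN rule extended to any download-capable LOLBin, not just the Windows script hosts.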
“The malware is received within an archive as an email attachment and is highly obfuscated and contains multiple layers of encrypted data,” the company noted earlier this month.