.jpg "Malware loader")
A threat actor named Blind Eagle was observed using loader malware called Ande Loader to spread remote access Trojans (RATs) such as Remcos RAT and NjRAT.
eSentire said the attacks took the form of phishing emails targeting Spanish-speaking users in the North American manufacturing industry.
Blind Eagle (also known as APT-C-36) is a financially motivated threat actor that has orchestrated cyberattacks against entities in Colombia and Ecuador to deliver various RATs, including AsyncRAT, BitRAT, Lime RAT, NjRAT , Remcos RAT, and Quasar RAT.
The latest findings mark an expansion of the threat actor’s target footprint, also leveraging phishing with RAR and BZ2 archives to activate infection chains.
The password-protected RAR archive is accompanied by a malicious Visual Basic Script (VBScript) file, which is responsible for establishing persistence in the Windows startup folder and launching the Ande Loader, which in turn loads the Remcos RAT payload.
In another attack sequence observed by a Canadian cybersecurity firm, BZ2 files containing VBScript files were distributed via Discord content delivery network (CDN) links. In this case, the Ande Loader malware deletes NjRAT instead of Remcos RAT.
“Blind Eagle threat actors have been using ciphers written by Roda and Pjoao1578,” eSentire said. “One of the ciphers developed by Roda has a hardcoded server, an injector component that hosts the cipher, and a cipher used in the Blind Eagle campaign. Other malware.”
This development comes as SonicWall reveals the inner workings of another loader malware family called DBatLoader, detailing its use of a legitimate but vulnerable driver related to the RogueKiller AntiMalware software (truesight.sys). Terminate security software as part of Bring Your Your Own. Own Vulnerability Driver (BYOVD) attack and ultimately deliver Remcos RAT.
“The malware was received as an email attachment in a file and was highly obfuscated and contained multiple layers of encrypted material,” the company said earlier this month.
