
Blind Eagle Cyber Espionage Group Strikes Again – New Attack Chain Uncovered


A novel multi-stage attack chain that leads to the installation of the njRAT remote access trojan on compromised systems has been linked to the cyber espionage actor known as Blind Eagle.

“The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks,” ThreatMon said in a Tuesday report.


Blind Eagle, also referred to as APT-C-36, is a suspected Spanish-speaking group that chiefly strikes private and public sector entities in Colombia. Attacks orchestrated by the group have also targeted Ecuador, Chile, and Spain.

Infection chains documented by Check Point and BlackBerry this year have revealed the use of spear-phishing lures to deliver commodity malware families like BitRAT, AsyncRAT, and in-memory Python loaders capable of launching a Meterpreter payload.


The latest discovery from ThreatMon entails the use of a JavaScript downloader to execute a PowerShell script hosted on the Discord CDN. The script, in turn, drops another PowerShell script and a Windows batch file, and saves a VBScript file in the Windows startup folder to achieve persistence.


New Attack Chain

The VBScript code is then run to launch the batch file, which is subsequently deobfuscated to run the PowerShell script that was previously delivered along with it. In the final stage, the PowerShell script is used to execute njRAT.

“njRAT, also known as Bladabindi is a remote access tool (RAT) with user interface or trojan which allows the holder of the program to control the end-user’s computer,” the cybersecurity firm said.
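The chain described above leaves a recognisable sequence in endpoint telemetry. The following is an added example, not taken from ThreatMon's report: it correlates, per host, a script host starting PowerShell with a Discord CDN URL, a VBScript written to the Startup folder, the script host running a batch file, and the batch file starting PowerShell. The Sysmon-like event shape, the stage names, the threshold, and all sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed event shape (Sysmon-like): id 1 = process create, id 11 = file create.
STARTUP = r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.vb[se]$"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def base(path):  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to a stage of the reported chain, or None."""
    if ev["id"] == 11:
        return "startup_vbs" if re.search(STARTUP, ev["target"].lower()) else None
    if ev["id"] != 1:
        return None
    parent, image, cmd = base(ev["parent"]), base(ev["image"]), ev["cmd"].lower()
    if parent in SCRIPT_HOSTS and image in POWERSHELL and "cdn.discordapp.com" in cmd:
        return "script_host_ps_discord"
    if parent in SCRIPT_HOSTS and image == "cmd.exe" and re.search(r"\.(bat|cmd)\b", cmd):
        return "vbs_runs_batch"
    if parent == "cmd.exe" and image in POWERSHELL:
        return "batch_runs_ps"  # noisy on its own, only useful when correlated
    return None

def detect_chain(events, min_stages=3):
    """Return {host: [stages in order seen]} for hosts matching >= min_stages stages."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in seen[ev["host"]]:
            seen[ev["host"]].append(stage)
    return {h: s for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample events (not taken from the ThreatMon report).
SAMPLE = [
    {"ts": 1, "host": "WS-01", "id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <args> https://cdn.discordapp.com/attachments/EXAMPLE/a.ps1"},
    {"ts": 2, "host": "WS-01", "id": 11, "target":
     r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.vbs"},
    {"ts": 3, "host": "WS-01", "id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\u.bat"'},
    {"ts": 4, "host": "WS-01", "id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe <args>"},
    {"ts": 5, "host": "WS-02", "id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe Get-Date"},
]
```

Calling `detect_chain(SAMPLE)` flags only WS-01, because WS-02 shows a single stage (cmd.exe starting PowerShell) that is common in normal administration.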
