Σε μια ανησυχητική εξέλιξη για την ασφάλεια στον κυβερνοχώρο, η ομάδα απειλής γνωστή ως Blind Eagle, also identified as APT-C-36, έχει εντείνει τις κακόβουλες δραστηριότητές της. This financially driven collective has been deploying an advanced malware, dubbed Ande Loader, to infiltrate systems with remote access trojans (RATs) such as Remcos RAT and NjRAT. This tactic marks a significant evolution in their method of operation, primarily affecting Spanish-speaking individuals within the manufacturing sector across North America.
Ande Loader Attacks by Blind Eagle
According to cybersecurity experts at eSentire, this latest spree of attacks leverages phishing emails as its primary vector. These emails, cleverly disguised to deceive recipients, contain password-protected archives in RAR and BZ2 formats. When unsuspectingly opened, these archives release a malicious Visual Basic Script (VBScript) file. This script not only ensures the malware’s persistence by embedding itself within the Windows Startup folder but also initiates the Ande Loader, consequently deploying the RAT payloads.
Blind Eagle’s history of cyber incursions reveals a pattern of attacks targeting entities in Colombia and Ecuador, employing a variety of RATs, συμπεριλαμβανομένου AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT, to fulfill its financial motives. This latest series of attacks signifies an expansion of the group’s geographic and industrial targeting, posing a heightened threat to the manufacturing industry in North America.
In a notable alternative attack method, eSentire observed the distribution of a VBScript file via a BZ2 archive, this time through a link provided on the Discord content delivery network (CDN). This method diverges by delivering NjRAT instead of Remcos RAT, showcasing the threat actor’s versatility and adaptability in exploiting various digital platforms to conduct its operations.
Ιός επέκτασης Chrome SwiftSeek
Our researchers recently came across SwiftSeek, a browser extension found in an installer promoted by a misleading webpage during a routine check of suspicious sites. Browser hijackers like SwiftSeek change…
Ιός φωνής (.Η φωνή του αρχείου) Ransomware
Ο ιός Hlas είναι ένα νέο μέλος της οικογένειας ransomware STOP/Djvu που στοχεύει υπολογιστές με Windows. Προκαλεί σημαντική αναστάτωση κρυπτογραφώντας αρχεία και προσαρτώντας ένα “.Φωνή” επέκτασή τους…
Further complicating the cybersecurity landscape, eSentire’s investigations reveal that Blind Eagle has utilized crypters developed by individuals known as Roda and Pjoao1578. These crypters, sophisticated in their design, play a crucial role in concealing the malware, with one specific crypter by Roda found to be directly linked to the malware and additional malicious payloads used in Blind Eagle’s campaigns.
In a broader context of cybersecurity threats, SonicWall’s recent insights into another malware family, DBatLoader, highlight the intricate methods employed by cybercriminals. DBatLoader utilizes a legitimate, yet vulnerable driver from RogueKiller AntiMalware software to bypass security solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD), ultimately facilitating the delivery of Remcos RAT.
Conclusion
This escalation in cyber attacks, characterized by increasingly sophisticated methods and a broader targeting scope, underscores the urgent need for enhanced cybersecurity measures and awareness. Organizations, particularly in the manufacturing sector, are advised to remain vigilant, adopt comprehensive security protocols, and educate their workforce on recognizing and mitigating phishing threats to safeguard against these evolving digital dangers.