The cyber espionage actor followed as blind eagle has been linked to a new multi-stage attack chain leading to the deployment of the NjRAT remote access trojan on compromised systems.
“The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics and spear phishing attacks,” ThreatMon said in a report on Tuesday.
Blind Eagle, also known as APT-C-36, is an alleged Spanish-speaking group that primarily attacks public and private sector entities in Colombia. Attacks orchestrated by the group have also targeted Ecuador, Chile and Spain.
Infection chains documented by Check Point and BlackBerry this year have revealed the use of phishing baits to deliver malware families such as BitRAT and AsyncRAT, as well as in-memory Python loaders capable of launching a Meterpreter payload .
ThreatMon’s latest discovery involves using a JavaScript unloader to run a PowerShell script hosted on the Discord CDN. The script, in turn, drops another PowerShell script and a Windows batch file, and saves a VBScript file to the Windows startup folder to achieve persistence.
The VBScript code is then executed to launch the batch file, which is then deobfuscated to run the PowerShell script that was previously delivered along with it. In the final stage, the PowerShell script is used to run njRAT.
“njRAT, also known as Bladabindi, is a user-interfaced remote access tool (RAT) or trojan that allows the owner of the program to control the end-user’s computer,” the cybersecurity firm said.
Source link
Blind Eagle Cyber Espionage Group, one of the most powerful and advanced cyber espionage groups in the world, has struck again, attacking a wide range of targets.
The latest attack, uncovered by security researchers from Ikaroa, used a complex attack chain that compromised hundreds of devices across the globe. The attack, which began on April 4th, is believed to have originated from China’s Guangdong province, but the Blind Eagle group is believed to be based in North Korea.
The attack chain started with phishing emails containing malicious attachments. The initial payload was designed to create a backdoor on the target system, which allowed the threat actors to gain access to the device. They were then able to spread further across the network, enabling them to steal information and data as well as perform other malicious activities.
Once inside a targeted system, the group used an array of tools and techniques to exfiltrate sensitive data, including keylogging, remote control, and custom malware.
The group’s use of malicious payloads and sophisticated attack techniques, as well as their global reach and access to multiple networks, has made them a particularly dangerous threat.
Ikaroa’s mission is to help protect organizations, critical infrastructure, and individuals from cyberattacks and cyber espionage. To accomplish this, our security researchers are constantly monitoring the cyber landscape, identifying emerging threats and developing solutions to protect against them.
In this case, we detected the activity of the Blind Eagle group early and were able to identify the attack chain and trace its origin. We are continuing to monitor the situation and remain vigilant in our efforts to protect our customers from similar incidents.
