
Earth Bogle Targets Middle East and North African Orgs With NjRAT

An active campaign has been observed using Middle Eastern geopolitical-themed lures to spread NjRAT (aka Bladabindi). The attackers are targeting potential victims in North Africa and the Middle East.

Earth Bogle: An active campaign

Trend Micro researchers have dubbed the campaign Earth Bogle and report that it has been ongoing since at least mid-2022.
  • Earth Bogle uses public cloud storage services such as failiem[.]lv to host the malicious CAB files, while the NjRAT payload itself is served from compromised web servers.
  • The lure archives (CAB files) used in the campaign have very low detection rates on VirusTotal, which lets the attackers stay undetected and keep spreading.

How is NjRAT delivered?

The attackers behind this campaign use public cloud hosting services to host malicious CAB files and rely on geopolitical-themed lures to bait Arabic speakers into opening them.
  • One such lure is a CAB file pretending to contain a sensitive voice call between a member of the Tariq bin Ziyad (TBZ) Militia and a UAE military officer.
  • Opening the file executes a second-stage dropper (a PowerShell script) on the victim's machine.
  • That script in turn retrieves the final PowerShell dropper, which loads the NjRAT binary directly into memory without writing it to disk.
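Because the chain starts with a CAB archive opened by the victim, one check a defender can run before opening an archive from a public source is to list its file table and flag members that would execute code. The following Python is an added example, not code from Trend Micro's report or from this page: it parses the CFHEADER and CFFILE structures as laid out in Microsoft's Cabinet format specification, never decompresses any CFDATA block (so it is safe on untrusted input), and the sample archive it builds in memory, including its member names and sizes, is constructed for illustration and is not a real Earth Bogle lure.

```python
"""List and triage the members of a Microsoft Cabinet (.cab) file without extracting it."""
import struct
import sys

MSCF = b"MSCF"
# Extensions that would run code if double-clicked after extraction (example policy, not from the report).
SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".bat", ".cmd", ".lnk", ".exe", ".dll", ".scr")

# CFHEADER (36 bytes, little-endian): signature, reserved1, cbCabinet, reserved2,
# coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFOLDER (8 bytes): coffCabStart, cCFData, typeCompress
CFFOLDER = struct.Struct("<IHH")
# CFFILE fixed part (16 bytes): cbFile, uoffFolderStart, iFolder, date, time, attribs; then szName\0
CFFILE = struct.Struct("<IIHHHH")
ATTR_NAME_IS_UTF8 = 0x80


def _read_cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def list_cab_entries(data):
    """Return [(name, uncompressed_size, folder_index), ...] from the CFFILE table.

    coffFiles in the header points straight at the file table, so the optional
    reserve area and prev/next cabinet strings never need to be walked.
    """
    if len(data) < CFHEADER.size or data[:4] != MSCF:
        raise ValueError("not a CAB file (missing MSCF signature)")
    (_, _, cb_cabinet, _, coff_files, _, _, _,
     c_folders, c_files, _flags, _, _) = CFHEADER.unpack_from(data, 0)
    if c_folders == 0 or coff_files >= len(data):
        raise ValueError("malformed CAB header (no folders or coffFiles out of range)")
    off = coff_files
    entries = []
    for _ in range(c_files):
        if off + CFFILE.size > len(data):
            raise ValueError("truncated CFFILE table")
        cb_file, _uoff, i_folder, _date, _time, attribs = CFFILE.unpack_from(data, off)
        raw_name, off = _read_cstring(data, off + CFFILE.size)
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF8 else "cp1252"
        entries.append((raw_name.decode(encoding, errors="replace"), cb_file, i_folder))
    return entries


def suspicious_members(entries):
    """Names of members whose extension is on the executable/script list."""
    return [name for name, _, _ in entries if name.lower().endswith(SCRIPT_EXTENSIONS)]


def scan(data):
    """Parse a CAB blob and return the flagged member names (empty list == nothing flagged)."""
    return suspicious_members(list_cab_entries(data))


def build_minimal_cab(names, sizes=None):
    """Construct a structurally valid CAB header, one folder and a file table with no CFDATA.

    Constructed for this example only: enough for list_cab_entries to parse, not a real archive.
    """
    files = b""
    for i, name in enumerate(names):
        size = sizes[i] if sizes else 0
        # attribs 0x20 = archive bit; name stored in the ANSI code page
        files += CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode("cp1252") + b"\x00"
    files_off = CFHEADER.size + CFFOLDER.size
    total = files_off + len(files)
    header = CFHEADER.pack(MSCF, 0, total, 0, files_off, 0, 3, 1, 1, len(names), 0, 0, 0)
    folder = CFFOLDER.pack(total, 0, 0)  # no data blocks, compression type 0 (none)
    return header + folder + files


# Constructed sample: a decoy audio clip beside a PowerShell dropper, mirroring the lure pattern above.
SAMPLE_CAB = build_minimal_cab(["voice_call.mp3", "play_voice_call.ps1"], [204800, 3120])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAB
    for name, size, folder in list_cab_entries(blob):
        print(f"{name:40s} {size:10d} bytes  folder={folder}")
    flagged = scan(blob)
    print("FLAGGED:", ", ".join(flagged) if flagged else "none")
```

Run it with a path to a real .cab to print the file table and any flagged members; with no argument it scans the constructed sample. The check is deliberately header-only: a lure whose member names look benign still needs a sandbox or AV scan, but an archive that openly carries a .ps1 or .vbs next to a "voice recording" should never be opened on a workstation.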

Conclusion

The researchers have warned regional organizations to stay vigilant against phishing attacks, specifically emails from unknown sources with sensational topics. Archive files such as CAB files obtained from public sources should be scanned with anti-malware tools before their contents are opened. Organizations should also train employees at regular intervals to identify and respond to such threats.
Publisher: Cyware