A loader malware application called Ande Loader was utilized by the threat actor identified as Blind Eagle to distribute remote access trojans (RATs) such as Remcos RAT and NjRAT.

eSentire reported that the attacks, which take the form of fraudulent emails, targeted Spanish-speaking users in the North American manufacturing industry.

A massive cyberattack impacts 43 million employees in France.

Financially motivated threat actor Blind Eagle (also known as APT-C-36) has a track record of orchestrating cyber assaults against organizations in Ecuador and Colombia in order to distribute a variety of RATs, such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT.

The most recent discoveries indicate that the threat actor has broadened its scope of attack, in addition to utilizing phishing attacks that utilize RAR and BZ2 archives to initiate the infection chain.

The password-protected RAR archives contain a malevolent Visual Basic Script (VBScript) file. This file initiates the Ande Loader, which extracts the Remcos RAT payload, and establishes persistence in the Windows Startup subdirectory.

A Canadian cybersecurity firm has identified an alternative attack sequence in which a VBScript file is concealed within a BZ2 archive that is distributed through a Discord content delivery network (CDN) link. In this instance, the Ande Loader malware distributes NjRAT rather than Remcos RAT.

“Blind Eagle threat actor(s) have been using crypters written by Roda and Pjoao1578,” eSentire reported. “One of the crypters developed by Roda has the hardcoded server hosting both injector components of the crypter and additional malware that was used in the Blind Eagle campaign.”

A Canadian court orders a LockBit ransomware hacker to pay $860,000 following a guilty plea.

This development coincides with SonicWall’s disclosure of DBatLoader, a loader malware family, which exposed its utilization of a legitimate-yet-vulnerable driver linked to RogueKiller AntiMalware software (truesight.sys) in order to compromise security solutions during a Bring Your Own Vulnerable Driver (BYOVD) assault and ultimately distribute Remcos RAT.

The organization announced earlier this month, “The malware is received as an email attachment within an archive and is highly obfuscated, containing multiple layers of encryption data.”

source