Ande Loader Malware Targets Manufacturing Sector in North America

March 14, 2024 at 04:21AM

The Blind Eagle threat actor is using Ande Loader to distribute remote access trojans (RATs), targeting Spanish-speaking users in the North American manufacturing industry through phishing emails. The campaign also relies on RAR and BZ2 archives to trigger the infection chain. An alternative attack sequence, delivered via a Discord CDN link, distributes NjRAT. Crypters written by Roda and Pjoao1578 have been used in the attacks.

Key Takeaways from Meeting Notes:
– Threat actor Blind Eagle has been using Ande Loader malware to deliver remote access trojans (RATs) like Remcos RAT and NjRAT.
– The attacks targeted Spanish-speaking users in the manufacturing industry in North America via phishing emails.
– Blind Eagle is a financially motivated threat actor known for orchestrating cyber attacks against entities in Colombia and Ecuador.
– They leverage phishing with RAR and BZ2 archives to activate the infection chain and use crypters written by Roda and Pjoao1578.
– An alternative attack sequence involves distributing a BZ2 archive via a Discord content delivery network (CDN) link.
– SonicWall shed light on the DBatLoader malware family, which uses a vulnerable driver to terminate security software and deliver Remcos RAT.
– The malware is highly obfuscated and received inside an archive as an email attachment.
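A defender-side triage check for the two delivery paths described above (an archive attached to the email, or a Discord CDN link pointing at an archive), added here as an example and not code from the original article or from SonicWall. It relies on the standard RAR and bzip2 magic bytes, an assumed list of Discord CDN hostnames, and a constructed sample message with no real indicators.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Standard archive signatures: RAR v4/v5 share the "Rar!\x1a\x07" prefix, bzip2 starts with "BZh".
ARCHIVE_MAGIC = {"rar": b"Rar!\x1a\x07", "bz2": b"BZh"}
ARCHIVE_EXTS = (".rar", ".bz2")
# Discord CDN hostnames to match (assumed list; extend to fit your environment).
DISCORD_CDN_HOSTS = ("cdn.discordapp.com", "media.discordapp.net")
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)(/[^\s<>"']*)""")


def classify_attachment(filename, data):
    """Return 'rar' or 'bz2' when the part is an archive by magic bytes or by extension."""
    for kind, magic in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind  # content wins over a misleading file name
    return next((e[1:] for e in ARCHIVE_EXTS if (filename or "").lower().endswith(e)), None)


def find_discord_archive_links(text):
    """Return Discord CDN URLs whose path (query string ignored) ends in an archive extension."""
    return [f"https://{h}{p}" for h, p in URL_RE.findall(text)
            if h.lower() in DISCORD_CDN_HOSTS and p.lower().split("?")[0].endswith(ARCHIVE_EXTS)]


def triage_email(raw):
    """Flag both delivery paths: an archive attachment, or a Discord CDN link to an archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            kind = classify_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
            if kind:
                findings.append(f"archive attachment ({kind}): {part.get_filename()}")
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in find_discord_archive_links(body.get_content() if body else ""):
        findings.append(f"discord cdn archive link: {url}")
    return findings


def build_sample():
    """Constructed lure (no real indicators): bz2 attachment plus a CDN link to an archive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "cuentas@example.invalid", "compras@example.invalid", "Factura"
    m.set_content("Adjunto la factura. Copia: https://cdn.discordapp.com/attachments/1/2/factura.bz2")
    m.add_attachment(b"BZh91AY&SY" + b"\x00" * 16, maintype="application", subtype="octet-stream",
                     filename="factura.pdf")  # name says PDF, magic bytes say bzip2
    return m.as_bytes()
```

Run `triage_email(build_sample())` to see both findings; in production, feed it raw messages from the mail gateway and forward hits to the SOC queue.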
