
Blind Eagle Cyber Espionage Group Strikes Again: New Attack Chain Revealed
The cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the njRAT remote access trojan on compromised systems.
“The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks,” ThreatMon said in Tuesday’s report.
Blind Eagle, also referred to as APT-C-36, is a Spanish-speaking group that allegedly attacks private and public sector entities in Colombia. Attacks orchestrated by the group have also targeted Ecuador, Chile and Spain.
Infection chains documented by Check Point and BlackBerry this year have revealed the use of spear-phishing lures to deliver commodity malware families such as BitRAT and AsyncRAT, as well as an in-memory Python loader capable of launching Meterpreter payloads.
The latest finding from ThreatMon involves a JavaScript downloader that runs a PowerShell script hosted on the Discord CDN. The script, in turn, drops other PowerShell scripts and Windows batch files, and saves a VBScript file in the Windows startup folder to achieve persistence.

The VBScript code is then run to launch the batch file, which is then deobfuscated to run the PowerShell script that was previously delivered along with it. In the final stage, the PowerShell script is used to execute njRAT.
“njRAT, also known as Bladabindi, is a remote access tool (RAT) with a user interface or trojan that allows the program holder to control the end user’s computer,” said the cybersecurity firm.
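The stages described above (script host launching a shell, PowerShell reaching the Discord CDN, a script written to the Startup folder, a batch file launching PowerShell) can each be matched in endpoint telemetry. The following is an added detection sketch, not code from ThreatMon or the original article; the event format, the sample events, the Discord CDN hostnames and the three-stage threshold are assumptions made for illustration.

```python
import re

# Constructed, simplified endpoint events (process and file creation); not from the report.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe <elided> https://cdn.discordapp.com/attachments/EXAMPLE/stage.ps1"},
    {"type": "file", "image": "powershell.exe", "path":
     r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\stage2.ps1"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
    {"type": "file", "image": "setup.exe", "path":
     r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: Discord CDN content is served from these hostnames.
CDN_RE = re.compile(r"https?://(cdn|media)\.discordapp\.(com|net)/", re.I)
# Script or batch file written directly into a Startup folder.
STARTUP_RE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(vbs|vbe|js|jse|bat|cmd|ps1)$", re.I)

def classify(event):
    """Return the names of the rules a single event matches."""
    hits = []
    if event["type"] == "process":
        parent, image = event["parent"].lower(), event["image"].lower()
        if parent in SCRIPT_HOSTS and image in POWERSHELL | {"cmd.exe"}:
            hits.append("script_host_spawns_shell")
        if image in POWERSHELL and CDN_RE.search(event["cmdline"]):
            hits.append("powershell_discord_cdn")
        if parent == "cmd.exe" and image in POWERSHELL:
            hits.append("batch_spawns_powershell")  # noisy alone, useful in sequence
    elif event["type"] == "file" and STARTUP_RE.search(event["path"]):
        hits.append("script_in_startup_folder")
    return hits

def triage(events):
    """Return (index, rules) for matching events and whether the chain threshold is met."""
    matched = [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
    distinct = {rule for _, rules in matched for rule in rules}
    return matched, len(distinct) >= 3  # assumed threshold: three distinct stages

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS)[0]:
        print(index, rules)
```

In production the same rules would be scoped per host and time window, since a batch file launching PowerShell is common on its own.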