Severity
High
Analysis Summary
A threat actor tracked as Blind Eagle has been observed using a loader named Ande Loader to deliver remote access trojans such as NjRAT and Remcos RAT. The attacks begin with phishing emails and target Spanish-speaking users working in the manufacturing industry in North America.
Cybersecurity researchers explained, “The users received the phishing email that contained the link to download the RAR and BZ2 archives with a malicious VBS file inside.”
Blind Eagle, also known as APT-C-36, is a financially motivated threat actor known for attacks against organizations and individuals in Ecuador and Colombia that distribute a variety of RATs, including BitRAT, NjRAT, AsyncRAT, Remcos RAT, Lime RAT, and Quasar RAT. The latest finding marks an expansion of the actor's targeting, with phishing emails carrying RAR and BZ2 archives used to initiate the infection chain.
The RAR archives are password-protected to appear legitimate and contain a malicious Visual Basic Script (VBScript) file that establishes persistence by placing itself in the Windows Startup folder. From there it launches Ande Loader, which in turn loads the Remcos RAT payload. In a second observed attack sequence, a BZ2 archive containing a VBScript file is distributed through a Discord content delivery network (CDN) link, and Ande Loader deploys NjRAT instead.

Notably, Blind Eagle has also been using crypters, one of which contains a hardcoded server that hosts both the crypter's injector components and the additional malware used in the campaign.
The finding coincides with research into the inner workings of another loader, DBatLoader, which abuses a legitimate but vulnerable driver associated with the RogueKiller AntiMalware software to terminate security software in a Bring Your Own Vulnerable Driver (BYOVD) attack that ultimately delivered Remcos RAT.
Impact
- Unauthorized Access
- Sensitive Data Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- Patch and upgrade all platforms and software promptly and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
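The persistence described in the analysis (a VBScript dropped into the Windows Startup folder) and the IOC search recommended above can be combined into a single hunt. The following PowerShell script is an added example, not part of the Rewterz advisory: it lists script-type files in the per-user and all-users Startup folders, hashes them, and flags any whose SHA-256 appears in a local IOC list. The `$IocHashes` value is a placeholder to be filled from the advisory's SHA-256 indicators; the extension list is an assumption about what normally does not belong in a Startup folder.

```powershell
# Added example (not from the advisory): hunt Startup folders for script files
# and compare their SHA-256 hashes against an IOC list.

# PLACEHOLDER: replace with the SHA-256 values published in the advisory (lowercase hex).
$IocHashes = @(
    'PLACEHOLDER_SHA256_FROM_ADVISORY'
)

# Per-user and all-users Startup folders
$startupPaths = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Assumed list of script-type extensions that rarely belong in a Startup folder
$scriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.ps1', '.bat', '.cmd')

$findings = foreach ($dir in $startupPaths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Get-FileHash returns uppercase hex; normalize for comparison
            $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            [PSCustomObject]@{
                Path      = $_.FullName
                SHA256    = $sha256
                KnownIoc  = ($IocHashes -contains $sha256)
                LastWrite = $_.LastWriteTime
            }
        }
}

# Any script file in a Startup folder deserves review; a hash match is a confirmed IOC hit
$findings | Sort-Object KnownIoc -Descending | Format-Table -AutoSize
if ($findings | Where-Object { $_.KnownIoc }) {
    Write-Warning 'One or more Startup folder files match a known IOC hash.'
}
```

Run it per host (or through your endpoint management tooling) under an account that can read the all-users Startup folder; a non-empty table with no IOC match still warrants a look at the file's contents and creation time.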