
Blind Eagle Exploits Ande Loader to Distribute RATs: eSentire Uncovers New Tactics

The notorious threat actor known as Blind Eagle has recently been observed using a loader called Ande Loader to distribute remote access trojans (RATs) such as Remcos RAT and NjRAT. eSentire uncovered these attacks, which primarily target Spanish-speaking users in the North American manufacturing industry.

Blind Eagle, also known as APT-C-36, is a financially motivated threat actor with a history of launching attacks against entities in Colombia and Ecuador. Its arsenal includes a variety of remote access trojans, such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT. Its latest tactics, however, involve emails carrying RAR and BZ2 archives to initiate infection.

The RAR archives are password-protected and contain a malicious Visual Basic (VBScript) file that establishes persistence in the Startup folder and executes the Ande Loader. This loader then downloads and executes the Remcos RAT payload. In a different attack scenario, a BZ2 archive containing a VBScript file is distributed through a Discord content delivery network (CDN) link, deploying NjRAT instead of Remcos RAT.

According to eSentire, Blind Eagle has been using crypters developed by Roda and Pjoao1578 to evade detection. One of these crypters has a hardcoded server hosting both the injector components of the crypter and additional malware used in the Blind Eagle campaign.

In a separate incident, SonicWall uncovered the workings of another loader malware family called DBatLoader, which loads a vulnerable driver associated with RogueKiller AntiMalware software (truesight.sys) to disable security solutions and deliver Remcos RAT. The malware is typically delivered as an email attachment and is heavily obfuscated with multiple layers of encryption.
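Two of the behaviours described above are easy to turn into endpoint-telemetry checks: the Ande Loader chain's VBScript running from the Startup folder, and DBatLoader's load of the RogueKiller driver truesight.sys. The following triage script is an added example written for this post, not code from eSentire, SonicWall, or the malware authors; it assumes a constructed, Sysmon-like event dictionary (the `type`, `image`, `command_line`, and `image_loaded` keys are invented for the example) and the sample events are constructed, not real captures.

```python
"""
Triage of constructed endpoint-telemetry events for two behaviours from the
post: a VBScript launched from a Windows Startup folder (the Ande Loader
persistence step) and the load of truesight.sys (the driver DBatLoader uses
to disable security tooling). The event layout is a constructed,
Sysmon-like dictionary, not any vendor's real schema.
"""
import re
from typing import Dict, List

# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Windows script hosts that execute .vbs / .vbe files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_EXT_RE = re.compile(r"\.vb[se]\b", re.IGNORECASE)
# Driver name taken from the post; legitimate RogueKiller installs load it too,
# so a hit is a lead to confirm against software inventory, not a verdict.
WATCHED_DRIVERS = {"truesight.sys"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that a single event triggers."""
    findings: List[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = _basename(event.get("image", ""))
        cmdline = event.get("command_line", "")
        if (image in SCRIPT_HOSTS
                and STARTUP_FOLDER_RE.search(cmdline)
                and VBS_EXT_RE.search(cmdline)):
            findings.append("vbscript-from-startup-folder")
    elif kind == "driver_load":
        name = _basename(event.get("image_loaded", ""))
        if name in WATCHED_DRIVERS:
            findings.append(f"watched-driver-loaded:{name}")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> findings for every event that triggered at least one rule."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        found = triage_event(ev)
        if found:
            hits[ev["id"]] = found
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.vbs"'},
    {"id": "e2", "type": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Temp\setup.vbs"'},
    {"id": "e3", "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe readme.txt"},
    {"id": "e4", "type": "driver_load",
     "image_loaded": r"C:\Windows\System32\drivers\truesight.sys"},
    {"id": "e5", "type": "driver_load",
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Running the script flags `e1` (script host executing a `.vbs` from the Startup folder) and `e4` (the truesight.sys load) and stays quiet on the benign events. The Startup-folder rule deliberately requires all three conditions (script host, Startup path, VBScript extension) so that ordinary shortcuts in that folder do not fire it.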

These recent developments highlight the evolving tactics of threat actors and the need for organizations to stay vigilant and up-to-date with the latest security measures. 
